OAuth gets exploited to launch single-click account hijacking

July 18, 2022

Researchers detailed how OAuth, or Open Authentication framework, could be abused by hackers to perform a single-click account hijacking through its process flow.

OAuth is a framework that manages identities and secures access to third-party services across the web. Service providers use OAuth to issue temporary, scoped access tokens instead of relying on the usual username-and-password combination. However, researchers found that hackers could exploit the framework’s process flow to steal those tokens and execute a one-click account hijacking.

The details of this new study were shared by security experts, along with some recommendations on how organisations could protect themselves from being potentially compromised.

According to the researchers, the hackers abuse OAuth through a combination of its process flow to steal authorisation codes or tokens of users.


Despite the efforts of browser makers such as Google and Firefox to disrupt every potential pathway to these account-hijacking attacks on OAuth, the threat remains common among users globally.


Browser developers have implemented protections such as Content Security Policy (CSP) and Trusted Types, which allow an OAuth client to reject risky data values that could otherwise trigger DOM-based XSS and credential theft. But the researchers noted that attackers can still break OAuth’s sign-in procedure, leading to the same adverse outcome those protections were meant to prevent.

A skilled attacker must first disrupt the exchange between the system that issues tokens and the service provider that receives and consumes them. Usually the attacker achieves this by tampering with the state value: the victim is sent a malicious link that spoofs a sign-in page but carries the attacker’s own, still-valid state.

If the victim bites on the lure, the exchange is disrupted and the attacker can proceed to the next step, the single-click account hijacking itself. The researchers also tested other exploitation routes, including an XSS attack on a third-party domain that collects URL data while an authentication process is in progress, and abuse of APIs that collect URLs.
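The state tampering described above only works against a client that does not tie `state` to the browser session that started the login. As an added example, not code from the article or the researchers, here is a minimal authorization-code callback handler in Python that generates a per-session state, makes it one-time-use, and rejects a callback carrying a valid-looking state minted in a different session; the identity-provider URL, client id, redirect URI and in-memory session store are placeholder assumptions.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlparse

# Constructed in-memory stand-in for a server-side session store.
SESSIONS: dict[str, dict] = {}

# Placeholder provider and client details (assumptions, not real endpoints).
AUTHORIZE_URL = "https://idp.example/authorize"
CLIENT_ID = "demo-client"
REDIRECT_URI = "https://app.example/callback"


def begin_login(session_id: str) -> str:
    """Start the authorization-code flow for one browser session.

    A fresh, unguessable state is stored in that session only, so a
    callback carrying somebody else's state (e.g. one the attacker obtained
    in their own session) cannot be accepted on behalf of this session.
    """
    state = secrets.token_urlsafe(32)
    SESSIONS.setdefault(session_id, {})["oauth_state"] = state
    return (f"{AUTHORIZE_URL}?response_type=code&client_id={CLIENT_ID}"
            f"&redirect_uri={REDIRECT_URI}&state={state}")


def state_of(url: str) -> str:
    """Extract the state parameter from an authorize or callback URL."""
    return parse_qs(urlparse(url).query).get("state", [""])[0]


def handle_callback(session_id: str, callback_url: str) -> dict:
    """Validate the redirect back from the identity provider.

    Accepts the authorization code only if the state in the URL matches the
    state this session generated. The stored state is consumed on first use,
    so a replayed or foreign callback fails and the login must be restarted.
    """
    params = parse_qs(urlparse(callback_url).query)
    received = params.get("state", [""])[0]
    code = params.get("code", [""])[0]
    expected = SESSIONS.get(session_id, {}).pop("oauth_state", None)
    if expected is None or not hmac.compare_digest(expected, received):
        return {"ok": False, "reason": "state mismatch"}
    if not code:
        return {"ok": False, "reason": "missing code"}
    return {"ok": True, "code": code}
```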

The experts said that OAuth clients could reduce their chance of being victimised by reviewing the OAuth 2.0 security best-practice guidance, which explains how to protect against these account-hijacking risks.
