University of Trier researchers have found two attacks on OAuth 2.0, the authorization protocol that social networking sites widely use to log users in to third-party applications, which could allow attackers to subvert single sign-on systems.
Both attacks break authorization and authentication in OAuth 2.0, also apply to the newer OpenID Connect standard, and can be exploited in practice to capture credentials, impersonate a user, or access user data.
In the first attack, an identity provider (IdP) inadvertently forwards the user's credentials to the relying party (RP) or to the attacker. The user submits the IdP's login form with an HTTP POST; the IdP then redirects the browser back to the RP, and if it does so with a 307 status code, the browser repeats the POST, username and password included, against the RP's redirect endpoint. "This severe attack is caused by a logical flaw in the OAuth 2.0 protocol and depends on the presence of a malicious identity provider," the researchers note. The proposed fix is to permit only HTTP 303 redirects in OAuth, because 303 is the one redirect status that is unambiguously defined to make the browser drop the body of the POST and issue a plain GET.
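The difference between the two status codes, worked through as an added example (not code from the paper or from any real IdP): a browser follows an IdP's redirect back to the RP after the user POSTed the login form. The IdP, the RP, the user database and the hidden `redirect_uri`/`state` form fields are all constructed for the illustration, and redirect handling follows RFC 7231 section 6.4 for 303 and 307 only.

```python
"""307 redirect attack, modelled end to end: a browser following an IdP's redirect
back to the RP after the user POSTed the login form.  Constructed example."""
from dataclasses import dataclass, field
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed user database of the hypothetical IdP.
USERS = {"alice": "s3cret"}


@dataclass
class Request:
    method: str
    url: str
    body: dict = field(default_factory=dict)   # form fields of a POST


@dataclass
class Response:
    status: int
    location: Optional[str] = None


def browser_follow(prev: Request, resp: Response) -> Request:
    """The request a browser issues when following a redirect (RFC 7231 section 6.4).

    303 See Other: the browser always issues a GET with no body.
    307 Temporary Redirect: the browser repeats the request with the same method
    and the same body, so a POSTed login form is re-sent to the new location.
    301/302 are left out: their handling of POST has been inconsistent across
    browsers, which is exactly why only 303 is recommended for this redirect.
    """
    if resp.location is None:
        raise ValueError("not a redirect")
    if resp.status == 303:
        return Request("GET", resp.location)
    if resp.status == 307:
        return Request(prev.method, resp.location, dict(prev.body))
    raise ValueError(f"status {resp.status} not modelled")


def idp_login_endpoint(req: Request, redirect_status: int) -> Response:
    """Constructed IdP login endpoint: verify the POSTed password, then redirect the
    browser to the RP's redirect_uri with an authorization code, using whichever
    status code the IdP was configured with."""
    if req.method != "POST":
        return Response(405)
    if USERS.get(req.body.get("username")) != req.body.get("password"):
        return Response(401)
    query = urlencode({"code": "c0de-" + req.body["username"], "state": req.body["state"]})
    return Response(redirect_status, f"{req.body['redirect_uri']}?{query}")


def rp_redirect_endpoint(req: Request) -> dict:
    """Constructed RP redirect endpoint.  It returns what it received; a malicious RP
    would simply log the body."""
    query = parse_qs(urlsplit(req.url).query)
    return {"code": query.get("code", [None])[0], "received_body": dict(req.body)}


def run_login(redirect_status: int) -> dict:
    """Full flow: the user submits credentials to the IdP, the browser follows the
    IdP's redirect to the RP.  redirect_uri and state travel as hidden form fields."""
    login_post = Request("POST", "https://idp.example/login", {
        "username": "alice", "password": "s3cret",
        "redirect_uri": "https://rp.example/cb", "state": "xyz",
    })
    idp_response = idp_login_endpoint(login_post, redirect_status)
    return rp_redirect_endpoint(browser_follow(login_post, idp_response))


def leaks_credentials(redirect_status: int) -> bool:
    """True if the RP ends up holding the user's password after the redirect."""
    return "password" in run_login(redirect_status)["received_body"]


if __name__ == "__main__":
    for status in (307, 303):
        print(status, run_login(status))
```

With 307 the RP receives the authorization code and the complete login form, password included; with 303 it receives only the code and state in the query string. An IdP audit can therefore be as simple as checking the status code of the redirect that follows the credential POST.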
In the second attack, a network attacker can impersonate any victim. "The attacker confuses an RP about which IdP the user chose at the beginning of the login/authorization process in order to acquire an authentication code or access token which can be used to impersonate the user or access user data," the researchers warn.
In this man-in-the-middle scenario the attacker tampers with unprotected traffic between the user's browser and the RP so that the RP records the attacker's IdP as the one the user selected, while the browser is actually sent to the honest IdP the user wanted; the RP then hands the authorization code or access token it receives to the attacker's IdP, believing it to be the legitimate one.
As a corrective measure, the researchers say the redirect back to the RP should carry the identity of the IdP in some form, so that the RP can check that the response came from the IdP it started the flow with.
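The check that corrective measure enables, as an added example (not the paper's code and not any real RP): an RP that redeems the code at whichever IdP it believes the flow started with, beside one that first compares the issuer named in the redirect with its own record for that session. The two IdPs, the token endpoints, the `state` values and the `iss` redirect parameter (the shape RFC 9207 later standardised for this purpose) are constructed assumptions of the illustration; the RP's redirect endpoint is assumed to be served over HTTPS, so the attacker cannot alter the honest IdP's redirect.

```python
"""IdP mix-up, modelled: an RP that forwards the code to whichever IdP it believes
the flow started with, beside one that checks the issuer named in the redirect.
Constructed example."""
from urllib.parse import parse_qs, urlencode, urlsplit

# Two IdPs registered at the RP: the honest one the user wants, and the attacker's.
HONEST_IDP = "https://honest-idp.example"
ATTACKER_IDP = "https://attacker-idp.example"
TOKEN_ENDPOINT = {idp: idp + "/token" for idp in (HONEST_IDP, ATTACKER_IDP)}
REDIRECT_URI = "https://rp.example/cb"   # the RP's redirect endpoint, served over HTTPS


class RelyingParty:
    def __init__(self, check_issuer: bool):
        self.check_issuer = check_issuer
        self.sessions = {}        # state -> IdP the RP believes this flow started with
        self.token_requests = []  # (token endpoint, code): where each code was sent

    def start_login(self, chosen_idp: str, state: str) -> str:
        """Record the IdP selection under a fresh state and build the authorization request."""
        self.sessions[state] = chosen_idp
        return f"{chosen_idp}/authorize?" + urlencode(
            {"client_id": "rp", "redirect_uri": REDIRECT_URI, "state": state})

    def redirect_endpoint(self, url: str) -> str:
        """Handle the browser arriving back with code and state (and, if the IdP
        sends it, the issuer that produced them)."""
        params = {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}
        expected_idp = self.sessions.pop(params.get("state", ""), None)
        if expected_idp is None:
            return "rejected: unknown state"
        if self.check_issuer and params.get("iss") != expected_idp:
            # Mitigation: the code came from an IdP other than the one this session
            # started with, so it is redeemed nowhere.
            return "rejected: issuer mismatch"
        # Vulnerable path (and the honest flow): redeem the code at the believed IdP.
        self.token_requests.append((TOKEN_ENDPOINT[expected_idp], params["code"]))
        return "code redeemed at " + expected_idp

    def code_sent_to_attacker(self) -> bool:
        return any(ep == TOKEN_ENDPOINT[ATTACKER_IDP] for ep, _ in self.token_requests)


def honest_idp_callback(state: str, code: str) -> str:
    """The honest IdP's redirect back to the RP, with its own issuer attached.
    The unfixed RP simply ignores the extra parameter."""
    return REDIRECT_URI + "?" + urlencode({"code": code, "state": state, "iss": HONEST_IDP})


def run_mix_up(check_issuer: bool) -> dict:
    rp = RelyingParty(check_issuer)
    # 1. The user picks HONEST_IDP, but the network attacker rewrites the plain-HTTP
    #    request to the RP so the RP records ATTACKER_IDP for this session.
    rp.start_login(ATTACKER_IDP, state="s1")
    # 2. The attacker rewrites the RP's redirect so the browser actually goes to
    #    HONEST_IDP, which authenticates the user and sends back a code over HTTPS.
    result = rp.redirect_endpoint(honest_idp_callback("s1", "c0de123"))
    return {"result": result, "code_sent_to_attacker": rp.code_sent_to_attacker()}


def run_honest_login(check_issuer: bool) -> dict:
    """Undisturbed login: the issuer check must not break it."""
    rp = RelyingParty(check_issuer)
    rp.start_login(HONEST_IDP, state="s2")
    result = rp.redirect_endpoint(honest_idp_callback("s2", "c0de456"))
    return {"result": result, "code_sent_to_attacker": rp.code_sent_to_attacker()}


if __name__ == "__main__":
    for check in (False, True):
        print("check_issuer =", check, run_mix_up(check), run_honest_login(check))
```

Without the check, the vulnerable RP posts the honest IdP's code to the attacker's token endpoint; with it, the mismatch between the recorded IdP and the issuer in the redirect aborts the flow before any code leaves the RP, while an undisturbed login still succeeds. Binding the session to the chosen IdP at the start of the flow is the precondition: an RP that does not remember which IdP it redirected to has nothing to compare the issuer against.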
From SC Magazine (UK)
Abstracts Copyright © 2016 Information Inc., Bethesda, Maryland, USA