
OAuth From Security Perspective

Analyzing OAuth security: A deep dive into OAuth hijacking via Google One Tap Sign-in and how to defend against it.

Hossam Ahmed

What's OAuth?

OAuth is an open-standard authorization protocol or framework that gives applications the ability for "secure designated access." For example, you can tell Facebook that it's OK for deepstrike.io to access your profile or post updates to your timeline without having to give DeepStrike your Facebook password. OAuth can also be used for authentication; for example, to log into your application using a social sign-in feature (Google, Facebook, Microsoft, etc.).

Overview of the OAuth 2.0 protocol

OAuth is a complex security protocol, with different components sending pieces of information to each other in a precise balance akin to a technological dance. There are two major steps to an OAuth transaction: issuing a token and using a token. The token represents the access that has been delegated to the client, and it plays a central role in every part of OAuth 2.0.

The OAuth ecosystem consists of actors and components that communicate with each other.

OAuth Actors: [ Clients, Authorization server, Protected resources, and resource owners ]

  1. An OAuth client is an application that makes requests to access protected resources on behalf of a user or on its own behalf. OAuth clients can be anything from a web server application to a browser-based application or a mobile app.

    Note: The client doesn't have to understand the token, nor should it ever need to inspect the token's contents. Instead, the client uses the token as an opaque string.
  2. An OAuth protected resource is any data or service that requires controlled access, typically hosted on a resource server that enforces access controls via OAuth tokens.

    Resource Server: This is the server hosting the protected resources. It is responsible for handling requests to access these resources, validating access tokens provided by clients, and serving the resources to clients based on the access granted by these tokens.
  3. In the context of OAuth, the resource owner is an entity that can grant access to a protected resource. Typically, this is the user who owns the data or has control over it.
  4. The OAuth authorization server is a crucial component in the OAuth 2.0 protocol. It authenticates the resource owner and the client, provides mechanisms for allowing resource owners to authorize clients, and issues tokens to the client.

OAuth components: [ Tokens, Scopes, and Authorization grants ]

OAuth Vulnerabilities

There are vulnerabilities that can occur in the clients as well as in the other OAuth actors, including the OAuth tokens themselves. An example of a vulnerability that can occur on the client side is OAuth hijacking via an unverified id_token.

Now, we're going to talk about OAuth Hijacking via the "Login with Google One Tap sign-in" feature and how to detect it.

First, what is Google One Tap Sign-In?

Google One Tap is a feature that allows users to create an account or log in to a website with a single click. It is also known as YOLO (You Only Login Once). The login widget appears as a popup and prompts the user to sign in or sign up with an existing Google account.

Google one tap login

How Does Google One Tap Sign-In Work?

On the server side, how does the developer handle the ID token in order to verify whether it belongs to a person who is already registered in the application?

First, what is inside the ID token payload?

Claims

Validation of an ID token on the back end requires several steps:

Attack scenario:

An attacker can create a client on the "Google Developers Platform" and configure Google One Tap Sign-In in their own application to exploit a misconfiguration in the target application, such as failing to check the "audience" value of the ID token. This can lead to account takeover if the user has registered with both the vulnerable application and the attacker's application through Google One Tap Sign-In.
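As an added example (not code from the original post), the following Python sketch contrasts a back end that keys accounts on the e-mail of any Google-issued ID token with one that also checks the audience, expiry and email_verified claims, which is what the validation steps above are for. The client IDs, subject and victim e-mail are constructed, and signature verification against Google's published keys is assumed to have already passed.

```python
import base64
import json
import time

# Constructed values for this demo; not real Google client IDs.
OUR_CLIENT_ID = "111111111111-example.apps.googleusercontent.com"
ATTACKER_CLIENT_ID = "999999999999-attacker.apps.googleusercontent.com"
GOOGLE_ISSUERS = {"https://accounts.google.com", "accounts.google.com"}


def _b64url(data: dict) -> str:
    raw = json.dumps(data, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def decode_payload(id_token: str) -> dict:
    """Return the JWT payload. In production the RS256 signature must be
    verified against Google's published keys first; assumed done here."""
    payload = id_token.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))


def vulnerable_lookup(id_token: str):
    """Misconfigured backend: any Google-issued token is keyed on e-mail,
    without asking which client the token was minted for."""
    claims = decode_payload(id_token)
    return claims.get("email") if claims.get("iss") in GOOGLE_ISSUERS else None


def validate_id_token(id_token: str, now=None) -> tuple:
    """Hardened checks: issuer, audience == our client ID, expiry, and a
    Google-verified e-mail. Returns (ok, subject_or_reason)."""
    claims = decode_payload(id_token)
    now = int(time.time()) if now is None else now
    if claims.get("iss") not in GOOGLE_ISSUERS:
        return False, "issuer is not Google"
    if claims.get("aud") != OUR_CLIENT_ID:
        return False, "audience mismatch: token was issued to another client"
    if int(claims.get("exp", 0)) <= now:
        return False, "token expired"
    if not claims.get("email_verified"):
        return False, "e-mail not verified by Google"
    return True, claims["sub"]


def make_demo_token(aud: str, exp: int) -> str:
    """Build an unsigned header.payload.signature demo token for a constructed
    victim identity; the signature segment is a placeholder."""
    header = _b64url({"alg": "RS256", "typ": "JWT", "kid": "demo-kid"})
    payload = _b64url({"iss": "https://accounts.google.com", "aud": aud,
                       "sub": "constructed-subject-id", "exp": exp,
                       "email": "victim@example.com", "email_verified": True})
    return f"{header}.{payload}.signature-placeholder"
```

A token minted for the attacker's client ID carries the victim's e-mail and a genuine Google issuer, so only the audience check separates it from a legitimate login to our application.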

Finally

To defend against OAuth hijacking, implement these key security measures:
