H5N1 grouping of iii researchers – Ronghai Yang, Wing Cheong Lau, too Tianyu Liu – from the Chinese University of Hong Kong has found [PPT] that nearly of the pop mobile apps that back upward unmarried sign-on (SSO) service accept insecurely implemented OAuth 2.0.
OAuth 2.0 is an opened upward touchstone for ascendancy that allows users to sign inwards for other third-party services past times verifying existing identity of their Google, Facebook, or Chinese theatre Sina accounts.
This procedure enables users to sign-in to whatsoever service without providing additional usernames or passwords.
How are app developers required to implement OAuth? (Right Way)
Once access token is issued, the app server asks for the user's authentication information from Facebook, verify it too thence allow the user login amongst his/her Facebook credentials.
How are app developers truly implementing OAuth? (Wrong Way)
Instead of verifying OAuth information (Access Token) attached to the user's authentication information to validate if the user too ID provider are linked, the app server would alone cheque for user ID retrieved from the ID provider.
Due to this blunder, remote hackers tin download the vulnerable app, log inwards amongst their ain information too thence modify their username to the private they desire to target (which the hackers could estimate or Google) past times setting upward a server to modify the information sent from Facebook, Google or other ID providers.
Once done, this would grant the snoop full command of the information held inside the app, reports Black Hat Europe conference on Friday.
