Published on June 8th, 2020 📆 | 4923 Views ⚑
0OAuth Attacks Bypass MFA Protection
Whenever a phishing attack hits the headlines, the advice is always the same: train your employees to be suspicious, and use multi-factor authentication (MFA), followed by a mandatory discussion of how passwords arenât enough to guarantee security anymore. This is generally good advice, but donât be lulled into a false sense of security: MFA isnât watertight, and two stories surfaced in May to prove it.
Many online services today have turned their back on repeated password entry, instead uâing OAuth. This is an authorization mechanism that lets one site interact with another on your behalf, and itâs commonly used to sign into third party websites.
For example, a site supporting Google-based logins offers a âsign in with Googleâ option that redirects you to Googleâs sign-in screen if youâre not already signed into your Google account. Itâs a way of enabling you to sign up for a service without filling out a new username and password form.
After youâve signed into your Google account, the search giant returns you to the third party site with a request token. The third party site then shows that token to Google, which grants it an access token that lets it access the information youâve authorized it to see in your account (in this case, your email address, to confirm that youâre signing in with your Google account). This token gives the site access to that information for a limited time, at which point youâll have to repeat the process.
Google allows people to protect their accounts with MFA using its authenticator app, which protects this third party relationship too. Someone trying to sign into the third party site using your Google account would need your phone to complete the sign-in.
Itâs possible to use OAuth to get around MFA, though. Anti-phishing company Cofense published a blog post showing how phishers were emailing their targets with links to documents that appeared to show a payment bonus. The link took the victim to a sign-in page using Microsoftâs OAuth-based Microsoft Graph authorization mechanism, but when the user entered their Microsoft account details, the redirect information in the link went to a fraudulent domain hosted in Bulgaria. The request that the fraudulent link made to Microsoft also gives it permission to refresh its token whenever it wants, effectively granting the cyber-criminals behind this scam permanent access to the victimâs Microsoft account.
âThe OAuth2 phish is a relevant example of adversary adaptation,â explained Cofense. âNot only is there no need to compromise credentials, but touted security measures such as MFA are also bypassed; it is users themselves who unwittingly approve malicious access to their data.â
Single sign-on company Okta also published a demo showing how a malicious browser extension could be used to intercept the request token granted by a site like Google. The extension could then send the token to the attacker, who could use it to access the third party site. There are some protections to help prevent this kind of attack. Okta recommends Proof Key for Code Exchange (PXCE), an extension to OAuth that checks an additional secret when converting a request token to an access token.
So, MFA can help increase your security level, but it isnât enough on its own. Scanning for phishing emails and training users continue to be vital components in multi-layered defense against cyber-attackers.
Gloss