Jenko Hwong - New Phishing Attacks Exploiting OAuth Authentication Flows

New Phishing Attacks Exploiting OAuth Authorization Flows The document discusses new phishing attacks that exploit OAuth authorization flows to access cloud applications and services. Attackers are setting up fake authorization pages that mimic real identity provider login screens to steal user credentials and OAuth tokens. This allows them to hijack user sessions and access APIs without needing to steal passwords. Controls like MFA, link analysis, and credential validation are needed to detect these attacks.


New Phishing Attacks Exploiting OAuth Authorization Flows

August 7, 2021

Jenko Hwong
[email protected]
@jenkohwong
$ az ad signed-in-user show

[
  {
    "jobTitle": "Researcher",
    "department": "Threat Research Labs",
    "company": "Netskope, Inc.",
    "email": "[email protected]",
    "twitter": "@jenkohwong",
    "background": "vulnerability scanning, AV/AS, pen-testing/exploits, L3/4 appliances, threat intel, windows security"
  }
]
Phishing Evolution: smtp, fake domain, ssl cert, user/pwd
in the beginning...

Phishing Evolution: apps, fake domain, ssl cert, user/pwd
+mobile
  1 phish: attacker -> victim over smtp, sms, IM, chat...
  3 browse, auth: victim -> fake website over http(s)
  2 steal username/password: fake website -> attacker

Phishing Evolution: apps, fake domain, ssl cert, user/pwd
+cloud
  Same three steps (1 phish over smtp, sms, IM, chat...; 3 browse, auth over http(s); 2 steal username/password), but the fake website is hosted in cloud.

Phishing Evolution: fake domain, apps, ssl cert, user/pwd
controls
  1 phish: sender reputation; link analysis (domain/URLs/certs)
  2 victim: MFA; IP allow policies
  3 browse, auth over http(s) to the fake website: link analysis (domain/URLs/certs); content inspection (creds)
Phishing Evolution: OAuth 2.0 auth code grant[1]
+cloud app authorization

Actors: User (client, device); Application (authorization service); Identity Platform (Azure AD, Google Identity)

  1 Request Authorization: the application requests permissions (scopes) and redirects the user to the Identity Platform
  2 Authenticate (MFA) and Authorize permissions (scopes) at the Identity Platform
  3 OAuth Tokens: access token and refresh token are returned

[1] https://datatracker.ietf.org/doc/html/rfc6749#page-24
Phishing Evolution: OAuth 2.0 auth code grant
+cloud app authorization: Payments
Phishing Evolution: OAuth 2.0 auth code grant
+cloud app authorization: GCP CLI

$ gcloud auth login [email protected] --launch-browser --force

Your browser has been opened to visit:

https://accounts.google.com/o/oauth2/auth?response_type=code&client_id=32555940559.apps.googleusercontent.com&redirect_uri=http%3A%2F%2Flocalhost%3A8085%2F&scope=openid+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fuserinfo.email+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fcloud-platform+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fappengine.admin+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fcompute+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Faccounts.reauth&state=IMWlTK5Vlfab5gl4hKrleOxsylObop&access_type=offline&code_challenge=gU8ezZryqHCwAPyai2OLKaU-iPvbR62biGjQgGV6IRE&code_challenge_method=S256

You are now logged in as [[email protected]].

$
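The gcloud URL above carries the three client-side protections of a well-built auth code grant: a `state` value, a PKCE `code_challenge` with `code_challenge_method=S256`, and an exact `redirect_uri`. This added example (editor's code, not gcloud's and not from the deck) builds the same kind of request and validates the browser's callback. The endpoint, client_id and redirect_uri are the values on the slide; `build_authorization_url`, `validate_callback` and `challenge_matches` are names chosen here.

```python
# Added example, not from the deck: OAuth 2.0 authorization request with PKCE
# (RFC 7636) and validation of the redirect back to the client.
import base64
import hashlib
import secrets
from urllib.parse import urlencode, urlsplit, parse_qs

AUTH_ENDPOINT = "https://accounts.google.com/o/oauth2/auth"   # from the slide
CLIENT_ID = "32555940559.apps.googleusercontent.com"          # from the slide
REDIRECT_URI = "http://localhost:8085/"                        # from the slide
SCOPES = [
    "openid",
    "https://www.googleapis.com/auth/userinfo.email",
    "https://www.googleapis.com/auth/cloud-platform",
]


def b64url(raw):
    """Base64url without padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def make_pkce_pair():
    """Return (code_verifier, code_challenge) for the S256 method.
    32 random bytes encode to 43 characters, inside the 43..128 range."""
    verifier = b64url(secrets.token_bytes(32))
    return verifier, b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def build_authorization_url(state, code_challenge):
    """Compose the request the CLI hands to the browser; urlencode joins the
    scopes with '+' and percent-encodes the redirect_uri exactly as gcloud does."""
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": " ".join(SCOPES),
        "state": state,
        "access_type": "offline",          # ask for a refresh token too
        "code_challenge": code_challenge,
        "code_challenge_method": "S256",
    }
    return AUTH_ENDPOINT + "?" + urlencode(params)


def validate_callback(callback_url, expected_state):
    """Check the redirect the browser delivers and return the authorization code.
    Raises ValueError when it does not match the request we issued."""
    parts = urlsplit(callback_url)
    if f"{parts.scheme}://{parts.netloc}{parts.path}" != REDIRECT_URI:
        raise ValueError("callback did not arrive at the registered redirect_uri")
    query = parse_qs(parts.query)
    if "error" in query:
        raise ValueError("authorization server returned " + query["error"][0])
    # Constant-time comparison so a forged callback cannot probe the state value.
    if not secrets.compare_digest(query.get("state", [""])[0], expected_state):
        raise ValueError("state mismatch: callback was not issued for this session")
    code = query.get("code", [""])[0]
    if not code:
        raise ValueError("no authorization code in callback")
    return code


def challenge_matches(code_verifier, code_challenge):
    """What the token endpoint does at exchange time: recompute S256(verifier)."""
    return b64url(hashlib.sha256(code_verifier.encode("ascii")).digest()) == code_challenge
```

A stolen authorization code is worthless without the matching `code_verifier`, which never leaves the client; the `state` check is what stops a callback that the client never requested from being accepted.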
Phishing Evolution: fake OAuth login, check creds
+cloud app authorization

● Real-time creds validation (APIs)[1] against the Identity Platform (Azure AD, Google Identity)
● Based on pass/fail, redirect user to valid domains (stealth, creds validation upfront)
● Controls
  ○ MFA, IP allow policies
  ○ link analysis (domain/URLs/certs)
  ○ content inspection (creds)
  ○ sender reputation

[1] https://threatpost.com/office-365-phishing-attack-leverages-real-time-active-directory-validation/159188/
Phishing Evolution: OAuth 2.0 auth code grant
+cloud app authorization protocol -- why do we care?

Actors: User (client, device); Application; Identity Platform (Azure AD, Google Identity)

  1 Login / Checkout / Install App
  2 Redirect to Identity Platform
  3 Authenticate and Authorize (authenticate, MFA, consent to scopes)
    GET https://accounts.google.com/o/oauth2/v2/auth?
        client_id=32555940559.apps.googleusercontent.com&
        response_type=code&
        scope=https://www.googleapis.com/auth/cloud-platform&
        access_type=offline&redirect_uri=www.myapp.com:9000
  4 Redirect URL with Authorization Code
    GET http://www.myapp.com:9000?code=AwABAAAAvPM1KaP...
  5 Request oauth tokens
    POST https://www.googleapis.com/oauth2/v4/token
        client_id=32555940559.apps.googleusercontent....&
        scope=https://www.googleapis.com/auth/cloud...&
        client_secret=JqQXA298PB…&
        code=AwABAAAAvPM1KaP…&
        redirect_uri=www.myapp.com:9000
  6 Oauth tokens
    { "access_token": "ya29.a0ARrdaM9...",
      "refresh_token": "1//06S3lSKyEHY…",
      "scope": "https://www.googleapis...",
      "expires_in": 3599,
      "token_type": "Bearer"
    }

Why do we care?
  1. Hijack session tokens, not creds
  2. REST APIs <=> remote exploit vs endpoint
Phishing Evolution: OAuth 2.0 illicit consent grants[1]
+cloud app authorization protocol

Same auth code grant exchange (steps 1-6) as above, except:
  1. Malicious registered application[2]
  2. Get user consent for wide scopes / permissions

Controls
  1. Prevent users from registering apps in AD
  2. Prevent users from consenting

[1] https://www.bleepingcomputer.com/news/security/phishing-attack-hijacks-office-365-accounts-using-oauth-apps/
[2] https://docs.microsoft.com/en-us/azure/active-directory/develop/application-consent-experience
Phishing Evolution: OAuth 2.0 device code authorization[1]
what's the purpose? to provide easier authentication/authorization on limited input devices e.g. smart TVs

"I think there's an RFC for that."
which, when implemented, looks something like this on your TV, with the real sign-in on a computer or mobile phone

Unusability is the father of insecurity

[1] https://datatracker.ietf.org/doc/html/rfc8628
Phishing Evolution: OAuth 2.0 device code authorization[1]
+cloud app authorization protocol

Actors: User; Device (client, app); Identity Platform (Azure AD, Google Identity)

  1 Login (user on the device)
  2 Get user/device codes (device -> Identity Platform)
  3 Instruct user to login on computer/smartphone:
    "1. Go to www.google.com/device
     2. Enter user code: ZLGG-LOSP"
  4 Authenticate and Authorize (user -> Identity Platform):
    1. Goes to www.google.com/device
    2. Enters: ZLGG-LOSP
    3. Authenticates, including MFA
  5 Retrieve oauth tokens (device -> Identity Platform, with client_id and device_code)

[1] https://datatracker.ietf.org/doc/html/rfc8628
Demo: OAuth 2.0 device code authorization

● Dr. Nestori Syynimaa: https://o365blog.com/post/phishing/
● Usability => insecurity
● A different auth flow => opportunity
● Implementation quirks
Phishing Evolution: OAuth 2.0 device code authorization
+cloud app authorization protocol

Actors: User; Device (client, app); Identity Platform (Azure AD, Google Identity)

  1 Login
  2 Get user/device codes
    POST https://login.microsoftonline.com/common/oauth2/devicecode?api-version=1.0
        client_id=d3590ed6-52b3-4102-aeff-aad2292ab01c&
        resource=https://outlook.office365.com
  3 User/device codes
    { "device_code": "AH-1NgM6boio...",
      "verification_url": "https://www.google.com/device",
      "user_code": "ZLGG-LQSP",
      "expires_in": 1800,
      "interval": 5
    }
  4 User code, verification URL -- manual instructions:
    "1. Go to www.google.com/device
     2. Enter: ZLGG-LOSP"
  5 Authenticate and Authorize
    1. Goes to www.google.com/device
    2. Enters: ZLGG-LOSP
    3. Authenticates, including MFA
  6/7 Device polls for oauth tokens with client_id and device_code; Identity Platform returns the Oauth tokens
    { "access_token": "ya29.a0ARrdaM9...",
      "refresh_token": "1//06S3lSKyEHY…"
    }
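To make the exchange above concrete, this added example (editor's code, not the deck's and not any vendor's SDK) models both sides of the RFC 8628 device authorization grant in memory: the identity platform issuing the device_code / user_code pair with the deck's `expires_in` and `interval` values, the user approving the code, and the device polling the token endpoint while honouring `interval`, `slow_down` and expiry. `DeviceAuthServer`, `FakeClock`, `poll_for_tokens` and all token values are constructed here for illustration.

```python
# Added example, not from the deck: in-memory model of the device authorization
# grant (RFC 8628) with a deterministic clock so it can be stepped offline.
import secrets
import string
import time


class FakeClock:
    """Deterministic clock so the exchange can be stepped through offline."""
    def __init__(self, start=0.0):
        self.t = start

    def now(self):
        return self.t

    def advance(self, seconds):
        self.t += seconds


class DeviceAuthServer:
    """Stand-in for the identity platform's devicecode and token endpoints."""

    def __init__(self, clock=time.time, lifetime=1800, interval=5):
        self.clock = clock
        self.lifetime = lifetime      # expires_in on the slide (1800 s)
        self.interval = interval      # minimum polling interval (5 s)
        self._pending = {}            # device_code -> grant record
        self._by_user_code = {}       # user_code -> device_code

    def device_code(self, client_id, scope):
        """Steps 2/3: issue the device_code (secret, held by the device) and the
        short user_code the device shows to the human."""
        letters = string.ascii_uppercase
        user_code = "-".join(
            "".join(secrets.choice(letters) for _ in range(4)) for _ in range(2))
        dc = secrets.token_urlsafe(24)
        self._pending[dc] = {"client_id": client_id, "scope": scope,
                             "user_code": user_code, "approved": False,
                             "expires_at": self.clock() + self.lifetime,
                             "last_poll": None}
        self._by_user_code[user_code] = dc
        return {"device_code": dc, "user_code": user_code,
                "verification_url": "https://www.google.com/device",
                "expires_in": self.lifetime, "interval": self.interval}

    def user_approves(self, user_code):
        """Step 5: the user types the code into the verification page and
        authenticates (including MFA). False for unknown or expired codes."""
        dc = self._by_user_code.get(user_code)
        if dc is None or dc not in self._pending:
            return False
        if self.clock() > self._pending[dc]["expires_at"]:
            return False
        self._pending[dc]["approved"] = True
        return True

    def token(self, client_id, device_code):
        """Steps 6/7: the device polls with client_id + device_code."""
        rec = self._pending.get(device_code)
        if rec is None or rec["client_id"] != client_id:
            return {"error": "invalid_grant"}
        now = self.clock()
        if now > rec["expires_at"]:
            self._forget(device_code)
            return {"error": "expired_token"}
        if rec["last_poll"] is not None and now - rec["last_poll"] < self.interval:
            return {"error": "slow_down"}      # polled faster than `interval`
        rec["last_poll"] = now
        if not rec["approved"]:
            return {"error": "authorization_pending"}
        self._forget(device_code)              # device_code is single use
        return {"access_token": "ya29." + secrets.token_hex(12),
                "refresh_token": "1//" + secrets.token_hex(12),
                "scope": rec["scope"], "expires_in": 3599, "token_type": "Bearer"}

    def _forget(self, device_code):
        rec = self._pending.pop(device_code)
        self._by_user_code.pop(rec["user_code"], None)


def poll_for_tokens(server, client_id, grant, clock, sleep):
    """Device side: honour `interval`, back off on slow_down, stop at expiry."""
    interval = grant["interval"]
    deadline = clock() + grant["expires_in"]
    while clock() < deadline:
        resp = server.token(client_id, grant["device_code"])
        if "access_token" in resp:
            return resp
        err = resp.get("error")
        if err == "slow_down":
            interval += 5                      # RFC 8628 section 3.5
        elif err != "authorization_pending":
            return resp                        # expired_token, invalid_grant, ...
        sleep(interval)
    return {"error": "expired_token"}
```

Two properties of the protocol that matter for the slides that follow are visible here: the user never sees the device_code and cannot tell which device will receive the tokens, and the only thing binding the human's approval to the polling client is the short user_code, which is why the flow phishes so well and why the 1800-second expiry is the practical limit on an attack.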
Phishing Evolution: OAuth 2.0 device code authorization
+cloud app authorization protocol microsoft phish

Same exchange, but the Device (client, app) belongs to the phisher:
  XX 1 Login: no user login on the device
  2 Get user/device codes
    POST https://login.microsoftonline.com/common/oauth2/devicecode?api-version=1.0
        client_id=d3590ed6-52b3-4102-aeff-aad2292ab01c&
        resource=https://outlook.office365.com
  3 User/device codes
    { "device_code": "AH-1NgM6boio...",
      "verification_url": "https://www.google.com/device",
      "user_code": "ZLGG-LQSP",
      "expires_in": 1800,
      "interval": 5
    }
  4 Phish
    "Here's your promotional product code:
     1. Go to www.google.com/device
     2. Enter: ZLGG-LOSP"
  5 Authenticate and Authorize (the victim)
    1. Goes to www.google.com/device
    2. Enters: ZLGG-LOSP
    3. Authenticates, including MFA
  6/7 Device polls for oauth tokens with client_id and device_code; Identity Platform returns the Oauth tokens
    { "access_token": "ya29.a0ARrdaM9...",
      "refresh_token": "1//06S3lSKyEHY…"
    }
Phishing Evolution: OAuth 2.0 device code authorization
+cloud app authorization protocol microsoft phish

  8 Use refresh token to get new access token for Azure (Device -> Identity Platform)
    { "refresh_token": "1//06S3lSKyEHY…",
      "scope": "openid",
      "grant_type": "refresh_token",
      "resource": "https://management.azure.com",
      "client_id": "d3590ed6-52b3-4102-aeff-aad2292ab01c"
    }
  9 Access Token
    { "scope": "user_impersonation",
      "resource": "https://management.azure.com",
      "access_token": "eyJ0eXAiOiJKV1QiLCJhbG...",
      "refresh_token": "0.AUYAAknJ93kbWUyXs2…"
    }
Phishing Evolution: OAuth 2.0 device code authorization
+cloud app authorization protocol microsoft phish

Properties of the flow that the phish relies on:
  1. No server infrastructure
  2. No registered application, use existing vendor client app
  3. No consent screen
  4. Implicit, default scopes
  5. Move laterally to other services
  6. Logging limited (initial token logged as sign-in, but lateral move is not)
Phishing Evolution: OAuth 2.0 device code authorization
controls

1. Prevent: block verification URIs, use conditional access policies
  ● https://oauth2.googleapis.com/device/code
  ● https://microsoft.com/devicelogin
  ● https://login.microsoftonline.com/common/oauth2/deviceauth
  ● block access based on IP, location, endpoint characteristics
2. Detect
  ● Difficult
3. Remediate
  ● API to revoke all oauth tokens for a user
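One way to implement the "Prevent" control above in a web proxy or identity policy engine, as an added example (editor's code, not from the deck and not any product's policy language). The blocked verification URIs are the three listed on the slide; the policy and request dictionaries, their field names and `check_request` are constructed here for illustration, and the sample policy stands in for a conditional access rule on IP, location and endpoint characteristics.

```python
# Added example, not from the deck: block the device-flow verification URIs
# and apply conditional-access style checks to the sign-in itself.
import ipaddress
from urllib.parse import urlsplit

BLOCKED_VERIFICATION_URIS = [            # the URIs listed on the slide
    "https://oauth2.googleapis.com/device/code",
    "https://microsoft.com/devicelogin",
    "https://login.microsoftonline.com/common/oauth2/deviceauth",
]


def normalize_url(url):
    """Reduce a URL to (scheme, host[:port], path) so cosmetic variants compare
    equal: case in scheme/host, an explicit default port, a trailing slash or a
    query string must not let a request slip past the block list."""
    p = urlsplit(url.strip())
    scheme = p.scheme.lower()
    host = (p.hostname or "").lower()
    default_port = {"https": 443, "http": 80}.get(scheme)
    netloc = host if p.port in (None, default_port) else f"{host}:{p.port}"
    path = p.path.rstrip("/") or "/"
    return scheme, netloc, path


_BLOCKED = {normalize_url(u) for u in BLOCKED_VERIFICATION_URIS}


def is_blocked_device_uri(url):
    """True when url is one of the device-flow verification/device-code endpoints."""
    return normalize_url(url) in _BLOCKED


def evaluate_signin(policy, request):
    """Conditional-access style decision on one sign-in.

    policy:  {"allowed_networks": [CIDR, ...], "allowed_countries": {"US", ...},
              "require_managed_device": bool}            (constructed schema)
    request: {"ip": str, "country": str, "device_managed": bool}
    Returns ("allow", reason) or ("block", reason)."""
    ip = ipaddress.ip_address(request["ip"])
    nets = [ipaddress.ip_network(n) for n in policy.get("allowed_networks", [])]
    if nets and not any(ip in n for n in nets):
        return "block", "source IP outside allowed networks"
    countries = policy.get("allowed_countries")
    if countries and request.get("country") not in countries:
        return "block", "sign-in from a location that is not allowed"
    if policy.get("require_managed_device") and not request.get("device_managed"):
        return "block", "unmanaged endpoint"
    return "allow", "policy satisfied"


def check_request(policy, request, url):
    """Apply both controls to one outbound request: URI block list first,
    then the conditional access rules on the sign-in context."""
    if is_blocked_device_uri(url):
        return "block", "device code verification URI is blocked"
    return evaluate_signin(policy, request)
```

The URI list is deliberately exact-match after normalisation: a prefix match on the login host would also block the normal authorize and token endpoints, so new device-flow endpoints (other tenants' paths, v2.0 variants) are added to the list rather than matched by pattern.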
practical considerations

Short expiration of user/device codes (15-30mins)
  ● phishing numbers game
  ● incorporate hosted website, generate codes dynamically
  ● use images for user code (no javascript allowed in email clients)
OAuth 2.0 device code authorization

Aspect                   | Microsoft                                      | Google
-------------------------|------------------------------------------------|------------------------------------------------
Server infrastructure    | None required                                  | None required
Application registration | None needed, can use large # of existing apps  | Some limited vendor apps e.g. Chrome
Consent screens          | No                                             | Partial (limited vendor apps)
Scopes                   | Implicit, default scopes, wide-range           | Very limited (user profile, drive access to app files, youtube info)
Lateral movement         | Easy to switch among large number of services  | No: strict limited scopes for device code flow
Logging                  | Partial (initial token access)                 | Partial
Prevention               | block URIs, cond access                        | block URIs, VPC perimeters
Detection                | Difficult                                      | Difficult
Remediation              | API to revoke user tokens                      | Delete/recreate user

Ongoing Research Areas
● Other flows[1]
● Any usability "requirements"
● Bypass consent e.g. implicit grants
● Default scopes[2]
● Consent[3]
● Browser auto-login and scope expansion e.g. Google uberauth (2013)[4][5]

[1] https://datatracker.ietf.org/doc/html/rfc6749#page-23
[2] https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-permissions-and-consent
[3] https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-permissions-and-consent
[4] https://gist.github.com/arirubinstein/fd5453537436a8757266f908c3e41538
[5] https://duo.com/blog/beyond-the-vulnerabilities-of-the-application-specific-password-exploiting-google-chrome-s-oauth2-tokens
Thank you

Questions

Open Source Tools
● Repo: https://github.com/netskopeoss/phish_oauth
● License: BSD-3-Clause

Contact
● [email protected]
● @jenkohwong
References
1.0 Evolving Phishing Attacks
1.1 A Big Catch: Cloud Phishing from Google App Engine and Azure App Service: https://www.netskope.com/blog/a-big-catch-cloud-phishing-from-google-app-engine-and-azure-app-service
1.2 Microsoft Seizes Malicious Domains Used in Mass Office 365 Attacks: https://threatpost.com/microsoft-seizes-domains-office-365-phishing-scam/157261/
1.3 Phishing Attack Hijacks Office 365 Accounts Using OAuth Apps: https://www.bleepingcomputer.com/news/security/phishing-attack-hijacks-office-365-accounts-using-oauth-apps/
1.4 Office 365 Phishing Attack Leverages Real-Time Active Directory Validation: https://threatpost.com/office-365-phishing-attack-leverages-real-time-active-directory-validation/159188/
1.5 Demonstration - Illicit Consent Grant Attack in Azure AD: https://www.nixu.com/blog/demonstration-illicit-consent-grant-attack-azure-ad-office-365 and https://securecloud.blog/2018/10/02/demonstration-illicit-consent-grant-attack-in-azure-ad-office-365/
1.6 Detection and Mitigation of Illicit Consent Grant Attacks in Azure AD: https://www.cloud-architekt.net/detection-and-mitigation-consent-grant-attacks-azuread/
1.7 HelSec Azure AD write-up: Phishing on Steroids with Azure AD Consent Extractor: https://securecloud.blog/2019/12/17/helsec-azure-ad-write-up-phishing-on-steroids-with-azure-ad-consent-extractor/
1.8 Pawn Storm Abuses OAuth In Social Engineering Attack: https://www.trendmicro.com/en_us/research/17/d/pawn-storm-abuses-open-authentication-advanced-social-engineering-attacks.html

2.0 OAuth Device Code Flow
2.1 OAuth 2.0 RFC: https://tools.ietf.org/html/rfc6749
2.2 OAuth 2.0 Device Authorization Grant RFC: https://datatracker.ietf.org/doc/html/rfc8628
2.3 OAuth 2.0 for TV and Limited-Input Device Applications: https://developers.google.com/identity/protocols/oauth2/limited-input-device
2.4 OAuth 2.0 Scopes for Google APIs: https://developers.google.com/identity/protocols/oauth2/scopes
2.5 Introducing a new phishing technique for compromising Office 365 accounts: https://o365blog.com/post/phishing/#oauth-consent
2.6 Office Device Code Phishing: https://gist.github.com/Mr-Un1k0d3r/afef5a80cb72dfeaa78d14465fb0d333

3.0 Additional OAuth Research Areas
3.1 Poor OAuth implementation leaves millions at risk of stolen data: https://searchsecurity.techtarget.com/news/450402565/Poor-OAuth-implementation-leaves-millions-at-risk-of-stolen-data
3.2 How did a full access OAuth token get issued to the Pokémon GO app?: https://searchsecurity.techtarget.com/answer/How-did-a-full-access-OAuth-token-get-issued-to-the-Pokemon-GO-app
