Jenko Hwong - New Phishing Attacks Exploiting OAuth Authentication Flows
New Phishing Attacks Exploiting OAuth Authorization Flows
August 7, 2021
Jenko Hwong
[email protected]
@jenkohwong
$ az ad signed-in-user show
[
  {
    "jobTitle": "Researcher",
    "department": "Threat Research Labs",
    "company": "Netskope, Inc.",
    "email": "[email protected]",
    "twitter": "@jenkohwong"
  }
]
Phishing Evolution: apps, fake domain, ssl cert, user/pwd
[Figure: classic credential phishing. 1 attacker phishes the victim (email, smtp); 2 victim enters credentials on a fake website over http(s), attacker steals username/password; 3 attacker browses to the real application and authenticates with the stolen credentials.]
+cloud: the fake website is hosted in cloud
controls
● sender reputation (1, phish)
● link analysis (domain/URLs/certs) on the phishing link
● content inspection (creds) on the http(s) traffic to the fake website
● MFA, IP allow policies (3, browse/auth with stolen creds)
Phishing Evolution: OAuth 2.0 auth code grant[1]
+cloud app authorization
[Figure: Application (client, device) <-> User <-> Identity Platform (authorization service)]
1 Request Authorization: application requests permissions (scopes), redirects user to Identity Platform
[1] https://datatracker.ietf.org/doc/html/rfc6749#page-24
Phishing Evolution: OAuth 2.0 auth code grant
+cloud app authorization: Payments
Phishing Evolution: OAuth 2.0 auth code grant
+cloud app authorization: GCP CLI
https://accounts.google.com/o/oauth2/auth?
response_type=code&
client_id=32555940559.apps.googleusercontent.com&
redirect_uri=http%3A%2F%2Flocalhost%3A8085%2F&
scope=openid+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fuserinfo.email+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fcloud-platform+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fappengine.admin+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fcompute+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Faccounts.reauth&
state=IMWlTK5Vlfab5gl4hKrleOxsylObop&
access_type=offline&
code_challenge=gU8ezZryqHCwAPyai2OLKaU-iPvbR62biGjQgGV6IRE&
code_challenge_method=S256
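The authorize URL above is what a practitioner doing link analysis has to read: which authorization server, which client, which scopes, where the code will be redirected, and whether a refresh token (access_type=offline) and PKCE are in play. The following is an added example (not code from the talk or from gcloud) that parses such a request and recomputes the PKCE S256 challenge the token endpoint checks in the later "request oauth tokens" step. The WIDE_SCOPES set is an assumption to tune per environment; the RFC 7636 Appendix B verifier/challenge pair is used as a known-answer check.

```python
"""Inspect an OAuth 2.0 authorization request (RFC 6749 sec. 4.1.1) and verify PKCE (RFC 7636).

Added example, not from the talk. GCLOUD_AUTH_URL is the gcloud CLI authorize URL shown on the
slide; WIDE_SCOPES is an assumption about which scopes deserve attention in link analysis.
"""
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlsplit

GCLOUD_AUTH_URL = (
    "https://accounts.google.com/o/oauth2/auth?"
    "response_type=code&client_id=32555940559.apps.googleusercontent.com"
    "&redirect_uri=http%3A%2F%2Flocalhost%3A8085%2F"
    "&scope=openid+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fuserinfo.email"
    "+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fcloud-platform"
    "+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fappengine.admin"
    "+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fcompute"
    "+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Faccounts.reauth"
    "&state=IMWlTK5Vlfab5gl4hKrleOxsylObop&access_type=offline"
    "&code_challenge=gU8ezZryqHCwAPyai2OLKaU-iPvbR62biGjQgGV6IRE"
    "&code_challenge_method=S256"
)

# Scopes that grant broad control over a GCP project (assumption: adjust to your environment).
WIDE_SCOPES = {
    "https://www.googleapis.com/auth/cloud-platform",
    "https://www.googleapis.com/auth/compute",
    "https://www.googleapis.com/auth/appengine.admin",
}


def parse_authorize_request(url):
    """Return the fields a reviewer needs from an authorization request URL."""
    parts = urlsplit(url)
    query = parse_qs(parts.query, keep_blank_values=True)

    def one(key):
        return query.get(key, [None])[0]

    # parse_qs decodes '+' to ' ', and scope is a space-separated list (RFC 6749 sec. 3.3).
    scopes = one("scope").split(" ") if one("scope") else []
    redirect = urlsplit(one("redirect_uri") or "")
    return {
        "authorization_server": parts.netloc,
        "client_id": one("client_id"),
        "response_type": one("response_type"),
        "redirect_host": redirect.hostname,
        "redirect_port": redirect.port,
        "redirect_is_loopback": redirect.hostname in ("localhost", "127.0.0.1", "::1"),
        "scopes": scopes,
        "wide_scopes": sorted(s for s in scopes if s in WIDE_SCOPES),
        "offline_access": one("access_type") == "offline",  # a refresh token will be issued
        "pkce": one("code_challenge_method") == "S256" and one("code_challenge") is not None,
        "has_state": bool(one("state")),  # CSRF binding of the redirect
    }


def pkce_challenge(code_verifier):
    """S256: BASE64URL(SHA256(ASCII(code_verifier))) without padding (RFC 7636 sec. 4.2)."""
    digest = hashlib.sha256(code_verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def new_pkce_pair():
    """Fresh verifier/challenge pair, as a native client generates before step 1."""
    verifier = base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode("ascii")
    return verifier, pkce_challenge(verifier)


def token_endpoint_accepts(code_challenge, code_verifier):
    """The check the token endpoint performs when the client redeems the authorization code."""
    return secrets.compare_digest(pkce_challenge(code_verifier), code_challenge)


if __name__ == "__main__":
    for key, value in parse_authorize_request(GCLOUD_AUTH_URL).items():
        print(f"{key}: {value}")
```

Reading the parsed output against the slide: a code flow to a loopback redirect with PKCE and state is the legitimate CLI pattern; the same client_id and scopes in a URL whose redirect_uri is not loopback, or a request with access_type=offline for cloud-platform scope from a client you do not recognise, is what the consent-phishing slides that follow are about.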
Phishing Evolution: fake OAuth login
+cloud app authorization
Phishing Evolution: fake OAuth login, check creds[1]
+cloud app authorization
● Controls
○ MFA, IP allow policies
○ link analysis (domain/URLs/certs)
○ content inspection (creds)
○ sender reputation
[1] https://threatpost.com/office-365-phishing-attack-leverages-real-time-active-directory-validation/159188/
Phishing Evolution: OAuth 2.0 auth code grant
+cloud app authorization protocol -- why do we care?
1. Hijack session tokens, not creds
2. REST APIs <=> remote exploit vs endpoint
[Figure: auth code grant between Application (client, device), User and Identity Platform (Azure AD, Google Identity)]
3 Authenticate and Authorize (user authenticates, MFA, consents to scopes):
GET https://accounts.google.com/o/oauth2/v2/auth?
client_id=32555940559.apps.googleusercontent.com&
response_type=code&
scope=https://www.googleapis.com/auth/cloud-platform&
access_type=offline&redirect_uri=www.myapp.com:9000
4 Redirect URL with Authorization Code:
GET http://www.myapp.com:9000?code=AwABAAAAvPM1KaP...
5 Request oauth tokens:
POST https://www.googleapis.com/oauth2/v4/token
client_id=32555940559.apps.googleusercontent....&
scope=https://www.googleapis.com/auth/cloud...&
client_secret=JqQXA298PB…&
code=AwABAAAAvPM1KaP…&
redirect_uri=www.myapp.com:9000
6 Oauth tokens:
{ "access_token": "ya29.a0ARrdaM9...",
"refresh_token": "1//06S3lSKyEHY…",
"scope": "https://www.googleapis...",
"expires_in": 3599,
"token_type": "Bearer" }
Phishing Evolution: OAuth 2.0 illicit consent grants[1]
+cloud app authorization protocol
[Figure: the same auth code grant flow (steps 3-6 above), driven by the attacker's application]
1. Malicious registered application
2. Get user consent for wide scopes / permissions[2]
Controls
1. Prevent users from registering apps in AD
2. Prevent users from consenting
[1] https://www.bleepingcomputer.com/news/security/phishing-attack-hijacks-office-365-accounts-using-oauth-apps/
[2] https://docs.microsoft.com/en-us/azure/active-directory/develop/application-consent-experience
Phishing Evolution: OAuth 2.0 device code authorization[1]
what's the purpose? to provide easier authentication/authorization on limited input devices e.g. smart TVs
[1] https://datatracker.ietf.org/doc/html/rfc8628
“I think there's an RFC for that.”
which, when implemented, looks something like this on your TV
with the real sign-in on a computer or mobile phone
Unusability is the father of insecurity
Phishing Evolution: OAuth 2.0 device code authorization[1]
+cloud app authorization protocol
Demo: OAuth 2.0 device code authorization
[Figure: Device (client, app), User, Identity Platform (Azure AD, Google Identity)]
1 Login (user -> device)
2 Get user/device codes (device -> Identity Platform, with client_id)
3 User/device codes:
{ "device_code": "AH-1NgM6boio...",
"verification_url": "https://www.google.com/device",
"user_code": "ZLGG-LQSP",
"expires_in": 1800,
"interval": 5 }
4 User code, verification URL shown on the device, manual instructions:
"1. Go to www.google.com/device
2. Enter: ZLGG-LQSP"
5 Authenticate and Authorize (user): 1. Goes to www.google.com/device 2. Enters: ZLGG-LQSP 3. Authenticates, including MFA
6 Device polls for oauth tokens with device_code and client_id; Oauth tokens returned:
{ "access_token": "ya29.a0ARrdaM9...",
"refresh_token": "1//06S3lSKyEHY…" }
[1] https://datatracker.ietf.org/doc/html/rfc8628
Phishing Evolution: OAuth 2.0 device code authorization
+cloud app authorization protocol: microsoft phish
[Figure: same device code flow, but the "device" is the attacker and step 1 (user login on a device) never happens]
2 Get user/device codes (attacker -> Azure AD, using an existing vendor client app):
POST https://login.microsoftonline.com/common/oauth2/devicecode?api-version=1.0
client_id=d3590ed6-52b3-4102-aeff-aad2292ab01c&
resource=https://outlook.office365.com
3 User/device codes (device_code, user_code, verification_url, expires_in, interval), as in the demo
4 Phish: "Here's your promotional product code:
1. Go to www.google.com/device
2. Enter: ZLGG-LQSP"
5 Authenticate and Authorize: victim goes to the real verification URL, enters the code, authenticates including MFA
6 Attacker polls for oauth tokens with device_code and client_id; Oauth tokens returned (access_token, refresh_token)
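The demo flow and the microsoft phish variant above are the same protocol; what changes is who holds the device_code. The following is an added example (not code from the talk) that simulates both sides of RFC 8628: an in-memory mock authorization server with the device-authorization and token endpoints, and an "attacker device" that requests codes with nothing but a client_id, builds the lure, and polls until the victim completes the real sign-in. The server, its verification URI, the codes, the tokens and the victim's identity are all simulated; the Microsoft Office client_id from the slide is used only as the accepted public client in the mock.

```python
"""RFC 8628 device authorization grant, simulated end to end, including the phish variant from
the slides: the "device" is the attacker's script and the victim is lured into entering the
user_code at the identity provider's real verification URL.

Added example, not code from the talk. The authorization server is an in-memory mock; only the
message shapes follow RFC 8628 (sections 3.2-3.5). Codes, tokens and the clock are simulated.
"""
import secrets
import string


class MockAuthorizationServer:
    VERIFICATION_URI = "https://idp.example/device"  # assumption: stands in for google.com/device
    INTERVAL = 5        # seconds between polls (RFC 8628 sec. 3.2 "interval")
    LIFETIME = 1800     # seconds until device_code/user_code expire ("expires_in")

    def __init__(self, known_clients):
        self.known_clients = set(known_clients)  # public client_ids the IdP accepts, e.g. a vendor app
        self.pending = {}                        # device_code -> authorization state
        self.by_user_code = {}                   # user_code -> device_code
        self.now = 0                             # simulated clock, seconds

    def device_authorization(self, client_id, scope):
        """Device authorization endpoint (sec. 3.1/3.2): a client_id is all that is needed.
        No client secret, no redirect_uri, no server the client has to run."""
        if client_id not in self.known_clients:
            return {"error": "invalid_client"}
        device_code = secrets.token_urlsafe(32)
        user_code = "-".join("".join(secrets.choice(string.ascii_uppercase) for _ in range(4))
                             for _ in range(2))  # short, typeable code like ZLGG-LQSP
        self.pending[device_code] = {"client_id": client_id, "scope": scope, "user_code": user_code,
                                     "issued_at": self.now, "last_poll": None, "approved_by": None}
        self.by_user_code[user_code] = device_code
        return {"device_code": device_code, "user_code": user_code,
                "verification_uri": self.VERIFICATION_URI,
                "expires_in": self.LIFETIME, "interval": self.INTERVAL}

    def user_approves(self, user_code, username, mfa_passed):
        """What happens in the victim's browser at verification_uri (sec. 3.3): sign in
        (MFA included) and type the code. For a known vendor client there is no consent screen."""
        device_code = self.by_user_code.get(user_code)
        if device_code is None or not mfa_passed:
            return False
        st = self.pending.get(device_code)
        if st is None or self.now - st["issued_at"] > self.LIFETIME:
            return False
        st["approved_by"] = username
        return True

    def token(self, client_id, device_code):
        """Token endpoint polled by the device (sec. 3.4/3.5)."""
        st = self.pending.get(device_code)
        if st is None or st["client_id"] != client_id:
            return {"error": "invalid_grant"}
        if self.now - st["issued_at"] > self.LIFETIME:
            del self.pending[device_code]
            return {"error": "expired_token"}
        if st["last_poll"] is not None and self.now - st["last_poll"] < self.INTERVAL:
            return {"error": "slow_down"}
        st["last_poll"] = self.now
        if st["approved_by"] is None:
            return {"error": "authorization_pending"}
        del self.pending[device_code]
        del self.by_user_code[st["user_code"]]
        return {"access_token": "at_" + secrets.token_urlsafe(24),
                "refresh_token": "rt_" + secrets.token_urlsafe(24),
                "scope": st["scope"], "expires_in": 3599, "token_type": "Bearer",
                "subject": st["approved_by"]}  # 'subject' is a simulation aid, not an RFC field


def attacker_run(idp, client_id, scope, victim_enters_code_at):
    """The attacker's 'device': get codes, put the user_code in a lure, poll until tokens arrive.
    victim_enters_code_at: simulated second at which the victim completes the real sign-in
    (None = the victim never bites, so the codes expire)."""
    codes = idp.device_authorization(client_id, scope)
    if "error" in codes:
        return None, codes
    lure = (f"Here's your promotional product code: 1. Go to {codes['verification_uri']} "
            f"2. Enter: {codes['user_code']}")
    approved = False
    while idp.now <= codes["expires_in"]:
        if victim_enters_code_at is not None and not approved and idp.now >= victim_enters_code_at:
            approved = idp.user_approves(codes["user_code"], "victim@example.com", mfa_passed=True)
        resp = idp.token(client_id, codes["device_code"])
        if "access_token" in resp or resp["error"] in ("expired_token", "invalid_grant"):
            return lure, resp
        idp.now += codes["interval"]  # honour the polling interval (sec. 3.5)
    return lure, {"error": "expired_token"}


if __name__ == "__main__":
    idp = MockAuthorizationServer({"d3590ed6-52b3-4102-aeff-aad2292ab01c"})
    lure, tokens = attacker_run(idp, "d3590ed6-52b3-4102-aeff-aad2292ab01c",
                                "https://outlook.office365.com", victim_enters_code_at=40)
    print(lure)
    print(tokens)
```

The run shows the points the slides make: the attacker's only inputs are a client_id the identity provider already trusts and a text message; MFA is completed by the victim; and once the victim types the code the next poll returns a bearer access token and a refresh token to whoever holds the device_code. The defensive lever visible in the code is the verification URI: if users cannot reach it (the blocking control on the next slide), step 5 cannot happen and the codes expire.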
Phishing Evolution: OAuth 2.0 device code authorization
+cloud app authorization protocol: microsoft phish -- why it works
1. No server infrastructure
2. No registered application, use existing vendor client app
3. No consent screen
4. Implicit, default scopes
5. Move laterally to other services
6. Logging limited (initial token logged as sign-in, but lateral move is not)
Phishing Evolution: OAuth 2.0 device code authorization
controls
1. Prevent: block verification URIs, use conditional access policies
● https://oauth2.googleapis.com/device/code
● https://microsoft.com/devicelogin
● https://login.microsoftonline.com/common/oauth2/deviceauth
● block access based on IP, location, endpoint characteristics
2. Detect
● Difficult
3. Remediate
● API to revoke all oauth tokens for a user
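"Detect: difficult" is accurate but not hopeless: the initial token issuance is logged as a sign-in, so a hunt can start from sign-ins that used the device code protocol. The following is an added example (not from the talk) that runs such a hunt over constructed sign-in records. The records are modeled on Azure AD sign-in log fields (userPrincipalName, appId, appDisplayName, ipAddress, authenticationProtocol, createdDateTime, resourceDisplayName); whether your export carries authenticationProtocol with a deviceCode value is an assumption to confirm against your tenant. The allowlist of clients expected to use device code (Azure CLI here) and the two heuristics are assumptions to tune.

```python
"""Hunt for OAuth device code sign-ins in identity provider sign-in logs.

Added example, not from the talk. SAMPLE_LOG is constructed and modeled on Azure AD sign-in log
fields; confirm field names and the 'deviceCode' protocol value in your own export. The
allowlist below is an assumption.
"""
import json
from collections import defaultdict

# Constructed sample. bob@example.com normally uses Microsoft Office interactively (oAuth2);
# the 13:41 record is a device-code sign-in on the same first-party client_id shown on the slide.
SAMPLE_LOG = """
{"createdDateTime":"2021-08-01T08:50:02Z","userPrincipalName":"alice@example.com","appId":"d3590ed6-52b3-4102-aeff-aad2292ab01c","appDisplayName":"Microsoft Office","ipAddress":"203.0.113.10","authenticationProtocol":"oAuth2","resourceDisplayName":"Office 365 Exchange Online"}
{"createdDateTime":"2021-08-01T09:00:12Z","userPrincipalName":"alice@example.com","appId":"04b07795-8ddb-461a-bbee-02f9e1bf7b46","appDisplayName":"Microsoft Azure CLI","ipAddress":"203.0.113.10","authenticationProtocol":"deviceCode","resourceDisplayName":"Windows Azure Service Management API"}
{"createdDateTime":"2021-08-01T09:05:44Z","userPrincipalName":"bob@example.com","appId":"d3590ed6-52b3-4102-aeff-aad2292ab01c","appDisplayName":"Microsoft Office","ipAddress":"203.0.113.22","authenticationProtocol":"oAuth2","resourceDisplayName":"Office 365 Exchange Online"}
{"createdDateTime":"2021-08-01T13:41:09Z","userPrincipalName":"bob@example.com","appId":"d3590ed6-52b3-4102-aeff-aad2292ab01c","appDisplayName":"Microsoft Office","ipAddress":"198.51.100.77","authenticationProtocol":"deviceCode","resourceDisplayName":"Office 365 Exchange Online"}
{"createdDateTime":"2021-08-01T14:02:31Z","userPrincipalName":"carol@example.com","appId":"d3590ed6-52b3-4102-aeff-aad2292ab01c","appDisplayName":"Microsoft Office","ipAddress":"203.0.113.30","authenticationProtocol":"oAuth2","resourceDisplayName":"Office 365 Exchange Online"}
"""

# Clients for which device code sign-ins are expected in this environment (assumption).
EXPECTED_DEVICE_CODE_CLIENTS = {"04b07795-8ddb-461a-bbee-02f9e1bf7b46"}  # Microsoft Azure CLI

SEVERITY_ORDER = {"info": 0, "medium": 1, "high": 2}


def parse_log(text):
    """One JSON object per line, as exported sign-in logs usually are."""
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]


def find_device_code_signins(events, expected_clients=EXPECTED_DEVICE_CODE_CLIENTS):
    """Return every device-code sign-in, annotated with why it is (or is not) suspicious.

    Heuristic 1: the client is not on the list of apps expected to use the device code flow.
    Heuristic 2: this user otherwise uses the same client interactively, so a device-code
    sign-in on it is a protocol change for the (user, app) pair. Both are assumptions to tune.
    """
    interactive_apps = defaultdict(set)  # user -> appIds seen with a non-deviceCode protocol
    for e in events:
        if e.get("authenticationProtocol") != "deviceCode":
            interactive_apps[e["userPrincipalName"]].add(e["appId"])
    findings = []
    for e in events:
        if e.get("authenticationProtocol") != "deviceCode":
            continue
        reasons = []
        if e["appId"] not in expected_clients:
            reasons.append("client not expected to use device code flow")
        if e["appId"] in interactive_apps[e["userPrincipalName"]]:
            reasons.append("user otherwise signs in to this client interactively")
        severity = "high" if len(reasons) == 2 else "medium" if reasons else "info"
        findings.append({"time": e["createdDateTime"], "user": e["userPrincipalName"],
                         "app": e["appDisplayName"], "appId": e["appId"], "ip": e["ipAddress"],
                         "resource": e.get("resourceDisplayName"),
                         "severity": severity, "reasons": reasons})
    return findings


def users_to_revoke(findings, min_severity="high"):
    """Remediation input: users whose OAuth tokens should be revoked (the slide's
    'API to revoke all oauth tokens for a user'). Revoking refresh tokens also cuts off the
    lateral movement that the sign-in log does not show."""
    return sorted({f["user"] for f in findings
                   if SEVERITY_ORDER[f["severity"]] >= SEVERITY_ORDER[min_severity]})


if __name__ == "__main__":
    found = find_device_code_signins(parse_log(SAMPLE_LOG))
    for f in found:
        print(f["severity"], f["time"], f["user"], f["app"], f["ip"], "; ".join(f["reasons"]))
    print("revoke:", users_to_revoke(found))
```

Alice's Azure CLI device-code sign-in comes out as info (expected client, no protocol change); Bob's Microsoft Office device-code sign-in comes out as high and lands on the revoke list. For Azure AD the revocation step the slide refers to is the per-user sign-in session revocation in Microsoft Graph; the subsequent token use against other services is what this hunt cannot see, so the revoke has to follow the detection promptly.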
practical considerations
                           Microsoft (Azure AD)                                   Google
Application registration   None needed, can use large # of existing apps         Some limited vendor apps e.g. Chrome
Scopes                     Implicit, default scopes, wide-range                   Very limited (user profile, drive access to app files, youtube info)
Lateral movement           Easy to switch among large number of services          No: strict limited scopes for device code flow
[1] https://datatracker.ietf.org/doc/html/rfc6749#page-23
[2] https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-permissions-and-consent
[3] https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-permissions-and-consent
[4] https://gist.github.com/arirubinstein/fd5453537436a8757266f908c3e41538
[5] https://duo.com/blog/beyond-the-vulnerabilities-of-the-application-specific-password-exploiting-google-chrome-s-oauth2-tokens
Thank you
Questions
Contact
● [email protected]
● @jenkohwong
References
1.0 Evolving Phishing Attacks
1.1 A Big Catch: Cloud Phishing from Google App Engine and Azure App Service: https://www.netskope.com/blog/a-big-catch-cloud-phishing-from-google-app-engine-and-azure-app-service
1.2 Microsoft Seizes Malicious Domains Used in Mass Office 365 Attacks: https://threatpost.com/microsoft-seizes-domains-office-365-phishing-scam/157261/
1.3 Phishing Attack Hijacks Office 365 Accounts Using OAuth Apps: https://www.bleepingcomputer.com/news/security/phishing-attack-hijacks-office-365-accounts-using-oauth-apps/
1.4 Office 365 Phishing Attack Leverages Real-Time Active Directory Validation: https://threatpost.com/office-365-phishing-attack-leverages-real-time-active-directory-validation/159188/
1.5 Demonstration - Illicit Consent Grant Attack in Azure AD: https://www.nixu.com/blog/demonstration-illicit-consent-grant-attack-azure-ad-office-365 and https://securecloud.blog/2018/10/02/demonstration-illicit-consent-grant-attack-in-azure-ad-office-365/
1.6 Detection and Mitigation of Illicit Consent Grant Attacks in Azure AD: https://www.cloud-architekt.net/detection-and-mitigation-consent-grant-attacks-azuread/
1.7 HelSec Azure AD write-up: Phishing on Steroids with Azure AD Consent Extractor: https://securecloud.blog/2019/12/17/helsec-azure-ad-write-up-phishing-on-steroids-with-azure-ad-consent-extractor/
1.8 Pawn Storm Abuses OAuth In Social Engineering Attack: https://www.trendmicro.com/en_us/research/17/d/pawn-storm-abuses-open-authentication-advanced-social-engineering-attacks.html