OAuth has recently become a proposed standard for web authorization, intended to solve security issues of resource sharing and is being deployed by all major service providers such as Google, Facebook, Twitter, etc.
We performed a security study of one of the world's largest implementations -- Facebook's OAuth 2.0 and in this presentation we will share a technical description of multiple high-impact security issues we uncovered including:
- Data leakage of private Facebook user information
- Theft of OAuth-specific credentials
- Bypassing authentication on third party web-sites
- Performing session fixation attacks
- Converting authorization protocol features into XSS on Facebook.com domains
We will demonstrate how easy it is to break OAuth 2.0 authorization and will show some interesting approaches to exploiting it's protocol weaknesses.
ABOUT ANDREY LABUNETS
Andrey is a student at the Tyumen State University doing his master's thesis on authorization protocols. He is also a bug hunter from academia, author of open source reverse engineering tool Windbgshark, fond of orange juice and tweets as @isciurus. He is currently a software engineer responsible for designing secure user data and trace analysis systems, development and delpoyment of a corporate DLP solution and reverse engineering of third-party software tools. Previously he worked on security & privacy projects as an intern at Russia's Digital Security Research Group and at Microsoft Research
ABOUT EGOR HOMAKOV
Egor Homakov is a web security researcher with a background in ruby/rails programming. His main fields of research are Ruby-ecosystem (for example Github hack and others were intended to make Rails better), authorization techniques (different OAuth hijacking tricks) and defensive security (sandboxing XSS with least privileges). He tweets as @homakov
Uploader: Hack In The Box Security Conference