OAuth Attacks Bypass MFA Protection

Whenever a phishing attack hits the headlines, the advice is always the same: train your employees to be suspicious, and use multi-factor authentication (MFA), followed by a mandatory discussion of how passwords aren’t enough to guarantee security anymore. This is generally good advice, but don’t be lulled into a false sense of security: MFA isn’t watertight, and two stories surfaced in May to prove it.

Many online services today have turned their back on repeated password entry, instead u’ing OAuth. This is an authorization mechanism that lets one site interact with another on your behalf, and it’s commonly used to sign into third party websites.

For example, a site supporting Google-based logins offers a ‘sign in with Google’ option that redirects you to Google’s sign-in screen if you’re not already signed into your Google account. It’s a way of enabling you to sign up for a service without filling out a new username and password form.

After you’ve signed into your Google account, the search giant returns you to the third party site with a request token. The third party site then shows that token to Google, which grants it an access token that lets it access the information you’ve authorized it to see in your account (in this case, your email address, to confirm that you’re signing in with your Google account). This token gives the site access to that information for a limited time, at which point you’ll have to repeat the process.

Google allows people to protect their accounts with MFA using its authenticator app, which protects this third party relationship too. Someone trying to sign into the third party site using your Google account would need your phone to complete the sign-in.

It’s possible to use OAuth to get around MFA, though. Anti-phishing company Cofense published a blog post showing how phishers were emailing their targets with links to documents that appeared to show a payment bonus. The link took the victim to a sign-in page using Microsoft’s OAuth-based Microsoft Graph authorization mechanism, but when the user entered their Microsoft account details, the redirect information in the link went to a fraudulent domain hosted in Bulgaria. The request that the fraudulent link made to Microsoft also gives it permission to refresh its token whenever it wants, effectively granting the cyber-criminals behind this scam permanent access to the victim’s Microsoft account.

“The OAuth2 phish is a relevant example of adversary adaptation,” explained Cofense. “Not only is there no need to compromise credentials, but touted security measures such as MFA are also bypassed; it is users themselves who unwittingly approve malicious access to their data.”

Single sign-on company Okta also published a demo showing how a malicious browser extension could be used to intercept the request token granted by a site like Google. The extension could then send the token to the attacker, who could use it to access the third party site. There are some protections to help prevent this kind of attack. Okta recommends Proof Key for Code Exchange (PXCE), an extension to OAuth that checks an additional secret when converting a request token to an access token.

So, MFA can help increase your security level, but it isn’t enough on its own. Scanning for phishing emails and training users continue to be vital components in multi-layered defense against cyber-attackers.

What’s Hot on Infosecurity Magazine?