OAuth 2.0 Protocol Used in the Facebook Login Process Is Vulnerable!

OAuth 2.0 is a security protocol used by many social networking websites for user authentication. Researchers have found two vulnerabilities in this protocol. Because of these flaws, an attacker performing a man-in-the-middle (MITM) attack can steal a user's credentials.

Three researchers from Trier University have found a pair of vulnerabilities in the OAuth 2.0 protocol. By exploiting them, an attacker can subvert single sign-on systems. Google+, Facebook and many other sites use this protocol for user authentication. The three security researchers are Ralf Küsters, Daniel Fett and Guido Schmitz.

According to the researchers, the first flaw is known as the HTTP 307 Temporary Redirect attack. In this flaw, the IdP (identity provider) forwards the user's credentials, namely the username and password, to the attacker, who acts as an RP (Relying Party). In the second flaw, a network attacker can impersonate the actual user by fooling the RP (Relying Party).

In the HTTP 307 attack, the attacker steals the user's credentials by having the user redirected to another link. The attacker learns the user's username and password at login time because the IdP uses a wrong HTTP redirection status code, which the attacker takes advantage of.

To fix this flaw, the use of only the HTTP 303 status code in OAuth 2.0 must be mandatory. It is safe because it does not allow ambiguity.

Using the second flaw, attackers can attack the Relying Party (RP) website. The attacker confuses the RP about which IdP is the right one during the authentication process. The RP cannot tell which IdP was used by the request at the start of the authentication process and which one is used at the end of the process.

The attacker does this by performing a man-in-the-middle (MITM) attack. The attacker can alter the user's data and fool the Relying Party, which believes that this data was sent by the actual user.

To fix this problem, the identity of the IdP must be included in OAuth's redirection process. A unique redirection endpoint is needed for every IdP, and the information the browser redirects to the Relying Party (RP) should be encoded in the request. This way the RP is able to detect any mismatch in the request.
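The following Python model, added here as an illustration and not taken from the researchers or from any OAuth library, shows both fixes described above: why a 303 redirect (unlike 307) keeps the credentials posted to the IdP from reaching the RP's redirect endpoint, and how an RP that uses one redirect endpoint per IdP and binds the chosen IdP to the `state` value detects a mix-up. Hostnames, the `Request`/`RelyingParty` classes and the credential values are constructed for the example.

```python
from dataclasses import dataclass, field

@dataclass
class Request:
    method: str
    url: str
    body: dict = field(default_factory=dict)

def follow_redirect(req: Request, status: int, location: str) -> Request:
    """Request a browser issues after a redirect (RFC 7231 semantics):
    307 re-sends the same method and body to Location, 303 switches to
    a body-less GET."""
    if status == 307:
        return Request(req.method, location, dict(req.body))
    if status == 303:
        return Request("GET", location, {})
    raise ValueError(f"status {status} not modelled")

def credentials_reaching_rp(redirect_status: int) -> dict:
    """Simulate the IdP login step: the user POSTs credentials to the IdP,
    which answers with a redirect to the RP's redirect endpoint. Returns the
    credential fields the RP (attacker-controlled in the attack) receives."""
    login_post = Request("POST", "https://idp.example/login",  # constructed
                         {"username": "alice", "password": "s3cret"})
    at_rp = follow_redirect(login_post, redirect_status,
                            "https://rp.example/callback?code=AUTHCODE")
    return {k: v for k, v in at_rp.body.items() if k in ("username", "password")}

class RelyingParty:
    """RP side of the mix-up mitigation: one redirect endpoint per IdP, and
    the IdP chosen at the start of the flow bound to the state value."""
    def __init__(self) -> None:
        self.pending: dict[str, str] = {}  # state -> IdP the user selected

    def start_login(self, idp: str, state: str) -> str:
        self.pending[state] = idp
        return f"https://rp.example/callback/{idp}"  # per-IdP redirect_uri

    def handle_callback(self, endpoint_idp: str, state: str) -> bool:
        """endpoint_idp is the IdP whose redirect endpoint received the
        browser; reject if it differs from the IdP recorded for this state
        (or if the state is unknown or already used)."""
        expected = self.pending.pop(state, None)
        return expected is not None and expected == endpoint_idp
```

In the mix-up scenario the RP has recorded the attacker's IdP for the state while the honest IdP's redirect lands on the honest IdP's endpoint, so `handle_callback` rejects the request instead of forwarding the code to the wrong IdP.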

Source: scmagazine.com