Many of us have received a phishing email that appears to come from a bank, saying something like "Dear Client, please log in to your account to verify your credentials." When you enter your details on the linked page, it shows "unable to login" or some other error message; in the background your credentials have already been stolen. That is classic email phishing: the attacker harvests the password itself.
The attack described here exploits OAuth, a web authorization protocol, and it is not specific to Google. OAuth, the open standard for authorization, is a standardized way for internet accounts to grant third-party applications limited access without handing over the account password. It is adopted by almost all web-based applications and platforms, consumer as well as enterprise, including Google Apps, Microsoft Office, Salesforce and many others.
OAuth powers the cloud: it enables the API economy and improves the user experience. In the wrong hands, however, an OAuth consent screen becomes a weapon, and that is a nightmare for IT security teams, because the victim is not tricked into typing a password into a fake page; the victim is tricked into granting a real, attacker-registered app access to their real account.
Example: the attacker registers a fake app with a plausible name, sets up the supporting infrastructure and sends a phishing email. The victim opens the email and clicks the link, which points at Google's genuine OAuth authorization page. The victim authenticates to Google (if not already signed in) and is shown a consent prompt listing the permissions the app requests, such as access to email and contacts, with Allow/Deny buttons. If the victim clicks Allow, Google issues an OAuth token (or an authorization code that the attacker's server exchanges for one), appends it to the redirect URL registered for the app, and instructs the victim's browser to redirect there. Since that redirect URL is on an attacker-controlled domain, the attacker now holds a token carrying the granted privileges. The attacker uses it to read the victim's contacts and send email from the victim's account, and so propagates the worm to the next set of victims.
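To make the flow concrete, here is an added example (my own code, not from the original article) that inspects the two URLs involved: the authorization request a phishing link points at, and the redirect that carries the token back to the attacker's domain. The client_id, the redirect host `docs-share-invite.example.net`, the trusted host `app.example-corp.com` and the token value are all constructed for illustration; the endpoint and parameter names follow Google's public OAuth 2.0 authorization-endpoint documentation.

```python
"""Inspect an OAuth 2.0 authorization request and the redirect that follows it.

Added example, not from the original article. All identifiers, hosts and
token values below are constructed for illustration.
"""
from urllib.parse import urlparse, parse_qs

# Hosts a legitimate integration is expected to redirect to. Constructed
# allow-list; in practice this comes from your approved-apps inventory.
TRUSTED_REDIRECT_HOSTS = {"app.example-corp.com"}

# Scopes that hand an app the mailbox and address book, which is exactly the
# access the worm described above needs to read contacts and send mail.
HIGH_RISK_SCOPES = {
    "https://mail.google.com/",
    "https://www.googleapis.com/auth/gmail.send",
    "https://www.googleapis.com/auth/contacts.readonly",
    "https://www.googleapis.com/auth/contacts",
}


def analyze_authorization_url(url: str) -> dict:
    """Return findings for an OAuth authorization-request URL."""
    params = parse_qs(urlparse(url).query)
    scopes = set(" ".join(params.get("scope", [])).split())
    redirect = params.get("redirect_uri", [""])[0]
    redirect_host = urlparse(redirect).hostname or ""
    response_type = params.get("response_type", [""])[0]

    findings = []
    if redirect_host not in TRUSTED_REDIRECT_HOSTS:
        findings.append(f"redirect_uri host not trusted: {redirect_host!r}")
    risky = sorted(scopes & HIGH_RISK_SCOPES)
    if risky:
        findings.append("high-risk scopes requested: " + ", ".join(risky))
    if response_type == "token":
        # Implicit flow: the access token itself is placed in the redirect URL.
        findings.append("implicit flow: token returned directly in redirect fragment")
    return {
        "client_id": params.get("client_id", [""])[0],
        "redirect_host": redirect_host,
        "scopes": scopes,
        "response_type": response_type,
        "findings": findings,
        "suspicious": bool(findings),
    }


def extract_token_from_redirect(redirect_url: str) -> dict:
    """Parse what the attacker's server sees once the victim clicks Allow.

    With response_type=token the access token rides in the URL fragment;
    with response_type=code an authorization code rides in the query string.
    """
    parsed = urlparse(redirect_url)
    fragment = parse_qs(parsed.fragment)
    query = parse_qs(parsed.query)
    return {
        "access_token": fragment.get("access_token", [None])[0],
        "code": query.get("code", [None])[0],
        "scope": fragment.get("scope", query.get("scope", [None]))[0],
    }


# Constructed sample phishing link (client_id and redirect host are fake).
PHISHING_AUTH_URL = (
    "https://accounts.google.com/o/oauth2/v2/auth"
    "?client_id=123456789012-fake.apps.googleusercontent.com"
    "&redirect_uri=https%3A%2F%2Fdocs-share-invite.example.net%2Fcallback"
    "&response_type=token"
    "&scope=https%3A%2F%2Fmail.google.com%2F%20"
    "https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fcontacts.readonly"
    "&state=xyz"
)

# Constructed sample of the browser's follow-up request to the attacker's domain.
ATTACKER_CALLBACK = (
    "https://docs-share-invite.example.net/callback"
    "#access_token=ya29.FAKE_TOKEN_VALUE&token_type=Bearer&expires_in=3599"
    "&scope=https%3A%2F%2Fmail.google.com%2F%20"
    "https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fcontacts.readonly"
)

if __name__ == "__main__":
    report = analyze_authorization_url(PHISHING_AUTH_URL)
    for finding in report["findings"]:
        print("FINDING:", finding)
    token = extract_token_from_redirect(ATTACKER_CALLBACK)["access_token"]
    print("token now held by attacker:", token)
```

Note that nothing in the authorization URL is forged: the host really is accounts.google.com and the consent page really is Google's. What gives the attack away is the combination of a redirect host nobody has vetted and scopes that grant full mail and contacts access, which is why an allow-list of approved apps and redirect hosts catches it while a password check never will.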
OAuth-based attacks slip past the standard password-centric defenses. Changing the password does not help, because the attacker never had it and the granted token stays valid. Enabling multi-factor authentication does not mitigate the risk either, because the victim completed Google's login and MFA legitimately before clicking Allow. The only fix is to revoke the malicious app's access in the account's connected-apps settings and, in an organization, to restrict which third-party apps users are allowed to authorize.
Thank you for reading this article.