
How Hackers Abuse OAuth


OAuth (Open Authorization) is a widely adopted open-standard authentication and authorization protocol that eliminates the need for applications to directly handle user login credentials. Developed by a community of contributors led by individuals such as Blaine Cook, Chris Messina, and Larry Halff, OAuth is a cornerstone protocol in modern identity management and has changed the way enterprises access their resources. The initial OAuth specification, OAuth 1.0, was released in December 2007. Since then it has undergone several revisions and improvements, leading to OAuth 2.0, which is the widely adopted version used today.

OAuth was initially devised as an authorization framework for enabling third-party applications to access user data without exposing credentials. However, OAuth has swiftly evolved into a vital tool for enterprise IT operations to facilitate secure access to a wide variety of resources and services. Alongside its myriad benefits, OAuth has also attracted the attention of attackers, who exploit its features and vulnerabilities to compromise user accounts and infiltrate organizational systems. 

In this article, we shed light on the evolving tactics employed by attackers to exploit this fundamental protocol.

How Attackers Are Abusing OAuth

Attackers have been found to abuse OAuth to achieve various goals across the cyberattack lifecycle. Here are three ways attackers have been observed abusing OAuth to conduct different types of cyber attacks.

1. Phishing Attacks Via OAuth

Phishing attacks are a very common way for cyber attacks to start, and are documented by IBM Security X-Force as the most common method attackers use to gain initial access.

OAuth phishing attacks can use several different techniques to trick users, either into granting access to a malicious application or into entering their credentials directly into a spoofed OAuth form.

OAuth Consent Phishing

OAuth consent phishing is an attack that tricks users into granting permissions to malicious apps, which can then access their account data and cloud services and perform actions on their behalf. Instead of relying on compromised credentials, consent phishing targets users who are able to directly authorize access to their personal cloud applications or to organizational data and services.

To protect against OAuth consent phishing, organizations should configure their cloud service settings to allow only trusted applications that meet specific criteria (also known as "accept listing"). Proactive application governance policies can also be established to monitor third-party application behavior on the Microsoft 365 platform and Google Cloud.

Administrators also need to monitor all accounts for OAuth apps displaying suspicious behavior and disable any unwanted or malicious apps. Organizations that suspect a breach should seek to reduce dwell time by investigating application activity logs, triggering internal breach investigation policies, and verifying that best practices for hardening against consent phishing attacks are being applied.
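The accept-listing and log-review advice above can be turned into a simple triage rule: any consent grant to an app not on the tenant's allow list is flagged, and flagged grants that carry mail, file or directory write scopes are marked for revocation. The following is an added example, not code from the original post; the allow list, the high-risk scope set and the newline-delimited JSON audit records are constructed for illustration and do not reproduce any vendor's real log format.

```python
import json

# Assumed tenant allow list ("accept list"): application IDs already reviewed by admins.
TRUSTED_APP_IDS = {"app-0001-crm", "app-0002-calendar"}

# Scopes that let an app read mail or files, act on the user's behalf, or keep access.
HIGH_RISK_SCOPES = {"Mail.ReadWrite", "Mail.Send", "Files.ReadWrite.All",
                    "Directory.ReadWrite.All", "offline_access"}

# Constructed consent-grant audit records (one JSON object per line), not a real vendor format.
SAMPLE_AUDIT_LOG = """\
{"user": "alice@example.test", "app_id": "app-0001-crm", "app_name": "CRM Connector", "scopes": ["Contacts.Read"]}
{"user": "bob@example.test", "app_id": "app-9f3a-unknown", "app_name": "Mail Backup Pro", "scopes": ["Mail.ReadWrite", "offline_access"]}
{"user": "carol@example.test", "app_id": "app-0002-calendar", "app_name": "Calendar Sync", "scopes": ["Calendars.Read"]}
{"user": "dave@example.test", "app_id": "app-7c21-unknown", "app_name": "Doc Viewer", "scopes": ["Files.ReadWrite.All", "Mail.Send"]}
"""

def parse_audit_log(text):
    """Parse newline-delimited JSON records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def triage_grant(record):
    """Return (verdict, reasons) for one consent grant.

    allow  - app is on the tenant allow list
    review - unknown app that asked only for low-risk scopes
    revoke - unknown app that was granted at least one high-risk scope
    """
    if record["app_id"] in TRUSTED_APP_IDS:
        return "allow", []
    reasons = ["app not on allow list"]
    risky = sorted(set(record["scopes"]) & HIGH_RISK_SCOPES)
    if risky:
        reasons.append("high-risk scopes: " + ", ".join(risky))
        return "revoke", reasons
    return "review", reasons

def triage_log(text):
    """Map (user, app_id) to its verdict for every grant in the log."""
    return {(r["user"], r["app_id"]): triage_grant(r) for r in parse_audit_log(text)}

if __name__ == "__main__":
    for (user, app_id), (verdict, reasons) in triage_log(SAMPLE_AUDIT_LOG).items():
        print(f"{verdict:6s} {user:20s} {app_id:18s} {'; '.join(reasons)}")
```

In a real tenant the same rule would be fed from the provider's consent audit log and the allow list from the application governance policy, with "revoke" verdicts routed to the breach investigation process described above.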

2. Using OAuth To Bypass Content Filters

Another powerful way that attackers abuse OAuth is to bypass firewalls and content filters, allowing them to covertly conduct the later stages of an attack, namely importing malware onto a device they have already gained initial access to. Since OAuth is used by many enterprise organizations, firewall rules and content filters are often configured to allow OAuth traffic to pass through the network unchecked.

Attackers can use this blind trust to their advantage. They can easily create their own OAuth cloud accounts with the same providers used by the target organization. For example, if an organization uses Google Workspace or Google Cloud services, an attacker can register for similar services under their own domain, making it hard to distinguish Internet requests that access the organization's own cloud service accounts from those that access the attacker's. Once the attacker can bypass network security controls, they can use their own cloud service accounts, such as email, cloud drive storage, or remote database queries, to import malware payloads and execute them.

3. Using OAuth For Cryptomining 

In a recent blog post, Microsoft highlighted the alarming trend of threat actors using compromised OAuth accounts for financial gain. In this scenario, the attacker uses stolen credentials, password spraying, or credential stuffing to gain unauthorized access to an organization's own cloud service accounts.

The attack process goes like this:

  1. Attackers gain unauthorized access to an OAuth account via stolen credentials, using attacks such as the one described above under "Phishing Attacks Via OAuth" or by other means.

  2. If the stolen account has high-level privileges, attackers create additional rogue accounts to maintain persistence in case their activity is discovered later.

  3. Attackers provision cloud resources using the compromised accounts and install cryptomining malware for financial gain.

Microsoft Threat Intelligence experts have found that attackers primarily concentrate on user accounts lacking robust authentication measures, such as multi-factor authentication. These attacks typically involve phishing to obtain stolen credentials, targeting users who are likely to own accounts with authority to create or modify OAuth applications. Also, since Bitcoin saw a price resurgence in late 2023, this type of attack will become increasingly attractive to attackers.
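The attack chain above (password spraying into accounts that lack MFA but can register OAuth apps, then rogue accounts and cryptomining) suggests a concrete detection: spot the spray pattern in sign-in logs, then check whether any account the sprayer signed into matches the exposed profile. This is an added example, not code from the original post or from Microsoft; the sign-in events and the directory of account attributes are constructed samples in a simplified shape, not any vendor's real log or directory format.

```python
from collections import defaultdict

# Constructed sign-in events as (source_ip, user, result); not a vendor log format.
SAMPLE_SIGNINS = [
    ("203.0.113.7", "alice@example.test", "fail"),
    ("203.0.113.7", "bob@example.test", "fail"),
    ("203.0.113.7", "carol@example.test", "fail"),
    ("203.0.113.7", "dave@example.test", "fail"),
    ("203.0.113.7", "erin@example.test", "success"),
    ("198.51.100.9", "alice@example.test", "fail"),
    ("198.51.100.9", "alice@example.test", "success"),
]

# Constructed directory: can the account create/modify OAuth apps, and is MFA enforced?
SAMPLE_DIRECTORY = {
    "alice@example.test": {"can_register_apps": False, "mfa": True},
    "bob@example.test":   {"can_register_apps": True,  "mfa": True},
    "carol@example.test": {"can_register_apps": False, "mfa": False},
    "dave@example.test":  {"can_register_apps": True,  "mfa": True},
    "erin@example.test":  {"can_register_apps": True,  "mfa": False},
}

def spray_sources(events, min_accounts=4):
    """Return {ip: set_of_users} for source IPs that attempted at least
    min_accounts distinct accounts. Many accounts from one IP with few
    attempts each is the password-spray signature, unlike brute force,
    which hammers a single account."""
    tried = defaultdict(set)
    for ip, user, _ in events:
        tried[ip].add(user)
    return {ip: users for ip, users in tried.items() if len(users) >= min_accounts}

def exposed_accounts(events, directory, min_accounts=4):
    """Accounts that a spray source signed into successfully and that can
    register OAuth apps without MFA: the profile the post says attackers
    concentrate on. Returned sorted for stable reporting."""
    sprayers = spray_sources(events, min_accounts)
    hits = set()
    for ip, user, result in events:
        if ip in sprayers and result == "success":
            acct = directory.get(user, {})
            if acct.get("can_register_apps") and not acct.get("mfa"):
                hits.add(user)
    return sorted(hits)

if __name__ == "__main__":
    print("spray sources:", sorted(spray_sources(SAMPLE_SIGNINS)))
    print("exposed accounts:", exposed_accounts(SAMPLE_SIGNINS, SAMPLE_DIRECTORY))
```

Real deployments would add a time window to the spray check and treat any hit as a prompt to review newly created accounts and app registrations made by that user, per steps 2 and 3 above.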

Conclusion

Attackers exploit OAuth to execute a wide array of attacks, whether for direct financial gain, as in cryptomining, or to defeat an organization's network defenses. Attacks on an organization's own OAuth-protected resources may rely on phishing or stolen credentials. Attackers also use OAuth as a tool in their exploit chain to bypass content filters.

Overall, understanding how OAuth works at a fundamental level as an authentication and authorization protocol, often for public cloud-based resources, is important for effectively implementing best practices to defend against all forms of attack, including consent phishing, password spraying, credential stuffing, and firewall/IDS bypass techniques.
