4. Researchers find that an OAuth 2.0 vulnerability can lead to account takeover
Title: OAuth 2.0 Vulnerability Leads to Account Takeover
Author info: November 08, 2016, by Ionut Arghire
//BEGIN
A vulnerability in OAuth 2.0 could result in an attacker being able to sign into a victim’s mobile app account and take control of it, security researchers have discovered.
In a recently published research paper (PDF) that was also detailed at the Black Hat Europe security conference, three researchers from the Chinese University of Hong Kong demonstrate the prevalence and severe impact of the vulnerability. According to the researchers, 41.21% of the 600 top-ranked Android apps that use the OAuth 2.0-based authentication service from Facebook, Google, and Sina are vulnerable.
Three scholars from the Chinese University of Hong Kong presented at this year's Black Hat Europe a method of breaking into phones through an OAuth 2.0-based authentication vulnerability. According to the paper the three researchers published, more than 40% of the top 600 Android apps that use an OAuth 2.0 authentication service can be attacked; these popular apps involve well-known names such as Facebook, Google and Sina Weibo.
//END
“After signing into the victim’s vulnerable mobile app account using our exploit, the attacker will have, in many cases, full access to the victim’s sensitive and private information which is hosted by the backend server(s) of the vulnerable mobile app. For some of these mobile applications, the online-currency/ service credits associated with the victim’s account are also at the disposal of the attacker,” the researchers say.
The researchers suggest that IdPs should provide 3rd-party application developers with clearer and more security-focused usage guidelines for their OAuth 2.0-based SSO APIs. The backend server of a mobile app should trust only information exchanged with the IdP server directly; IdPs should issue private user identifiers on a per-mobile-app basis; and IdPs should conduct or insist on more thorough security testing of 3rd-party mobile apps, the researchers also say.
The three researchers state that once the app on a user's phone has been successfully broken into, the attacker obtains full permissions and complete control over the compromised phone, and can then obtain the victim's identity information and other data such as payment details and online currency. In fact, much of this information is not stored on the phone at all but on the backend servers that support the app. The vulnerability described here essentially borrows the victim's phone to complete identity authentication, and thereby obtains the various sensitive data, and even money, that the user keeps on the backend server.
To prevent such attacks from succeeding, the researchers recommend that identity providers (IdPs) give third-party app developers clearer and more secure authentication guidelines, especially for OAuth 2.0-based single sign-on (SSO) application programming interfaces (APIs).
As for the backend server side, it should trust only information provided by the IdP service, and that information should be issued on a per-app basis.
//IdP: major Identity Providers, which supply user identities
//SSO: Single-Sign-On
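The two server-side recommendations above (verify with the IdP directly, and bind accounts to per-app user identifiers) as an added example, not code from the article or the paper; the IdP, its tokens and the user identifiers are constructed stand-ins so it runs offline:

```python
# Added example: a mobile-app backend login handler following the researchers'
# advice. The IdP verification endpoint is simulated by a dictionary lookup; a
# real backend would make a direct server-to-server call to the IdP instead.
from typing import Optional

APP_ID = "example-app"  # this app's client id at the IdP (constructed placeholder)

# Constructed IdP state: access_token -> (app the token was issued to, per-app
# user id). Note that the same person ("alice") gets a different identifier for
# each app, which is the per-mobile-app identifier the researchers recommend.
IDP_TOKENS = {
    "tok-alice-for-example-app": {"app_id": "example-app", "app_user_id": "u-alice-7f3"},
    "tok-alice-for-other-app": {"app_id": "other-app", "app_user_id": "u-alice-12b"},
}


def idp_verify_token(access_token: str) -> Optional[dict]:
    """Stand-in for the backend asking the IdP directly what a token is good for."""
    return IDP_TOKENS.get(access_token)


def login_vulnerable(request: dict) -> Optional[str]:
    """Anti-pattern the paper warns about: the backend accepts the user identifier
    and the 'already verified' flag that the mobile client relays, without ever
    contacting the IdP itself. Whatever the client asserts becomes the session."""
    if request.get("idp_verified"):
        return request.get("user_id")
    return None


def login_hardened(request: dict) -> Optional[str]:
    """Backend verifies the access token with the IdP directly, checks that the
    token was issued to *this* app, and binds the session to the IdP-returned
    per-app user id. Any client-supplied user_id is ignored entirely."""
    info = idp_verify_token(request.get("access_token", ""))
    if info is None:
        return None  # unknown, expired or never-issued token
    if info["app_id"] != APP_ID:
        return None  # token minted for a different app: not valid here
    return info["app_user_id"]
```

A request carrying only a client-asserted identity is accepted by `login_vulnerable` but rejected by `login_hardened`; a token issued to another app is rejected even though it belongs to a real user.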
//Download:
eu-16-Yang-Signing-Into-Billion-Mobile-Apps-Effortlessly-With-OAuth20-wp.pdf
File size: 382,513 bytes (373.55 KB)
MD5: 14DCF33490C4714046B17F653EBD8C9B
Is the title sensational or an overstatement? "Signing into One Billion Mobile App Accounts Effortlessly with OAuth2.0": effortlessly getting into the apps on a billion phones, mainly by exploiting OAuth 2.0.
Comment: a billion phones means a billion vulnerabilities.... What can be done about that?