Microsoft and Google OAuth Vulnerabilities Can Be Exploited in Phishing Attacks

news

Proofpoint announced that it has discovered a previously unknown set of methods to launch URL redirection attacks against vulnerable OAuth 2.0 implementations.

Microsoft and GitHub OAuth Implementation Vulnerabilities Lead to Redirection Attacks | Proofpoint US

Third-party cloud applications use OAuth 2.0 to gain limited access to protected user resources on major platforms such as Microsoft 365 and Google Workspace.

Proofpoint researchers began detecting these redirection attacks against Microsoft 365 environments in February 2020.

These attacks can evade phishing detection and email security solutions, and they make phishing URLs look legitimate to the recipient.

Proofpoint detected groups targeting Outlook Web Access, PayPal, Microsoft 365, and Google Workspace.

How the attack works

OAuth 2.0 is a widely adopted authentication protocol that enables web and desktop applications to access resources managed by the end user, such as email, contacts, profile information, and social accounts.

This authentication feature allows a user to grant access to a specific application, which creates an access token that other sites can use to access the user’s resources.

When developing an OAuth application, developers are free to choose different types of flows according to their needs.

Authentication and Authorization Flows
Learn about the various flows used for authentication and authorization of applications and APIs.

In these flows, the app developer needs to define certain parameters such as unique client ID, scope, and redirect URL to be opened after successful authentication.

Proofpoint found, however, that an attacker who registers a malicious OAuth app and modifies some of the parameters of an otherwise valid authentication flow can cause the victim to be redirected to a site or redirection URL supplied by the attacker.

This occurs after the victim clicks on a legitimate Microsoft URL, causing the victim to mistakenly believe that the URL is legitimate, even though they are being redirected to a malicious site.

This redirection is caused by modifying the “response_type” query parameter to contain an invalid value, and the victim is directed to a phishing page by Microsoft after authentication.

The same happens if the “scope” parameter is edited so that it causes an “invalid_resource” error.

This attack uses dozens of Microsoft 365 third-party applications with malicious redirection URLs defined.

All third-party applications were delivered via a Microsoft URL with a missing response_type query parameter with the goal of redirecting unsuspecting users to a different phishing URL.

The third attack scenario is that the user clicks the “Cancel” button on the consent screen, which triggers a redirect to the malicious application URL.

Proofpoint explains that depending on the OAuth flow selected, such as Azure Portal, it is possible to trigger a redirect before authentication.

By using a modified OAuth URL that causes an error in the authentication flow, a phishing attack can present a URL that appears legitimate but ultimately redirects to a landing page that attempts to steal login credentials.

Proofpoint has actually seen instances where this bug has been exploited to redirect users to phishing landing pages.

After analyzing the data, we found a large targeted attack using this exploit. The attack uses dozens of Microsoft 365 third party applications with malicious redirect URLs defined.

They have successfully targeted hundreds of tenant users who are Proofpoint customers, and the number is growing daily.

Wide range of issues

Other OAuth providers are affected by the same bug, and attackers can easily create trusted-looking URLs on them that redirect to malicious sites.

For example, anyone can register an OAuth app on GitHub, including attackers who create apps whose redirect URLs lead to phishing landing pages.

The attacker creates an OAuth URL that contains a redirect URL; GitHub ignores this parameter and uses the redirect defined by the app. To the user, however, the URL looks legitimate and appears safe to click.

In the case of Google, it’s even easier: the threat actor can register an OAuth application for sign-in and set a malicious URL in the “redirect_uri” parameter to take the victim there immediately after authentication.

Google does not verify this URL, so it could be anything from a phishing page to a site that plants malware.
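The parameter manipulations described in the two sections above (a missing or invalid response_type, a broken scope, and a redirect_uri pointing somewhere unexpected) can be checked for at the email-security layer before a link reaches a user. The following is an added example, not code from Proofpoint or the article; the authorization-endpoint hosts, the set of trusted redirect hosts, and the sample URLs are assumptions constructed for the demonstration.

```python
from urllib.parse import urlparse, parse_qs

# Authorization-endpoint hosts of the providers named in the article (assumed list).
AUTHZ_HOSTS = {"login.microsoftonline.com", "accounts.google.com", "github.com"}
# response_type values defined by OAuth 2.0 / OpenID Connect.
VALID_RESPONSE_TYPES = {
    "code", "token", "id_token", "code id_token", "id_token token",
    "code token", "code id_token token",
}


def inspect_oauth_url(url, trusted_redirect_hosts):
    """Return a list of findings for an OAuth authorization URL.

    An empty list means the URL either is not an authorization URL or shows
    none of the anomalies the article describes. trusted_redirect_hosts is
    the set of redirect hosts the organisation expects its apps to use.
    """
    findings = []
    parsed = urlparse(url)
    host = parsed.netloc.lower()
    path = parsed.path.rstrip("/")
    if host not in AUTHZ_HOSTS or not path.endswith(("/authorize", "/auth")):
        return findings  # not an authorization endpoint; nothing to check

    q = parse_qs(parsed.query, keep_blank_values=True)
    rt = q.get("response_type", [""])[0]
    if not rt:
        findings.append("response_type missing")
    elif rt not in VALID_RESPONSE_TYPES:
        findings.append(f"response_type invalid: {rt!r}")

    if "scope" in q and not q["scope"][0].strip():
        findings.append("scope empty")

    ru = q.get("redirect_uri", [""])[0]
    if ru:
        ru_host = urlparse(ru).netloc.lower()
        if ru_host not in trusted_redirect_hosts:
            findings.append(f"redirect_uri host not trusted: {ru_host!r}")
    return findings
```

A URL that yields any finding is a candidate for quarantine or for rewriting through a click-time interstitial rather than for outright blocking, since legitimate consent links also pass through these endpoints.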

The solution

Proofpoint’s report outlines several mitigations for these bugs. The most effective is not to ignore invalid parameters, but to display an error page instead.

Adding a delay before any automatic redirection, or requiring an extra click before redirecting, would also save many people from being phished.
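To make the two mitigations concrete, the following added example (not code from Proofpoint or any provider) models an authorization endpoint's decision logic in two forms: a spec-literal version that bounces bad parameters and user cancellations to the app's registered redirect URI with an error code, which is exactly the automatic redirect the article describes being abused, and a hardened version that renders an error page on the provider instead and puts an extra-click interstitial in front of the cancel redirect. The client registry and parameter names are constructed assumptions.

```python
from urllib.parse import urlencode, urlparse

# Constructed client registry: client_id -> registered redirect URIs. An attacker
# who registers their own app controls this entry, so redirect_uri checks alone
# do not help; what matters is whether the provider redirects on error at all.
REGISTERED_CLIENTS = {"app-123": {"https://app.example.com/cb"}}
VALID_RESPONSE_TYPES = {"code", "token", "id_token"}


def _check_client(params):
    """Return the registered redirect URI, or None if client/redirect_uri are not registered."""
    client = REGISTERED_CLIENTS.get(params.get("client_id"))
    redirect_uri = params.get("redirect_uri")
    if client is None or redirect_uri not in client:
        return None
    return redirect_uri


def authorize_weak(params):
    """Spec-literal behaviour: other parameter errors and a cancel are sent to the
    registered redirect_uri as an error response, i.e. an automatic redirect."""
    redirect_uri = _check_client(params)
    if redirect_uri is None:
        return ("error_page", "unknown client or unregistered redirect_uri")
    if params.get("response_type") not in VALID_RESPONSE_TYPES:
        return ("redirect", redirect_uri + "?" + urlencode({"error": "unsupported_response_type"}))
    if not params.get("scope", "").strip():
        return ("redirect", redirect_uri + "?" + urlencode({"error": "invalid_scope"}))
    if params.get("user_action") == "cancel":
        return ("redirect", redirect_uri + "?" + urlencode({"error": "access_denied"}))
    return ("consent_screen", redirect_uri)


def authorize_hardened(params):
    """Mitigations from the report: invalid parameters render an error page on the
    provider and never redirect; a cancel shows an interstitial that names the
    destination host and requires the user to click again."""
    redirect_uri = _check_client(params)
    if redirect_uri is None:
        return ("error_page", "unknown client or unregistered redirect_uri")
    if params.get("response_type") not in VALID_RESPONSE_TYPES:
        return ("error_page", "unsupported response_type; no redirect performed")
    if not params.get("scope", "").strip():
        return ("error_page", "invalid scope; no redirect performed")
    if params.get("user_action") == "cancel":
        host = urlparse(redirect_uri).netloc
        return ("interstitial", f"You cancelled. Click to continue to {host}")
    return ("consent_screen", redirect_uri)
```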

Phishing attacks targeting unsuspecting users are the most successful way to steal their credentials and break into their organization’s network. Email protection systems are powerless against these attacks.

These attacks exploit the OAuth infrastructure to deliver malicious emails to the target without being detected. Such attacks on PayPal result in the theft of credit card and other financial information. Phishing attacks on Microsoft can lead to fraud and intellectual property theft.

The Internet Engineering Task Force (IETF) has provided additional security recommendations for those deploying OAuth servers for authentication.
