As companies continue to move their key data to cloud applications such as Google for Work, Office 365, Box and Dropbox, it is important to understand what OAuth is: an authentication feature that with a single click can grant an untrusted application, or even an attacker complete access to a user's corporate email, cloud drive and personal data. In this blog series, we'll discuss what OAuth is, as well as new threat vectors including malicious applications and spear phishing applications that create a new kind of risk for businesses.
WHAT IS OAUTH?
OAuth is an open standard for providing access to accounts and resources that is commonly used as a way for Internet users to allow 3rd party applications access to their information and data in Cloud SAAS providers using their Microsoft, Google, Facebook or Twitter accounts, without exposing their password.
According to IETF RFC 6749, OAuth allows access tokens to be issued to third-party clients by an authorization server, with the approval of the resource owner. The application then uses the access token and scopes granted by the user to access the protected resources. These resources can be: access to profile information, contact lists, the ability to send and download email and files on behalf of the user--all without ever sending over a password!
HOW WE SEE EMPLOYEES USING OAUTH
Our platform, MACIE, keeps track of every OAuth request and we have found some common themes amongst organizations.
• Over 600 external applications granted access to some level of corporate data to date
• 100,000+ external application accesses per day by large organizations
• 21% of those applications have at least read access to a user's cloud drive
• 19% of those applications have read access to the user's email
• 65% have access to the user's contact list
Above is a screen shot on our harvest.ai internal environment with our product, MACIE Analytics. On a typical enterprise network, we see hundreds of apps and 100,000's of connections per day. We try to make it as simple as possible for companies to understand and build policies around what types of apps get to access what kinds of data.
When considering that 65% of 600+ applications have access to a user’s contact list, that could open opportunities for malicious actors to move laterally across their target with social engineering (We cover this in more detail in part 2 of this article.). Social engineering doesn't seem so bad when you put into context the 21% of applications that have read access to a user’s cloud drive, a major security vulnerability if a threat actor gains access to these applications.
MACIE MANAGES OAUTH
Vetting the sheer amount of Oauth applications (over 600 different applications we have seen to date) for legitimacy and having the infrastructure to revoke access to the app in real-time is a technical challenge. As there is not currently a way to "blacklist" OAuth applications with most cloud services, we have opted to build a really fast way (within a second) to revoke accesses via policy or blacklist once we are made aware via event streams. Want to see this in action? Check out our blog post on stopping Cryptowall.
How does one determine the legitimacy of an OAuth application? Should employees be allowed to use OAuth when the application requests read access to their cloud? These are some of the many important questions that we at harvest.ai will help your organization understand and create policy around.
Stay tuned for part 2 of this article, where I will dive deeper into OAuth exploitation trends.
Post by Alex Watson, Founder, CEO 405labs
Former Senior Director of Security Research at Websense. CTO at BTS. Co-Founder of APX Labs. Over 10 years experience in the US Intelligence Community.