Part 2: OAuth Exploitation in Action

The first part of this article helped explain what OAuth is and how we are seeing it be used with corporate credentials, and now, I will delve into trends around OAuth abuse.  

MALICIOUS SOCIAL ENGINEERING APPS

We are seeing opportunistic applications use social engineering in highly successful campaigns to entice users to grant access to company email, files and contact lists with just a few clicks. While we're mostly seeing these techniques being abused by SPAM bots, there are some very real implications here around targeted attacks and spear phishing.

Above: Example OAuth application permission request

Applications such as "Friend Connect" (just to be clear, not "Google Friend Connect"), a.k.a. "Flipora" a.k.a. "Infoaxe" (somewhat entertaining feedback) are making an evolution from the traditional approach of malicious applications stealing passwords and contact lists from compromised endpoints to a more nuanced approach of using social engineering to get a user to grant access to data stored in services such as Google for Work, Office 365, Box and Dropbox. We mostly see these applications using the stolen accesses to, you guessed it, send SPAM; but as I later demonstrate, it could be much worse.

Notice how "Friend Connect" redirects to the known malicious / annoying "Flipora" callback URL during the OAuth process

Notice how "Friend Connect" redirects to the known malicious / annoying "Flipora" callback URL during the OAuth process

As shown above, the OAuth scopes requested by the borderline malicious "Friend Connect" application include complete read access to a user's corporate Inbox, sent box, drafts, contact lists and profile information. Currently the app appears to be primarily used to access a user's contact list, and send invites and SPAM to people on that list to continue spreading. The scary part is that with a single click, and never sharing their password users are granting applications such as this complete read access to their corporate email. 

Example "Friend Connect" OAuth requests and scopes as viewed in the Google Admin Console, granted complete read access to Gmail and contact lists

 

WHY IS THIS A BIG DEAL?

Traditional security systems such as firewalls, web security gateways and IDS have nearly no way to monitor or stop the infection or spread of OAuth based SPAM bots or even legitimate applications that you probably don't want to have access to your company's data. Why? Resetting user passwords doesn't help as there aren't passwords that are stolen. AntiVirus and web security gateways can't help because endpoints aren't actually infected and might be connecting from mobile locations. In this case, external applications are using Token access unwittingly granted by users with scopes such as accessing contact lists, and downloading and sending email directly through the cloud provider. IT admins are forced to manually step through the cloud provider interface to investigate and revoke OAuth tokens for each unapproved application and user. (Ouch!)

In addition to applications such as "Friend Connect," there is a second and much larger class of legitimate applications that can be granted very wide access to your company's data by users unwittingly signing in with their credentials and granting access to their email and cloud drives. These applications may access or store data in a way that is not safe or consistent with your company's policy or regulatory needs.

 

FINAL THOUGHTS

Admittedly, SPAM bots are a little different than the more advanced threat topics that we usually focus on, but these applications have hit a soft spot in enterprise security that companies need to be aware of. 

OAuth accesses have serious implications for businesses from a data protection perspectiveeffectively with one click a user can grant complete access to their corporate resources, and corporations need to have measures in place (such as OAuth application white and blacklisting) to be part of their security strategy as they move critical or regulatory-protected assets to the cloud.

What we're concerned about is the fact that technologies such as OAuth that are meant to protect users, by easily allowing them to grant certain accesses to applications without having to provide a password, are being abused by malicious applications in a way that creates a great deal of risk for businesses and requires new education for users. In addition to mass malware and phishing, there are some pretty wide implications around targeted attacks and spear phishing that we'll touch on in a follow-up post.


Post by Alex Watson, Founder, CEO harvest.ai

Former Senior Director of Security Research at Websense. CTO at BTS. Co-Founder of APX Labs. Over 10 years experience in the US Intelligence Community.