Exploring Frans Rosén’s bypass of OAuth security

Hijacking a random user’s account can be a dream goal of many malicious hackers. This can occur through traditional methods of data leaks and brute force passwords, but with additional security measures more commonplace, such as 2FA or OAuth, it (hopefully) is becoming harder to simply guess and check.

An attacker’s ideal exploit is something called a zero-click. This occurs when attackers figure out some exploit in which they can send some form of communication (sms, email, etc. depending on the exploit), and with zero interaction with the malicious content by the user, the attacker can compromise a victim’s device, account, etc. When these exploits are discovered, they usually make the news.

The second best an attacker can do is a one-click exploit. This is like a zero-click, but it requires a minimal interaction (i.e one click) from the victim for the attacker to take over. These are clearly extremely dangerous as well, and security researcher Frans Rosén figured out a way to perform such an attack on any user using Apple sign-in on Reddit, resulting in a $10,000 bounty.

I will be going over Frans Rosén’s technical blog post “Account hijacking using “dirty dancing” in sign-in OAuth-flows” and his HackerOne report receiving a $10,000 bug bounty from Reddit. All techniques referenced in this article will originate from Rosen’s work, and those two reports will contain a full technical analysis. Note that this took a long time to discover and was not an easy find.

Many popular sites, such as Amazon, Google, and Apple, provide OAuth services to allow users to sign into other sites, such as Reddit. When implemented correctly, the OAuth can be a great way to perform secure authorization. However, like anything, even a small error can allow for a bypass of authentication and lead to account takeover.

As Rosén calls it, a “happy OAuth-dance” typically follows the format of the above image. Some form of token or code is issued to a validated user, and then the validation is performed, which consumes the resources. Once the resources are used, they cannot be used again. In one of the ways the handling of the tokens occurs, which is called response_mode=fragment, the tokens are actually put in the href through the use of fragments.

Rosén was also extremely interested and has developed tools to track the use of window.postMessage(), which allows for cross-origin communication. He theorized that it was maybe possible to turn the “happy” dance into a “dirty” dance, where the OAuth process entered a state where the issued tokens are still available to use but still available through the URL and then leaked through the postMessage().

Rosén’s was able to build a working one-click account hijacking on Reddit users using the Apple sign-in. The first step is to go through the valid Apple sign-in process to get a valid state for the attacker, which is used to verify the user making the request. Once the attacker has this, using Rosén’s example, the attacker would be able to prepare a malicious page that includes an iframe of www.redditmedia.com , which allows for communication through the URL. This iframe would create a link for the user to login with the Apple sign-in process for Reddit with the attacker state loaded. This iframe also calls on the OAuth with a specific response_type and response_mode , which Reddit didn’t prevent, to force the OAuth verification process to leak the tokens in the fragment of the URL. Once the victim logs in, the URL becomes https://reddit.com/#state=xxx&code=xxx&access_token=xx, which the attacker can access through the iframe using XSS since they have the same domain. Once the tokens have been stolen, the attacker can log in as the victim! Note: Looking at this report as well as previous reports, Reddit’s team appears to be very responsive, happy to work to fix these bugs, and aims for full-disclosure, so kudos to their team as well.

That is a basic summary of how Rosén’s exploit works! However, I am extremely simplifying and omitting much of the detail on how exactly Rosén was able to create this OAuth hijack. I extremely encourage everyone who is interested to go to his blog post “Account hijacking using “dirty dancing” in sign-in OAuth-flows” and his HackerOne report to fully read about all the interesting technical nuances and reasons why this works. It is truly fascinating.

Incredible work again by Frank Rosén, and congrats on your $10,000 bounty. Thanks for reading through and please leave any constructive feedback, suggestions, or questions below! If you enjoyed, please consider following me on Medium or buying me a coffee. Contact me at [email protected], follow me on twitter, and connect with me on LinkedIn!