OAuth 2.0 hack exposes 1 billion mobile apps to account hijacking

I was going to post this last week but thought it wasn’t important enough. After reading the “New Auth Flow” RFC and seeing it reference OAuth, I figured I’d share it for informational purposes.


EDIT: A comment at the bottom stated: This is no OAuth vulnerability; anybody who has had to deal with an OAuth implicit flow implementation server-side knows that they have to validate the user id sent by the client.
Anything sent from the client should never be trusted.

So I’ll just leave it here for the members of this forum to judge.



For information: Steve Gibson’s ‘Security Now!’ podcast from November 8th went into some depth on this topic if anyone’s interested in listening to it. The show notes transcript is here.

Edit: Oh, I should probably give credit to this comprehensive formal security analysis of OAuth 2.0 and the 95-page technical report!


Yeah, OAuth 2.0 is a very poorly specified protocol. I mean, OAuth was conceived so as not to have to expose the username and password, but in version 2.0 of the spec, signing in by transferring the username and the password is an explicit feature. What the actual F?

So it does not come as a surprise that those who actually implemented it have not done a great job. Side note: despite the article claiming so, Facebook is using its own auth protocol, which is closer to OAuth 1.0 than to 2.0. However, sure, the attack is possible if the server doesn’t actually check the user-provided values.

Important: This isn’t affecting us or our new system, though. This attack is intercepting the client-server connection with the third-party server during the authentication. In our model, we are more like Facebook itself, and if anyone used our access token to sign in with your app (wat???), they very likely want to use that token to access the network, and that would fail in the described scenario.
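To make the “check the user-provided values” point concrete, here is an added example that is not from this thread or from any of the systems discussed in it. It models the backend side of a “log in with provider” flow against a stub identity provider so it runs offline; the field names (`sub`, `aud`, `exp`), the introspection call and the app ID are assumptions, not any real provider’s API. The vulnerable handler binds the session to whatever user id the client sent as long as the token exists; the hardened handler takes the identity from the provider’s answer, checks the token was issued to this app, and rejects a client claim that does not match.

```python
"""Added example (not from the thread): a backend 'log in with provider'
endpoint done the trusting way versus the validating way.  The identity
provider is a stub so this runs offline; field names, the introspection
call and OUR_APP_ID are assumptions, not any real provider's API."""
import time
from dataclasses import dataclass

OUR_APP_ID = "app-1234"  # assumed: the client ID the IdP registered for this app


@dataclass(frozen=True)
class TokenInfo:
    sub: str    # user the token was issued for
    aud: str    # app (client ID) the token was issued to
    exp: float  # unix expiry time


class StubIdP:
    """Stand-in for the provider's token-info / introspection endpoint."""

    def __init__(self):
        self._tokens = {}

    def issue(self, sub, aud, ttl=3600):
        tok = f"tok-{sub}-{aud}-{len(self._tokens)}"
        self._tokens[tok] = TokenInfo(sub, aud, time.time() + ttl)
        return tok

    def introspect(self, token):
        """Return TokenInfo for a token this IdP issued, or None otherwise."""
        return self._tokens.get(token)


def vulnerable_login(idp, client_user_id, client_token):
    """Trusts the user id the client sent; only checks that the token exists.
    Returns the user id the session would be bound to, or None on failure."""
    info = idp.introspect(client_token)
    if info is None:
        return None
    # Bug: an attacker-controlled value becomes the session identity.
    return client_user_id


def hardened_login(idp, client_user_id, client_token):
    """Derives the identity from the IdP and checks audience, expiry and
    that the client's claim matches what the IdP says."""
    info = idp.introspect(client_token)
    if info is None:
        return None
    if info.aud != OUR_APP_ID:          # token was issued to some other app
        return None
    if info.exp <= time.time():         # stale token
        return None
    if info.sub != client_user_id:      # client claimed to be someone else
        return None
    return info.sub                     # identity comes from the IdP, not the client


def demo():
    """Constructed scenario: the attacker knows the victim's (public) user id
    and holds valid tokens for their own account only."""
    idp = StubIdP()
    victim, attacker = "victim", "mallory"
    foreign_token = idp.issue(attacker, "some-other-app")  # issued to another app
    own_token = idp.issue(attacker, OUR_APP_ID)            # issued to this app
    return {
        "vuln_foreign_token": vulnerable_login(idp, victim, foreign_token),
        "vuln_own_token": vulnerable_login(idp, victim, own_token),
        "hard_foreign_token": hardened_login(idp, victim, foreign_token),
        "hard_own_token": hardened_login(idp, victim, own_token),
        "hard_legit": hardened_login(idp, attacker, own_token),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Both vulnerable cases log the attacker in as `victim`; the hardened handler only ever returns an identity the provider vouched for, and only for a token minted for this app.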


I think I read Tumblr refused to switch because they considered it so broken compared to 1.

Years ago, Eran Hammer (“Author of the most hated web standard of all times,” from his Twitter intro) wrote a blog post about it, too:

[…] I reached the conclusion that OAuth 2.0 is a bad protocol. WS-* bad. It is bad enough that I no longer want to be associated with it. It is the biggest professional disappointment of my career.


I’m hoping this wasn’t taken as implying the article had anything to do with what the team was doing. I brought it as an FYI to the team. Thanks again for everything you guys are doing! Cheers!