InfoSec Write-ups – Medium
Internet Bank Account Takeover of +1M users — Real Scenario

OAuth is an open protocol to allow authorization in a simple and standard method from web, mobile and desktop applications. OAuth is an open standard for access delegation, commonly used as a way for Internet users to grant websites or applications access to their information on other websites but without giving them the passwords. This mechanism is used by companies such as Amazon, Google, Facebook, Microsoft, and Twitter to permit the users to share information about their accounts with third party applications or websites. [Wikipedia]
OpenID Connect 1.0 is a simple identity layer on top of the OAuth 2.0 protocol. It allows Clients to verify the identity of the End-User based on the authentication performed by an Authorization Server, as well as to obtain basic profile information about the End-User in an interoperable and REST-like manner. OpenID Connect allows clients of all types, including Web-based, mobile, and JavaScript clients, to request and receive information about authenticated sessions and end-users. [https://openid.net/]
One well-known online banking application uses the OAuth 2.0 protocol and OpenID Connect 1.0 to authenticate and authorize its users. Let me explain the scenario.
The bank's authorization server accepts an authentication request that includes parameters defined by both the OAuth 2.0 and OpenID Connect 1.0 specifications. To log in to your internet banking account, you must enter credentials consisting of a username/national ID and a password.
If you have already been identified and registered with the bank, you can log in to your account with your username/national ID and password.
Next, I clicked the “Forgot your password?” button. In this step, the user must enter her/his national ID and mobile number to change the password; to confirm the entered information, an OTP code is sent to the user's phone number.
Then I entered my identity information and got this error message: “mobile and username are not matched”. The reason is that my mobile number does not exist in the database; I was not registered with this mobile number.
The request is as follows:

and the response is:

OMG! When I clicked the login button again, the status code changed to 302 and I was successfully logged in to my internet bank account! What happened?
The request is as follows:

The response is:

And the next request and response are as follows:


And finally, I logged in to my internet bank account.
The request is:

The response is:

I used a national ID database and wrote a handy exploit to hack +1M accounts. In figures 1 through 3, you can see some of the accounts that were hacked.



OK. What is the cause of this vulnerability?
Improper implementation of the OAuth protocol is the reason for this security breach. In this case, the developer assigned an access token to the user account before the OTP was sent to the phone number to verify it. If the victim's national ID is in the database, it is authenticated by OpenID and the user is redirected back to the application with an access token in the URL fragment. This is the Implicit Grant Type of OAuth!
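To make that ordering concrete, here is an added example (not the bank's or the author's code) in Python that contrasts the flawed sequence described above with one that mints a token only after the OTP has been verified; the user directory, the session object and all function names are constructed for illustration.

```python
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional

# Constructed sample user directory: national ID -> registered mobile number.
USERS = {"0012345678": "+15550001111"}

@dataclass
class ResetSession:
    national_id: str
    mobile: str
    otp: Optional[str] = None
    otp_verified: bool = False

def vulnerable_authorize(national_id: str, mobile: str) -> Optional[str]:
    """Flawed ordering (simplified model of the bug above): the token is
    minted as soon as the national ID exists, before the mobile number is
    checked and before any OTP is confirmed."""
    if national_id not in USERS:
        return None
    token = secrets.token_urlsafe(16)   # issued too early
    if USERS[national_id] != mobile:
        pass  # an error is shown, but the token already exists
    return token

def start_reset(national_id: str, mobile: str) -> Optional[ResetSession]:
    """Hardened step 1: only a matching (ID, mobile) pair opens a session,
    and the session carries no token yet."""
    registered = USERS.get(national_id)
    if registered is None or not hmac.compare_digest(registered, mobile):
        return None
    # The OTP would be delivered out of band to `mobile`; it is kept server-side.
    return ResetSession(national_id, mobile, otp=f"{secrets.randbelow(10**6):06d}")

def verify_otp(session: ResetSession, submitted: str) -> bool:
    """Hardened step 2: constant-time compare; the code is single-use."""
    ok = session.otp is not None and hmac.compare_digest(session.otp, submitted)
    session.otp = None            # burn the code whether or not it matched
    session.otp_verified = ok
    return ok

def issue_token(session: ResetSession) -> Optional[str]:
    """Hardened step 3: a token exists only after OTP verification,
    and each verification yields at most one token."""
    if not session.otp_verified:
        return None
    session.otp_verified = False
    return secrets.token_urlsafe(16)
```

The `hmac.compare_digest` calls assume ASCII inputs, which holds for the digit strings and phone numbers used here.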
NB: This vulnerability has already been patched, and this write-up has been prepared for study and learning purposes only.
NB: Based on our agreement, I do not mention the target bank's name.
Internet Bank Account Takeover of +1M users — Real Scenario was originally published in InfoSec Write-ups on Medium.