The New OAuth Flaw That Leaves Over a Billion Mobile Accounts Exposed

Updated on April 30, 2018 by UpGuard

Your website's perimeter security couldn't be any better: sitewide TLS and DMARC/DNSSEC are enabled, software versions aren't being leaked in your headers, and all other resilience checks are green. But how secure is your mobile app? Unfortunately, like most companies, you've outsourced mobile app development to a third-party agency and have little visibility into its security practices. And if your app supports Facebook or Google sign-in, you may be in trouble: security researchers recently disclosed an OAuth 2.0 implementation flaw that has already left over a billion mobile app accounts exposed.

OAuth 2.0 is a popular, open authorization protocol that lets a user grant an application limited access to their account at another service without handing over their password. In practice it also underpins most "social login": the app relies on an identity provider such as Facebook or Google to vouch for who the user is, and the provider issues the app a token that it can present when calling the provider's APIs on the user's behalf.


This sign-in flow is most commonly found in websites and mobile apps that let users sign up with an existing Facebook, Google, or other social media account instead of creating a new password. Unfortunately, faulty implementations of the OAuth 2.0 sign-in flow can leave the information coming from the identity provider unvalidated by the app's own backend server: the server never checks that the access token is genuine, that signed ID tokens carry a valid signature, that the token was issued to this app rather than some other app, or that the user ID sent by the mobile client actually belongs to the user the token was issued for. An attacker who signs in with their own legitimate account can then swap the user ID in the client-to-server request for a victim's, and the app's server logs the attacker into the victim's account, exposing the victim's personal data.
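To make the flaw concrete, here is an added example (written for this page; it is not code from UpGuard or from the Black Hat EU 2016 researchers) of a minimal app backend that receives a "social login" request from a mobile client. The vulnerable handler does what the post describes: it accepts the user ID the client sent. The hardened handler derives the identity from the validated token and checks the token's audience. The identity provider's token-validation endpoint is simulated offline by a constructed lookup table (`IDP_TOKENS`), the app's client ID (`APP_CLIENT_ID`), the user records, and the request shape are all assumptions for the illustration.

```python
"""
Added example, not from the original post: a vulnerable social-login backend
handler beside its hardened form. Everything below is constructed sample data.

Assumptions:
  - The identity provider (IdP) offers a token-validation lookup; it is
    simulated here by IDP_TOKENS, keyed by access token.
  - APP_CLIENT_ID is the client ID this app registered with the IdP.
  - Mobile clients POST {"user_id": ..., "access_token": ...} to the backend.
"""
from typing import Optional

APP_CLIENT_ID = "app-client-123"  # assumption: this app's registered client ID

# Simulated IdP validation table (constructed). Each token maps to the subject
# it was issued for, the client it was issued to (audience), and whether it is
# still valid.
IDP_TOKENS = {
    "tok-attacker": {"sub": "attacker-uid", "aud": APP_CLIENT_ID, "active": True},
    "tok-victim-other-app": {"sub": "victim-uid", "aud": "some-other-app", "active": True},
    "tok-expired": {"sub": "victim-uid", "aud": APP_CLIENT_ID, "active": False},
}

# The app's own user records, keyed by the IdP subject (constructed).
APP_USERS = {
    "victim-uid": {"name": "Victim", "email": "victim@example.com"},
    "attacker-uid": {"name": "Attacker", "email": "attacker@example.com"},
}


def idp_validate(access_token: str) -> Optional[dict]:
    """Stand-in for a server-to-server call to the IdP's token-validation endpoint."""
    return IDP_TOKENS.get(access_token)


def vulnerable_login(request: dict) -> Optional[dict]:
    """The flawed pattern: the token is (at best) checked for validity, and the
    account is then chosen from the user_id the client supplied."""
    info = idp_validate(request["access_token"])
    if info is None or not info["active"]:
        return None
    # BUG: identity comes from a client-controlled field, not from the token.
    return APP_USERS.get(request["user_id"])


def hardened_login(request: dict) -> Optional[dict]:
    """The fixed pattern: identity is taken from the validated token, the token
    must have been issued to this app, and any client-claimed user ID must agree."""
    info = idp_validate(request["access_token"])
    if info is None or not info["active"]:
        return None
    if info["aud"] != APP_CLIENT_ID:
        return None  # token was issued to a different app; do not accept it
    if request.get("user_id") not in (None, info["sub"]):
        return None  # client's claimed identity disagrees with the token
    return APP_USERS.get(info["sub"])


def demo() -> dict:
    """Run the user-ID swap against both handlers and return the outcomes."""
    # Attacker signs in with their own valid token but swaps in the victim's ID.
    forged = {"user_id": "victim-uid", "access_token": "tok-attacker"}
    return {
        "vulnerable": vulnerable_login(forged),
        "hardened": hardened_login(forged),
        # A genuine victim token that was issued to some other app is also refused.
        "hardened_wrong_aud": hardened_login(
            {"user_id": "victim-uid", "access_token": "tok-victim-other-app"}),
        # An honest login still works.
        "hardened_legit": hardened_login(
            {"user_id": "attacker-uid", "access_token": "tok-attacker"}),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```

Running the script shows the vulnerable handler returning the victim's record for the attacker's token, while the hardened handler refuses the swapped ID, refuses a token minted for another app, and still accepts an honest login. The same rule applies whatever the provider: the backend must validate the token itself, confirm it was issued to this app, and take the user identity from that validated result rather than from anything the mobile client claims.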

The discovery was presented by security researchers at Black Hat EU 2016, who revealed that of the 600 top U.S. and Chinese Android apps using OAuth 2.0 sign-in APIs from Facebook, Google, and Sina (Weibo), 41.2 percent were vulnerable to the attack. App names were not disclosed for obvious reasons, but the list included many popular offerings that have been downloaded hundreds of millions of times: dating, chat, shopping, hotel booking, finance, music, travel, and news apps, among others.

By taking over a victim's account in one of these apps, an attacker can do whatever the app allows that user to do, from reading private data to placing phone calls and making purchases. OAuth exploits are not new, but the scale of this one's impact is unprecedented: the apps tested had been downloaded more than 2.4 billion times in total, so the vulnerable 41.2 percent account for over one billion app installs potentially at risk.

Reining in Third-Party Developer Risk

Security incidents involving third parties are on the rise: just last month, the Australian Red Cross Blood Service suffered a data breach due to its web development agency's flub, and Experian/T-Mobile, the BBC, and numerous others have also suffered at the hands of third-party data negligence. To safely integrate a web and/or mobile offering into your ecosystem, you should first evaluate what impact it could have on your cyber risk posture. Since most mobile apps are not developed in-house, this means evaluating third-party vendors for security fitness and cyber resilience.

UpGuard was designed to help you quantify and validate your organization's resilience in the presence of internal and external risks. The platform not only validates your software delivery pipeline for quality and security and monitors your entire environment for vulnerabilities; its CSTAR rating system also lets you know which third-party vendors are introducing exceedingly high levels of risk to your ecosystem. Get a comprehensive, single-pane-of-glass view into the state of your entire infrastructure today. It's free for up to 10 nodes.