Exploiting OpenID for Account Takeover
Written by Eldar Zavida on
Introduction
While Clear Gate was conducting a penetration test on a web application, a critical finding was discovered that allowed taking over any user account by exploiting a misconfiguration in the application's OpenID Connect (OIDC) authentication flow.
In this article, we are going to discuss the purpose of OpenID as a security mechanism and how we managed to take advantage of one of its misconfigurations. Moreover, we will provide a suitable remediation plan that explains how to avoid such attack vectors.
What is OpenID Connect?
OpenID Connect (OIDC), an open authentication protocol built on top of the OAuth 2.0 framework, simplifies authentication by allowing users to use a single set of credentials across different services. Its focus is on achieving “Single Sign-On” (SSO) functionality facilitated by a third-party Identity Provider (IDP) that verifies the user’s identity. Once authenticated, the same credentials grant access to various OpenID-supported sites, eliminating the need for repetitive logins. Many major platforms, including Google, Microsoft, and Facebook, embrace OIDC, offering developers a standardized method to integrate SSO, ultimately enhancing security and user convenience.
How we Exploited OpenID to Take Over Accounts
During the penetration test, we noticed that the system's registration mechanism supports OpenID Connect, with Google as the identity provider. When a registration is performed, sensitive information about the newly created user is returned in the server's response, including the email address, phone number, and, most importantly, the user's Google account identifier.
We then used OSINT (Open-Source Intelligence) tools to collect Gmail addresses from publicly available sources and checked whether they were registered in the system. By changing the email parameter value in the request demonstrated below to the address of an existing Google account in the system, we were able to retrieve the corresponding Google IDs.
While examining the system's authentication mechanism (which also uses OpenID Connect) and logging in via the Google identity provider, we noticed an id parameter passed within the request that represents the identifier of the connected Google account.
This discovery, and the one found earlier in the registration mechanism, instantly made us change the login request’s id parameter value to the Google ID fetched in the previous enumeration phase.
As a result, we received a valid session token in return, meaning that we gained unauthorized access to the targeted account without completing the OpenID authentication process. This shows that the system did not implement OpenID Connect correctly: it identified the user solely by the Google account ID instead of validating the token received from Google after a successful authentication.
Mitigation
If you have encountered any of the above scenarios, follow the instructions below, provided by Clear Gate, for immediate mitigation and to prevent further account takeover attacks:
- Do not pass the account's Google ID in the registration and login endpoints. Instead, use the token retrieved from Google during the OpenID authentication to identify the user. Make sure to apply this approach to all other identity providers, such as Facebook, Microsoft, etc.
- Do not return excessive information about the user, such as their Google identifier, full name, and phone number, in the server's response.
Conclusion
As the use of OpenID in web applications continues to grow, it offers convenience for users by simplifying their authentication across various platforms. However, developers’ poor implementation of this technology opens doors for potential vulnerabilities that can compromise user data and privacy. It is crucial for developers to prioritize robust security measures and adhere to best practices when implementing OpenID to mitigate the risk of such attacks and ensure the safety of their users’ information.
Organizations should prioritize cyber security risk assessments and penetration tests to mitigate risks in OpenID Connect deployments, which have become increasingly popular among companies developing SaaS products. Clear Gate, a trusted cybersecurity provider, offers in-depth manual penetration tests to help organizations strengthen their OpenID Connect security and protect valuable data from potential threats.