OAuth is a standard created to offer simpler ways of accessing certain sites by taking advantage of credentials already stored with other services.
However, cybercriminals can already abuse OAuth to carry out increasingly sophisticated attacks, and will be increasingly able to do so, going beyond classic phishing to brute-force attacks and token theft.
How OAuth works
In practice, thanks to this authentication framework, a user can authenticate using credentials already stored with another application (think of the option many sites offer to sign in with Facebook credentials, for example). Token-based authentication keeps the user's session valid for as long as the token itself is valid; the token carries the user's data, i.e. their access credentials. This avoids repeatedly sending long-term credentials, in favour of temporary authentication permissions.
Born to allow access to specific data chosen by the user, this standard has developed further over time: it is now at version 2.0 and has evolved to support authentication services. Three parties take part in the flow of information: the website or application that requests access to the data, the user from whom access is requested, and the OAuth service provider, which controls access to the data.
Unfortunately, this framework is not free from vulnerabilities; on the contrary, cybercriminals use it to carry out successful attacks that rest precisely on the abuse of this standard. Among the main problems this framework presents is its high flexibility, which leaves ample room for design and configuration choices, in which unsafe practices can easily creep in. In fact, there are no built-in security options: security depends on how the framework is configured and on each individual implementation.
This means that inexperience makes mistakes easy. Furthermore, since different connection methods are possible, some sensitive data may also pass through the browser, where it can be intercepted by cybercriminals. Misconfiguration of the OAuth service can also allow attackers to steal the authorization codes or the token itself generated by the application, and thus gain access to the data.
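The following is an added example, not code from the article or from any OAuth provider. It simulates the three parties described above (client application, user, OAuth service provider) running the authorization-code flow, and it shows the checks that close the gaps the text describes: the `strict_redirect` switch contrasts exact matching of the registered `redirect_uri` with the loose prefix match that lets a code be sent somewhere it was never meant to go; the `state` check on the client and the single-use, client-bound, PKCE-verified code on the server limit what an intercepted code is worth. All client ids, URLs and the in-memory server are constructed for the example.

```python
"""Toy OAuth 2.0 authorization-code flow with the defensive checks (constructed example)."""
import base64
import hashlib
import secrets
from dataclasses import dataclass, field
from urllib.parse import parse_qs, urlsplit


def pkce_challenge(verifier: str) -> str:
    """S256 code challenge: base64url(sha256(verifier)) without padding."""
    digest = hashlib.sha256(verifier.encode()).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode()


@dataclass
class AuthorizationServer:
    """The OAuth service provider. `clients` maps client_id -> registered redirect URIs."""
    clients: dict
    strict_redirect: bool = True  # False reproduces the misconfiguration discussed in the text
    _codes: dict = field(default_factory=dict)   # code -> (client_id, redirect_uri, challenge)
    _tokens: dict = field(default_factory=dict)  # access token -> client_id

    def redirect_allowed(self, client_id: str, redirect_uri: str) -> bool:
        registered = self.clients.get(client_id, [])
        if self.strict_redirect:
            return redirect_uri in registered            # exact string match only
        # Weak configuration: any URI that merely starts with a registered one passes,
        # so the authorization code can be delivered to an unregistered location.
        return any(redirect_uri.startswith(r) for r in registered)

    def authorize(self, client_id: str, redirect_uri: str, state: str, code_challenge: str) -> str:
        """Called after the user has logged in and consented; returns the callback URL."""
        if not self.redirect_allowed(client_id, redirect_uri):
            raise PermissionError("redirect_uri is not registered for this client")
        code = secrets.token_urlsafe(24)
        # Bind the code to the client and redirect it was issued for, and to the PKCE challenge.
        self._codes[code] = (client_id, redirect_uri, code_challenge)
        return f"{redirect_uri}?code={code}&state={state}"

    def token(self, client_id: str, redirect_uri: str, code: str, code_verifier: str) -> str:
        entry = self._codes.pop(code, None)               # single use: a replayed code fails
        if entry is None:
            raise PermissionError("unknown or already used authorization code")
        bound_client, bound_redirect, challenge = entry
        if bound_client != client_id or bound_redirect != redirect_uri:
            raise PermissionError("code was issued to a different client or redirect_uri")
        if not secrets.compare_digest(pkce_challenge(code_verifier), challenge):
            raise PermissionError("PKCE verification failed")
        access_token = secrets.token_urlsafe(32)
        self._tokens[access_token] = client_id
        return access_token


class ClientApp:
    """The website or application that requests access to the user's data."""

    def __init__(self, client_id: str, redirect_uri: str, server: AuthorizationServer):
        self.client_id, self.redirect_uri, self.server = client_id, redirect_uri, server
        self.state = self.verifier = None

    def start_login(self) -> str:
        # Fresh per-login state (anti-CSRF) and PKCE verifier, kept only on the client.
        self.state = secrets.token_urlsafe(16)
        self.verifier = secrets.token_urlsafe(32)
        return self.server.authorize(self.client_id, self.redirect_uri,
                                     self.state, pkce_challenge(self.verifier))

    def finish_login(self, callback_url: str) -> str:
        """Handle the browser redirect back to us and exchange the code for a token."""
        query = parse_qs(urlsplit(callback_url).query)
        if query.get("state", [None])[0] != self.state:
            raise PermissionError("state mismatch: callback was not started by this session")
        return self.server.token(self.client_id, self.redirect_uri,
                                 query["code"][0], self.verifier)


if __name__ == "__main__":
    server = AuthorizationServer({"photo-app": ["https://photo.example/cb"]})
    app = ClientApp("photo-app", "https://photo.example/cb", server)
    callback = app.start_login()          # user authenticates at the provider
    print("access token issued:", app.finish_login(callback)[:8] + "...")
    print("unregistered redirect accepted (strict):",
          server.redirect_allowed("photo-app", "https://photo.example/cb/other"))
```

Running the module end to end issues a token for the registered client; flipping `strict_redirect` to `False` makes the unregistered URI pass the check, which is the configuration mistake the text warns about. The same module can be reused to test an implementation's handling of replayed codes and tampered `state` values.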
Trends for 2023
Experts predict growth in this type of attack. A recent Netskope report reveals that users in organizations have granted access to their data to over 400 third-party applications, and that a single organization has up to 12,300 data-access plugins. Fake third-party applications are in fact one of the scenarios expected to grow in the coming period, an evolution of classic e-mail phishing.