Proprietary + Confidential
OAuth Security: Challenges with “Undefined”
Naveen Agarwal & Breno de Medeiros, Identity @ Google
OAuth Security Workshop 2017: ETH Zurich
OAuth Spec
● Defined protocol
● Undefined:
○ e.g. developer registration, approval page, etc.
Protocol Challenges
● Already discussed a lot. Not the focus of this talk. e.g.
○ Dynamic registration
○ Safe code/token delivery on devices
○ App Auth
○ Session management
○ Token binding
○ Token revocation
Challenges with “Undefined”
● Developer registration,
● Approval Page
● Notification
● Usage
● User controls, Revocation
● Admin Controls
OAuth Life cycle
● Register: developer creates app
● Grant: user grants access
● Usage: app uses the token to get data
● Revoke: user revokes token
OAuth Challenges @ Google
● Several hundred scopes, APIs
● Different types of data
● Users with varied understanding of security
● Enterprises on Google
○ Users could grant access to malicious apps
○ Enterprise should be able to limit OAuth grants
The OAuth Phishing attack (What happened?)
Developer Registration
What is required for developer registration?
● Different info for different platforms (Web, Android, iOS, Windows)
● Developer Information
○ Domain ownership & verification (introduces friction)
● App Information (Logo, Name etc.)
○ What can be verified?
● Scopes
○ Part of the request or at registration
● Justification for the data?
● Privacy policy/ToS
Future
● More verification
● Justification required for sensitive data
● Manual review required
○ If exceeding certain threshold of users
● Learnings from Manual reviews
Consent Page/Grant
Approval page
● What metrics should you optimize?
○ Approval rate?
● Amount of info/data/txt on the page
○ Most users don’t read
● Controls on the page?
● Do users understand?
● Design -> Study -> Launch -> Data -> Repeat
Grant confusion
Files on my device?
Manage? Oh, I see, delete. Why does it want all these things?
Will it still work if I say no?
App, like app on my phone?
It says Google, so it’s safe.
Verified? Great, it won’t spam me.
Future
● Give user more guidance
○ Based on various signals
● Differentiated consent page
○ Account chip for just “sign-in”
○ Risk based e.g. Danger, warning, normal
● Quota/Limits
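The registration gate from the "Developer Registration" slides (verification, justification for sensitive data, manual review above a user threshold) and the risk-based consent page from the slide above (account chip for pure sign-in, otherwise a danger/warning/normal tier with guidance) both derive from the same signals, so one added example covers both. This is illustration written for this page, not Google's code: the scope names, the sensitivity table, the user threshold of 100, and the client records are assumptions. Quotas and limits are left to the token-usage example later on the page.

```python
# Added example, not from the talk: a risk-tiered developer-registration gate
# and consent-page selector built from the signals on the slides. The scope
# names, sensitivity table, user threshold and client records are assumptions.
from dataclasses import dataclass, field

# Assumed sensitivity class per scope; an unknown scope is treated as the worst
# class so that a misspelled request can never downgrade the risk tier.
SCOPE_SENSITIVITY = {
    "openid": "none", "email": "none", "profile": "none",
    "calendar.readonly": "sensitive", "contacts.readonly": "sensitive",
    "mail.readonly": "restricted", "mail.modify": "restricted", "drive": "restricted",
}
LEVELS = ["none", "sensitive", "restricted"]
SIGN_IN_SCOPES = {"openid", "email", "profile"}
MANUAL_REVIEW_USER_THRESHOLD = 100   # assumed "certain threshold of users"


def scope_level(scope):
    return SCOPE_SENSITIVITY.get(scope, "restricted")


@dataclass
class Client:
    client_id: str
    name: str
    domain_verified: bool          # developer proved ownership of the app's domain
    has_privacy_policy: bool
    scopes: list                   # scopes declared at registration
    justifications: dict = field(default_factory=dict)  # scope -> why the data is needed
    user_count: int = 0
    manual_review_passed: bool = False


def registration_status(c):
    """Gate the registration: returns (status, reasons). Only an 'approved'
    app gets a normal consent page for data scopes."""
    reasons = []
    if not c.domain_verified:
        reasons.append("domain ownership not verified")
    if not c.has_privacy_policy:
        reasons.append("no privacy policy / ToS")
    if reasons:
        return "blocked", reasons
    missing = [s for s in c.scopes
               if scope_level(s) != "none" and not c.justifications.get(s)]
    if missing:
        return "needs_justification", ["no justification for " + s for s in missing]
    needs_review = (any(scope_level(s) == "restricted" for s in c.scopes)
                    or c.user_count >= MANUAL_REVIEW_USER_THRESHOLD)
    if needs_review and not c.manual_review_passed:
        return "needs_manual_review", ["restricted scope or user count over threshold"]
    return "approved", []


def consent_page(c, requested_scopes):
    """Pick the consent UI for one authorization request: the lightweight
    'account_chip' for pure sign-in, otherwise a full page with a risk tier
    (normal / warning / danger) and one line of guidance for the user."""
    requested = set(requested_scopes)
    if requested <= SIGN_IN_SCOPES:
        return {"variant": "account_chip", "tier": "normal",
                "guidance": "Sign in with your account; the app only learns who you are."}
    status, _ = registration_status(c)
    unregistered = sorted(requested - set(c.scopes))   # scopes only in the request
    worst = max((scope_level(s) for s in requested), key=LEVELS.index)
    if status != "approved" or unregistered:
        tier, guidance = "danger", "This app has not been verified; grant access only if you trust it."
    elif worst == "restricted":
        tier, guidance = "warning", "This app will be able to read and change sensitive data."
    else:
        tier, guidance = "normal", "Review the data this app asks for before continuing."
    return {"variant": "full_consent", "tier": tier, "guidance": guidance,
            "registration": status, "unregistered_scopes": unregistered}


# Constructed clients (not real registrations): a verified calendar app and an
# unverified app with a first-party-sounding name that wants mail access.
VERIFIED_APP = Client("web-1", "Calendar Helper", True, True,
                      ["openid", "email", "calendar.readonly"],
                      {"calendar.readonly": "shows the user's next meeting"}, user_count=20)
UNVERIFIED_APP = Client("web-2", "Docs Helper", False, True,
                        ["openid", "email", "mail.modify"])

if __name__ == "__main__":
    print(registration_status(VERIFIED_APP))
    print(consent_page(VERIFIED_APP, ["openid", "email"])["variant"])
    print(consent_page(UNVERIFIED_APP, ["mail.modify"]))
```

Two design points worth noting: a scope that appears only in the request and not at registration is treated as a danger signal, since the slides note scopes can come from either place; and an unknown scope maps to the worst class, so the tiering fails closed.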
User Notification
Notify user
● Mitigation for hijacked user
● Sensitive data approval reminder
Usage of token
Token Usage
● What does the app actually do?
● Is the developer compromised?
● Monitor for abnormal behavior
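The three questions on this slide map to three checks over the platform's own usage log, and the "Quota/Limits" item from the consent slides fits the same data. The following is an added example written for this page, not Google's monitoring: the log line format, field names, client ids, baseline date, window size and grant quota are all assumptions, and the sample log is constructed.

```python
# Added example, not from the talk: three checks over a constructed token-usage
# log. The log format, field names, client ids, baseline date, window and quota
# are assumptions; a real platform would run these over its own audit stream.
import re
from collections import defaultdict
from datetime import datetime, timedelta

TS_FORMAT = "%Y-%m-%dT%H:%M:%SZ"
# Assumed format: one line per grant (scopes=a,b) or API call (scope=a).
LINE_RE = re.compile(
    r"^(?P<ts>\S+) client=(?P<client>\S+) user=(?P<user>\S+) "
    r"event=(?P<event>grant|api) scopes?=(?P<scopes>\S+)$")


def parse_log(lines):
    """Parse lines into (ts, client, user, event, scopes) tuples; malformed lines are skipped."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m.group("ts"), TS_FORMAT)
        events.append((ts, m.group("client"), m.group("user"), m.group("event"),
                       frozenset(m.group("scopes").split(","))))
    return events


def unused_granted_scopes(events, ignore=frozenset({"openid", "email", "profile"})):
    """'What does the app actually do?': data scopes users granted that the app never called."""
    granted, used = defaultdict(set), defaultdict(set)
    for _, client, _, event, scopes in events:
        (granted if event == "grant" else used)[client] |= scopes
    result = {}
    for client in granted:
        unused = granted[client] - used[client] - ignore
        if unused:
            result[client] = sorted(unused)
    return result


def scope_drift(events, baseline_end):
    """'Is the developer compromised?': scopes an app starts calling after its
    baseline period although it never called them before. baseline_end is a
    timestamp string in TS_FORMAT."""
    cutoff = datetime.strptime(baseline_end, TS_FORMAT)
    before, after = defaultdict(set), defaultdict(set)
    for ts, client, _, event, scopes in events:
        if event == "api":
            (before if ts < cutoff else after)[client] |= scopes
    return {c: sorted(after[c] - before[c]) for c in after
            if c in before and after[c] - before[c]}


def grant_velocity(events, window_seconds=3600, quota=50):
    """Enforce a limit: peak number of new grants an app collected inside any
    sliding window. A worm-style app collects grants far faster than a normal launch."""
    window = timedelta(seconds=window_seconds)
    times = defaultdict(list)
    for ts, client, _, event, _ in events:
        if event == "grant":
            times[client].append(ts)
    over_quota = {}
    for client, ts_list in times.items():
        ts_list.sort()
        start, peak = 0, 0
        for end, t in enumerate(ts_list):
            while t - ts_list[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak > quota:
            over_quota[client] = peak
    return over_quota


# Constructed sample log (not real traffic): app-1 is granted contacts access
# but only ever reads email, until one day it starts pulling contacts;
# app-2 collects 60 mail grants within ten minutes.
SAMPLE_LOG = [
    "2017-06-01T09:00:00Z client=app-1 user=alice event=grant scopes=openid,email,contacts.readonly",
    "2017-06-01T09:00:05Z client=app-1 user=alice event=api scope=email",
    "2017-06-02T09:00:00Z client=app-1 user=bob event=grant scopes=openid,email,contacts.readonly",
    "2017-06-02T09:00:05Z client=app-1 user=bob event=api scope=email",
    "2017-06-20T14:00:00Z client=app-1 user=alice event=api scope=contacts.readonly",
    "2017-06-20T14:00:01Z client=app-1 user=bob event=api scope=contacts.readonly",
    "malformed line that the parser must skip",
] + [
    "2017-06-21T10:%02d:%02dZ client=app-2 user=u%d event=grant scopes=openid,email,mail.modify"
    % (i // 6, (i % 6) * 10, i) for i in range(60)
]

if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    print(unused_granted_scopes(events))
    print(scope_drift(events, "2017-06-15T00:00:00Z"))
    print(grant_velocity(events))
```

Run over the sample, the first check reports app-2 holding `mail.modify` it never exercised, the second reports app-1 starting to call `contacts.readonly` after its baseline, and the third reports app-2 exceeding the grant quota. Any one of these is a reason to pause the app and re-examine the developer before more users are affected.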
Revocation
Token revocation
● Remove inactive apps
● Discovery of token revocation page
● Give more info
○ App activity
● Highlight risky apps
● Guide the user with decision
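The life-cycle slide (register, grant, usage, revoke) and the revocation slide above are served by one added example: a minimal grant store that walks the four stages and then produces the information this slide asks for, namely per-app activity, idle time, and a highlight for risky grants. The store keeps only SHA-256 hashes of issued tokens. This is example code written for this page, not Google's implementation; the scope names, the set of sensitive scopes, the 180-day idle limit, and the demo data are assumptions.

```python
# Added example, not from the talk: a minimal grant store that walks the
# register -> grant -> use -> revoke life cycle and produces the data a
# revocation page needs. Tokens are kept only as SHA-256 hashes. Scope names,
# the idle limit and the demo data are assumptions.
import hashlib
import secrets
from dataclasses import dataclass, field
from datetime import datetime, timedelta

SENSITIVE_SCOPES = {"mail.readonly", "mail.modify", "drive", "contacts.readonly"}  # assumed


def _key(token):
    return hashlib.sha256(token.encode()).hexdigest()


@dataclass
class Grant:
    client_id: str
    user: str
    scopes: frozenset
    granted_at: datetime
    last_used: datetime = None
    used_scopes: set = field(default_factory=set)
    revoked: bool = False


class GrantStore:
    def __init__(self):
        self.clients = {}   # client_id -> {"name": ..., "verified": ...}
        self.grants = {}    # sha256(token) -> Grant

    def register_client(self, client_id, name, verified):
        """Register: the developer creates the app."""
        self.clients[client_id] = {"name": name, "verified": verified}

    def grant(self, client_id, user, scopes, now):
        """Grant: the user approves; a bearer token is minted and only its hash stored."""
        if client_id not in self.clients:
            raise KeyError("unknown client " + client_id)
        token = secrets.token_urlsafe(32)
        self.grants[_key(token)] = Grant(client_id, user, frozenset(scopes), now)
        return token

    def use(self, token, scope, now):
        """Usage: the resource server checks the token on every call and records activity."""
        g = self.grants.get(_key(token))
        if g is None or g.revoked or scope not in g.scopes:
            return False
        g.last_used = now
        g.used_scopes.add(scope)
        return True

    def revoke(self, token):
        """Revoke: the grant is ended and the token fails from now on."""
        g = self.grants.get(_key(token))
        if g is None:
            return False
        g.revoked = True
        return True

    def revocation_page(self, user, now):
        """Rows for the user's 'apps with access' page, riskiest first: an app holding
        sensitive scopes it never used, or an unverified app with them, is highlighted."""
        rows = []
        for g in self.grants.values():
            if g.user != user or g.revoked:
                continue
            client = self.clients[g.client_id]
            last = g.last_used or g.granted_at
            sensitive = SENSITIVE_SCOPES & g.scopes
            unused_sensitive = sorted(sensitive - g.used_scopes)
            rows.append({"app": client["name"], "verified": client["verified"],
                         "scopes": sorted(g.scopes), "last_activity": last.isoformat(),
                         "idle_days": (now - last).days,
                         "unused_sensitive_scopes": unused_sensitive,
                         "highlight": bool(unused_sensitive) or (bool(sensitive) and not client["verified"])})
        rows.sort(key=lambda r: (not r["highlight"], -r["idle_days"]))
        return rows

    def revoke_inactive(self, now, max_idle_days=180):
        """Platform-side cleanup: revoke grants idle longer than max_idle_days."""
        removed = []
        for g in self.grants.values():
            last = g.last_used or g.granted_at
            if not g.revoked and now - last > timedelta(days=max_idle_days):
                g.revoked = True
                removed.append((g.user, g.client_id))
        return removed


def demo():
    """Walk the life cycle on constructed data and return the observable results."""
    store = GrantStore()
    store.register_client("calendar-helper", "Calendar Helper", verified=True)
    store.register_client("docs-helper", "Docs Helper", verified=False)
    t0 = datetime(2017, 1, 1)
    cal = store.grant("calendar-helper", "alice", ["openid", "calendar.readonly"], t0)
    docs = store.grant("docs-helper", "alice", ["openid", "email", "mail.modify"], t0 + timedelta(days=10))
    store.use(cal, "calendar.readonly", t0 + timedelta(days=1))
    store.use(docs, "email", t0 + timedelta(days=10))
    now = t0 + timedelta(days=200)
    return {"page": store.revocation_page("alice", now),
            "bad_token": store.use("not-a-token", "email", now),
            "wrong_scope": store.use(cal, "mail.modify", now),
            "cleanup": store.revoke_inactive(now),
            "after_cleanup": store.use(cal, "calendar.readonly", now)}
```

In the demo the unverified app that holds `mail.modify` but only ever read the user's e-mail address sorts to the top of the page, which is the "highlight risky apps" behaviour the slide asks for; both grants are then swept by the inactivity cleanup and the old tokens stop working.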
Admin Controls
Give G Suite admins more controls
● Recent Launch
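The slides give no detail of the launched controls, but the requirement stated earlier on the page, that an enterprise should be able to limit the OAuth grants its users make, is concrete enough to model. The following is an added example written for this page, not Google's admin console: the policy fields (trusted and blocked apps, scope patterns reserved for trusted apps, whether unlisted apps need admin approval) and the sample organization data are assumptions.

```python
# Added example, not from the talk: an enterprise-side policy that limits which
# OAuth grants users of a domain may make, evaluated both at grant time and
# retroactively over existing grants. Policy fields and sample data are assumptions.
from dataclasses import dataclass
from fnmatch import fnmatch


@dataclass(frozen=True)
class OrgPolicy:
    trusted_clients: frozenset = frozenset()   # admin-approved apps: always allowed
    blocked_clients: frozenset = frozenset()   # admin-blocked apps: never allowed
    restricted_scopes: tuple = ()              # glob patterns only trusted apps may receive
    allow_unlisted_apps: bool = True           # False: every other app needs admin approval


def evaluate_grant(policy, client_id, requested_scopes):
    """Decide an authorization request made by a user of the organization.
    Returns (decision, reason); decision is allow / deny / needs_admin_approval."""
    if client_id in policy.blocked_clients:
        return "deny", "app blocked by administrator"
    if client_id in policy.trusted_clients:
        return "allow", "app trusted by administrator"
    hits = [s for s in requested_scopes
            if any(fnmatch(s, pat) for pat in policy.restricted_scopes)]
    if hits:
        return "deny", "restricted scopes for an untrusted app: " + ", ".join(sorted(hits))
    if not policy.allow_unlisted_apps:
        return "needs_admin_approval", "app not on the organization's allowlist"
    return "allow", "no policy restriction applies"


def noncompliant_grants(policy, grants):
    """Re-check existing grants after a policy change and return those an admin
    should revoke. grants: iterable of (user, client_id, scopes)."""
    to_revoke = []
    for user, client_id, scopes in grants:
        decision, reason = evaluate_grant(policy, client_id, scopes)
        if decision != "allow":
            to_revoke.append((user, client_id, reason))
    return to_revoke


# Constructed policy and grants (not a real organization).
POLICY = OrgPolicy(
    trusted_clients=frozenset({"crm-connector"}),
    blocked_clients=frozenset({"docs-helper"}),
    restricted_scopes=("mail.*", "drive"),
    allow_unlisted_apps=True,
)
EXISTING_GRANTS = [
    ("alice", "crm-connector", ["openid", "email", "mail.readonly"]),
    ("bob", "docs-helper", ["openid", "email", "mail.modify"]),
    ("carol", "calendar-widget", ["openid", "calendar.readonly"]),
    ("dave", "backup-tool", ["drive"]),
]

if __name__ == "__main__":
    for row in noncompliant_grants(POLICY, EXISTING_GRANTS):
        print(row)
```

The retroactive check matters in practice: a user who granted mail access to a malicious app before the admin blocked it still holds a live token, so tightening the policy has to trigger revocation of existing grants, not only refusal of new ones.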
Summary
● OAuth Abuse has arrived
● Verify info about the app and developer
● Guide user through the consent process
● Notify user
● Monitor activity
● Enforce Limits/Quotas
● Give users information and controls on revocation
● Build admin controls
Questions?
https://plus.google.com/+NaveenAgarwal