PayPal Fixes OAuth Token Leaking Vulnerability

PayPal fastened a topic that can have allowed an attacker to hijack OAuth tokens related to any PayPal OAuth software.
The vulnerability was once publicly disclosed on Monday via Antonio Sanso, a senior device engineer at Adobe, after he got here throughout the problem whilst trying out his personal OAuth shopper. For its phase, PayPal remedied the vulnerability about three weeks in the past.
The OAuth flaw, in keeping with Sanso, stemmed from the token request and acquisition procedure. For starters, PayPal permits builders to create and edit their very own apps via its developer software dashboard. After growing them, builders can sign up the ones apps and acquire an get entry to token for them via sending a request to the corporate, which acts an authorization server. That  PayPal server may well be overridden alternatively, Sanso discovered.
In step with Sanso, the vulnerability stems from an error PayPal made when it applied the OAuth. Builders with the corporate had set it as much as settle for localhost, the usual hostname given to the native laptop a program is working, as redirect_url, the cope with utilized by OAuth suppliers to ship get entry to tokens, by the use of browser redirect.
After making a DNS access on his personal web site that mimicked localhost – http://localhost[.]intothesymmetry[.]com – Sanso discovered he may just ship a request to PayPal the use of that URL because the redirect_uri. It in the end overrode the validation stipulated via PayPal and returned a PayPal OAuth shopper token.
Sanso stressed out to Threatpost that because it was once common, the trick can have labored for any PayPal OAuth shopper. Prior to the problem was once fastened, he claims, he may just’ve made an OAuth request the use of his redirect_uri and the client_id of any software to get an app’s authorization token despatched to his server.
PayPal started using stricter redirect exams across the verification of the redirect_uri parameter in 2017 and makes use of precise matching to validate requests; however Sanso was once nonetheless in a position to trick it together with his personal localhost subdomain. On this case ‘localhost’ was once nearly like a “magic phrase,” Sanso stated.
He advised Threatpost that what an attacker would be capable to do with the get entry to tokens would rely in large part at the scope of the get entry to token and the OAuth glide.
Sanso, who lives in Switzerland and co-authored a e book on OAuth 2.0 closing yr, found out the problem again in September however it took some prodding to get the problem resolved. Following a from side to side with the corporate – and radio silence for the month of October – PayPal knowledgeable Sanso on November 7 that it had fastened the problem.

Your whole Paypal #OAuth tokens belong to me – localhost for the win –
— Antonio Sanso (@asanso) November 28, 2017

The corporate didn’t in an instant go back a request for touch upon Monday, however in keeping with Sanso builders there fastened the problem via making it so the “PayPal Authorization Server now not overrides the right kind validation they’d in position.”
The best way Sanso bypassed PayPal’s redirect_uri validations is very similar to how Egor Homakov, a Russian researcher who went directly to discovered the pen trying out company Sakurity, hacked GitHub in 2017. Via a chain of OAuth insects, Homakov discovered he may just bypass validations in GitHub with a trail traversal assault. Homakov discovered that each and every time he asked an authorization token, the supplier spoke back with a legitimate access_token. Every other trojan horse he discovered may just permit an attacker to hijack authorization code used for the redirect_uri. GitHub’s trojan horse bounty program was once in its infancy on the time, however it fastened the ones insects and awarded Homakov with $4,000 for uncovering the vulnerabilities.
Fb has patched problems that hinged on how the web site used OAuth over time as smartly. In 2017 it fastened a topic that Sanso additionally found out that allowed for bypass and stemmed from the wrong validation of redirect_uri no longer validating appropriately.
Fb patched a identical trojan horse in 2017, dug up via Nir Goldshlager that trusted tricking sufferers into following a hyperlink. Goldshlager changed the URL string Fb used for OAuth to get customers to navigate to his personal web site and cause an get entry to token he saved there.
Researchers with the College of Hong Kong highlighted an uncongenial flaw in OAuth 2.0 previous this month at Black Hat Europe. A trio of lecturers stated on the convention that deficient OAuth implementations which permit for Fb and Google unmarried sign-on capability can result in account hijacking in one billion cellular apps.