This Simple Hack Can Hijack More Than 1 Billion Android App Accounts
A group of researchers from Hong Kong has found a way to take over accounts in a large number of mobile apps with very little effort. Taken together, they say, the affected applications have been downloaded more than 1 billion times.
Ronghai Yang, Wing Cheong Lau, and Tianyu Liu of the Chinese University of Hong Kong examined the 600 most popular US and Chinese Android applications. Of those, 182 applications (roughly 30 percent) supported single sign-on, and about 41 percent of those SSO-enabled apps turned out to be vulnerable.
The issues the researchers found concern OAuth 2.0. For those unfamiliar with it, OAuth 2.0 is the authorization framework (with OpenID Connect layered on top for login) that lets users sign in to third-party apps with their Google or Facebook accounts.
In a typical OAuth-based login, the user authenticates to the identity provider (Google, Facebook and so on), which then issues an access token, and with OpenID Connect a signed ID token, to the app. The app's backend is supposed to validate that token with the provider before it trusts the identity it carries; only then should it create a session for the user under their Google or Facebook identity.
However, the researchers found that in a multitude of Android apps the developers did not properly check the validity of the information relayed from the identity provider through the client. The mistakes included failing to verify the signature on the authentication information retrieved from Google and Facebook, according to Forbes. Often the app server only checked the user ID forwarded by the mobile app, so anyone who could modify their own app's traffic could substitute a victim's ID and be logged in as that user.
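The difference between the broken pattern and a correct one, as an added example that is not the researchers' code and not any real provider's API: the "identity provider" below is a stand-in that issues HS256-signed, JWT-shaped ID tokens under a constructed key so the script runs offline (Google and Facebook sign with keys you fetch from their published endpoints, but the backend-side checks are the same). `IDP_ISSUER`, `IDP_SIGNING_KEY`, `APP_CLIENT_ID`, the `ACCOUNTS` table and the two user IDs are all assumptions made up for the demo.

```python
"""Vulnerable vs hardened handling of an OAuth/OIDC sign-in on an app backend.

Added example, not the researchers' code and not any real provider's API.
The "identity provider" is a stand-in that issues HS256-signed, JWT-shaped
ID tokens under a constructed key so the script runs offline.
"""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

IDP_ISSUER = "https://idp.example"          # assumption: toy IdP name
IDP_SIGNING_KEY = b"constructed-idp-key"    # assumption: stand-in for the IdP's real key
APP_CLIENT_ID = "com.example.app"           # assumption: our app's client_id at the IdP

# Constructed account table: IdP subject ("sub") -> local username.
ACCOUNTS = {"idp-uid-1001": "alice", "idp-uid-2002": "bob"}


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def idp_issue_token(sub: str, aud: str, ttl: int = 3600) -> str:
    """What the IdP hands back once the user has authenticated to it."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    claims = {"iss": IDP_ISSUER, "sub": sub, "aud": aud, "exp": int(time.time()) + ttl}
    payload = b64url(json.dumps(claims).encode())
    sig = hmac.new(IDP_SIGNING_KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"


def vulnerable_login(request: dict) -> Optional[str]:
    """The pattern the researchers describe: the server trusts the provider
    user ID the mobile client forwards and never checks a signature. Anyone
    who can edit their own app's traffic can name a victim's ID here."""
    return ACCOUNTS.get(request.get("provider_uid"))


def verify_id_token(token: str, now: Optional[float] = None) -> dict:
    """Backend validation: alg, signature, issuer, audience, expiry.
    Raises ValueError on any failure so callers cannot half-accept a token."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(unb64url(header_b64))
    if header.get("alg") != "HS256":              # never let the token pick the algorithm
        raise ValueError("unexpected alg")
    expected = hmac.new(IDP_SIGNING_KEY, f"{header_b64}.{payload_b64}".encode(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, unb64url(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(unb64url(payload_b64))
    if claims.get("iss") != IDP_ISSUER:
        raise ValueError("wrong issuer")
    if claims.get("aud") != APP_CLIENT_ID:        # token minted for some other app
        raise ValueError("wrong audience")
    if claims.get("exp", 0) <= (time.time() if now is None else now):
        raise ValueError("expired")
    return claims


def hardened_login(request: dict) -> Optional[str]:
    """Derive identity only from the verified token; a client-supplied
    provider_uid is ignored entirely."""
    try:
        claims = verify_id_token(request.get("id_token", ""))
    except ValueError:          # covers malformed base64/JSON and every check above
        return None
    return ACCOUNTS.get(claims["sub"])


def forge_subject(token: str, new_sub: str) -> str:
    """What an attacker can do without the IdP key: rewrite the payload and
    keep the old signature, which then no longer matches."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    claims = json.loads(unb64url(payload_b64))
    claims["sub"] = new_sub
    return f"{header_b64}.{b64url(json.dumps(claims).encode())}.{sig_b64}"


if __name__ == "__main__":
    bob_token = idp_issue_token("idp-uid-2002", APP_CLIENT_ID)
    # Attacker (bob) forwards alice's provider ID alongside his own valid token.
    attack = {"provider_uid": "idp-uid-1001", "id_token": bob_token}
    print("vulnerable:", vulnerable_login(attack))                       # alice
    print("hardened  :", hardened_login(attack))                         # bob
    print("forged    :", hardened_login({"id_token": forge_subject(bob_token, "idp-uid-1001")}))  # None
```

The vulnerable handler is exactly the shape the article describes: the backend receives a user ID and looks it up. The hardened handler never reads `provider_uid` at all; the only identity it accepts is the `sub` claim of a token whose signature, issuer, audience and expiry it has checked itself. With a real provider you would replace the HMAC check with signature verification against the provider's published keys (or a call to its token-verification endpoint), and the audience check is what stops a token legitimately issued to some other app from being replayed against yours.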
Wing Cheong Lau, one of the researchers, said that even though the mistake is pretty basic, the impact could be severe. "The OAuth protocol is quite complicated," he told Forbes. "A lot of third party developers are ma and pa shops, they don't have the capability. Most of the time they're using Google and Facebook recommendations, but if they don't do it correctly, their apps will be wide open."