Summary

  • The way that OAuth works can leave it open to attack, even when the implementation is carried out correctly.
  • The fundamental issue is that users are sometimes asked to input their email address and password to the genuine application, and attackers can manipulate this to obtain access.
  • The attacker need only manipulate the redirect URL so that it points to their own resource, which is designed to look like it is part of the correct service.
  • In this instance, the attacker was able to take over the user's mailbox because they could intercept the code that the genuine service was using.
  • There are steps that can be taken to mitigate this risk, such as the use of universal logins or federated identities, but these require significant investment and are often not practical.
  • Additionally, developers should maintain a high level of alertness, validating all data that comes from untrusted sources and prioritizing the secure handling of redirect links.
  • Educating users about the dangers of following unknown links could also contribute to lowering the success rate of such attacks.
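As an added illustration of the "secure handling of redirect links" point (example code written for this summary, not taken from the original article), the snippet below contrasts a permissive origin-prefix check on the OAuth redirect URI with an exact-match check against the URIs a client registered; the client ID and URIs are constructed sample values.

```python
from urllib.parse import urlsplit

# Constructed sample data: the exact redirect URIs each client registered
# when it was onboarded (assumed values, not taken from the article).
REGISTERED_REDIRECTS = {
    "client-123": {"https://app.example/oauth/callback"},
}


def weak_redirect_check(client_id: str, redirect_uri: str) -> bool:
    """Origin-prefix match: a common shortcut that is too permissive.

    Any URI that merely starts with the registered scheme and host passes,
    so a lookalike host or a different path on the real host is accepted,
    and the browser (carrying the code) is sent wherever that URI points.
    """
    for registered in REGISTERED_REDIRECTS.get(client_id, ()):
        parts = urlsplit(registered)
        if redirect_uri.startswith(f"{parts.scheme}://{parts.hostname}"):
            return True
    return False


def _normalize(uri: str):
    """Reduce a URI to the components that must match exactly, or None."""
    parts = urlsplit(uri)
    # Plaintext HTTP, fragments and userinfo are never acceptable here.
    if parts.scheme != "https" or parts.fragment or parts.username:
        return None
    if not parts.hostname:
        return None
    return (parts.scheme, parts.hostname, parts.port, parts.path, parts.query)


def strict_redirect_check(client_id: str, redirect_uri: str) -> bool:
    """Exact match against the registered allowlist after normalization.

    This is the check the authorization server should run before it
    redirects the browser, and with it the code, anywhere at all.
    """
    candidate = _normalize(redirect_uri)
    if candidate is None:
        return False
    registered = REGISTERED_REDIRECTS.get(client_id, ())
    return any(candidate == _normalize(r) for r in registered)
```

Run the two checks side by side on a lookalike host such as `https://app.example.lookalike.test/oauth/callback`: the prefix check accepts it, the exact-match check does not.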

By Iski
