PayPal proffers patch for OAuth app hack hole

PayPal has patched a redirect_uri validation flaw in its OAuth authorisation server that let an attacker craft a phishing link to capture the OAuth token issued to any of its payment apps, and with it gain access to the victim's account.

Adobe software engineer and OAuth wonk Antonio Sanso discovered the token request flaw after messing with redirect URLs.

He found that the authorisation server handling OAuth token requests for apps registered through PayPal's developer Dashboard could be tricked into accepting a redirect_uri whose hostname begins with localhost as the destination to which tokens are sent.

Sanso demonstrated the flaw by altering requests made by PayPal's OAuth demonstration app, whose registered redirect_uri is https://demo.paypal.com/loginsuccessful:

https://www.paypal.com/signin/authorize?client_id=AdcKahCXxhLAuoIeOotpvizsVOX5k2A0VZGHxZnQHoo1Ap9ChOV0XqPdZXQt&response_type=code&scope=openid%20profile%20email%20address%20phone%20https://uri.paypal.com/services/paypalattributes%20https://uri.paypal.com/services/paypalattributes/business%20https://uri.paypal.com/services/expresscheckout&redirect_uri=https://demo.paypal.com/loginsuccessful&nonce=&newUI=Y

He then created a DNS entry for a host he controlled, localhost.intothesymmetry.com, to capture the redirected requests, and substituted it for the registered redirect_uri:

https://www.paypal.com/signin/authorize?client_id=AdcKahCXxhLAuoIeOotpvizsVOX5k2A0VZGHxZnQHoo1Ap9ChOV0XqPdZXQt&response_type=code&scope=openid%20profile%20email%20address%20phone%20https://uri.paypal.com/services/paypalattributes%20https://uri.paypal.com/services/paypalattributes/business%20https://uri.paypal.com/services/expresscheckout&redirect_uri=http://localhost.intothesymmetry.com/&nonce=&newUI=Y

“So it really looks like that even if Paypal did actually perform exact matching validation, localhost was a magic word and it overrode the validation completely,” Sanso says.

PayPal squashed the bug earlier this month, after initially deciding in September that it was not a vulnerability.

In 2014 Sanso reported similar redirect_uri bugs to Facebook that could likewise be used to steal OAuth access tokens.

He says developers using OAuth must register full, exact redirect_uri addresses, with no second-stage redirects, to protect their apps.
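The check at the heart of this story, as an added example that is not PayPal's code or Sanso's: a small authorisation-server redirect_uri validator in Python. weak_is_allowed() reconstructs the behaviour the article describes (exact matching that a hostname beginning with localhost bypasses); PayPal's real implementation is not public, so the prefix rule is an assumption. strict_is_allowed() is the exact-match check the article recommends, with an optional loopback exception for native apps modelled on RFC 8252 section 7.3 that compares the parsed host for equality rather than by prefix. The registered redirect_uri and the authorize-request shape are taken from the article; CLIENT_ID, the loopback registry and the helper names are constructed for the example.

```python
"""Redirect URI validation for an OAuth authorisation server (added example)."""
from __future__ import annotations

from urllib.parse import parse_qs, quote, urlencode, urlsplit

# The demo app's registered redirect_uri, as given in the article.
REGISTERED = frozenset({"https://demo.paypal.com/loginsuccessful"})

# Authorisation endpoint and the demo app's other parameters, from the article.
AUTHORIZE = "https://www.paypal.com/signin/authorize"
SCOPE = ("openid profile email address phone "
         "https://uri.paypal.com/services/paypalattributes "
         "https://uri.paypal.com/services/paypalattributes/business "
         "https://uri.paypal.com/services/expresscheckout")

# Hosts a loopback exception may accept; compared for equality, never by prefix.
LOOPBACK_HOSTS = frozenset({"localhost", "127.0.0.1", "::1"})


def build_authorize_url(client_id: str, redirect_uri: str) -> str:
    """Constructed /authorize request in the shape shown in the article."""
    params = {"client_id": client_id, "response_type": "code", "scope": SCOPE,
              "redirect_uri": redirect_uri, "nonce": "", "newUI": "Y"}
    return AUTHORIZE + "?" + urlencode(params, quote_via=quote)


def redirect_uri_from_authorize_url(url: str) -> str:
    """Extract redirect_uri from an /authorize request; '' if absent or repeated."""
    values = parse_qs(urlsplit(url).query, keep_blank_values=True).get("redirect_uri", [])
    return values[0] if len(values) == 1 else ""


def weak_is_allowed(redirect_uri: str, registered: frozenset = REGISTERED) -> bool:
    """Flawed check (assumed reconstruction): exact match, plus a developer
    convenience that lets 'localhost' through, implemented as a hostname
    prefix test.  The prefix test is the bug."""
    if redirect_uri in registered:
        return True
    host = urlsplit(redirect_uri).hostname or ""
    return host.startswith("localhost")   # also true for localhost.intothesymmetry.com


def strict_is_allowed(redirect_uri: str, registered: frozenset = REGISTERED,
                      allow_loopback: bool = False) -> bool:
    """Fixed check: exact string comparison against the registration.

    The optional loopback branch (hypothetical policy, not something the
    article describes) follows RFC 8252 section 7.3: only the port may vary,
    the host must equal a fixed loopback name, and loopback entries are
    assumed to be registered without a port, e.g. http://127.0.0.1/cb."""
    if redirect_uri in registered:
        return True
    if not allow_loopback:
        return False
    p = urlsplit(redirect_uri)
    if p.scheme != "http" or p.username or p.password or p.fragment:
        return False
    if p.hostname not in LOOPBACK_HOSTS:
        return False
    return f"http://{p.hostname}{p.path or '/'}" in registered


if __name__ == "__main__":
    for target in ("https://demo.paypal.com/loginsuccessful",
                   "http://localhost.intothesymmetry.com/"):
        uri = redirect_uri_from_authorize_url(build_authorize_url("CLIENT_ID", target))
        print(f"{uri}: weak={weak_is_allowed(uri)} strict={strict_is_allowed(uri)}")
```

The attacker's value passes the weak check only because its host starts with the string localhost; the strict check rejects it even with the loopback exception enabled, because localhost.intothesymmetry.com is not equal to any loopback host. Parsing with urlsplit before comparing the host also defeats userinfo tricks such as http://localhost@attacker.example/, where the real host is whatever follows the @.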


Source: The Register – Security @ November 29, 2016 at 10:36PM
