This presentation was recorded at GOTO Chicago 2020. #GOTOcon #GOTOchgo http://gotochgo.com

Aaron Parecki - Senior Security Architect at Okta @aaronpk

ABSTRACT
OAuth is the foundation of most modern online security, used everywhere from signing in to mobile apps to protecting your bank accounts. Despite its ubiquity, it is still often difficult to implement safely and securely, especially in today's landscape, which is dramatically different from the world of online security as it existed when OAuth was initially created. This talk explores several real-world OAuth hacks that affected major providers like Twitter, Facebook and Google. I'll share the details of how each specific attack happened, as well as [...]

TIMECODES
00:00 Intro
00:40 What is OAuth?
03:06 How does OAuth work?
05:52 The hacks
07:48 PKCE - Proof Key for Code Exchange
09:18 JWT - JSON Web Token
11:34 Attack on Google OAuth
14:56 Attack on Facebook's access tokens
18:01 Outro

Download slides and read the full abstract here: https://gotochgo.com/2020/sessions/1441/how-to-hack-oauth

RECOMMENDED BOOKS
Aaron Parecki • OAuth 2.0 Simplified • https://amzn.to/2A3IMOf
Aaron Parecki • OAuth 2.0 Servers • https://amzn.to/3ecHEsz
Aaron Parecki • The Little Book of OAuth 2.0 RFCs • https://amzn.to/3i7qnlC
Erdal Ozkaya • Cybersecurity: The Beginner's Guide • https://amzn.to/2T6OIj3
Richer & Sanso • OAuth 2 in Action • https://amzn.to/3hXiAH6
Wilson & Hingnikar • Demystifying OAuth 2.0, OpenID Connect, and SAML 2.0 • https://amzn.to/2U8iLY2

https://twitter.com/GOTOcon
https://www.linkedin.com/company/goto-
https://www.facebook.com/GOTOConferences