DEF CON 29 - Jenko Hwong - New Phishing Attacks Exploiting OAuth Authentication Flows - LIVE
About this talk
OAuth 2.0 device authorization gives users on limited-input devices like TVs an easier way to authenticate against and authorize a cloud website/app by entering a code on a computer/phone. This authentication and authorization flow leads to new phishing attacks that:

- do not need server infrastructure: the login page is served by the authorization provider using their domain and cert
- do not require a client application: application identities can be reused/spoofed
- do not require user consent of application permissions

Since the phishing attacks hijack OAuth session tokens, MFA will be ineffective, as the attacker does not need to reauthenticate. The ability to defend against these attacks is hindered by limited information and functionality to detect, mitigate, and prevent session token compromise.

I'll demonstrate these new phishing attacks, access to sensitive user data, and lateral movement. Defensive measures against these phishing attacks will be discussed, specifically the challenges in detection, mitigation, and prevention, and the overall lack of support for managing temporary credentials. Open-source tools have been developed and will be used to demonstrate how users can:

- self-phish their organizations using these techniques
- audit security settings that help prevent/mitigate the attacks