Discover how an increasingly popular authentication process, OAuth, can be exploited by hackers to wreak havoc on applications and access sensitive data.
What Is OAuth?
OAuth is a widely used framework that allows applications to share access to assets. It lets unrelated services and servers grant access without sharing the original login credential. It’s often referred to as secure, third-party, user-agent delegated authentication.
OAuth lets you access a resource, such as the password-protected sections of a website. Once access is granted it remains in place until revoked, even if passwords are reset or two-factor authentication settings change.
It’s the technology that allows you to log in to a website or an app using Facebook or Google credentials. Instead of creating and using a password for, say, ESPN.com, you can log in using your Facebook account. Facebook, Google, Microsoft and Amazon are among those that use OAuth to allow access to other platforms as well as their own.
OAuth does not share password data across sites, but it does share the authorization tokens to confirm your identity.
What Is the OAuth Phishing Attack?
The OAuth tactic is unlike those used in traditional phishing attacks. By targeting the authorization tokens, hackers can essentially act as the compromised account holder on any platform where the victim uses OAuth.
A hacker can create a simple app and link to it from an email message. When users click the link in the phishing email, they can inadvertently grant that app access via the OAuth protocol.
“These techniques have been observed in sophisticated attacks in the past but are becoming easier to execute and are gaining in popularity,” notes a recent article.
What Can Attackers Do if a Phishing Attack Is Successful?
A successful phishing attack lets a hacker do any number of things, depending on the resource to which access was granted. For example, if access is granted to your Microsoft Office or Office 365 account, a hacker could:
Data that is accessed, reviewed or stolen can have severe consequences, as can malicious macros and mailbox rules that make it difficult or impossible to use these common office productivity apps.
What Can Be Done to Defend Against a Phishing Attack?
More platforms are using OAuth to make it easier for customers or users to access information. That proliferation of uses means more opportunities for hackers, so the number of OAuth phishing attacks is likely to grow.
The best defense against OAuth and other phishing attacks is awareness. Employees and other users need to be aware of the risks and potential outcomes of a phishing attack.
That means training and simulations that help users look for the telltale signs of a phishing attack, such as poor grammar and spelling or the use of an unusual email address. Explaining how OAuth phishing attacks work also raises awareness and encourages users to take a skeptical approach to providing credentials or approving an access request if something doesn’t feel right.
Your organization should also make it easier for employees to submit any suspect email messages that they believe are a phishing attempt.
Some other recommendations are:
To reduce the likelihood and impact of an OAuth phishing attack, be sure to work with your managed IT services provider to ensure that training, anti-phishing solutions and monitoring are in place for your entire network.
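One form the monitoring mentioned above can take is a review of new OAuth consent grants, flagging apps from unverified publishers that ask for broad, long-lived permissions, since such grants survive password resets until they are revoked. The script below is an added example, not part of this article or any vendor product; the JSON-line log format and the sample records are constructed, and the scope names are the permission names used by Microsoft 365 apps.

```python
import json

# Permissions that let an app read or act on mail and files for as long as
# the grant exists, regardless of later password or MFA changes (assumed list).
HIGH_RISK_SCOPES = {
    "Mail.Read", "Mail.ReadWrite", "Mail.Send", "MailboxSettings.ReadWrite",
    "Files.Read.All", "Files.ReadWrite.All", "Contacts.Read", "offline_access",
}

# Constructed sample consent-grant records in a hypothetical JSON-lines format.
SAMPLE_LOG = """\
{"ts":"2024-03-01T09:12:00Z","user":"alice@example.com","app":"Calendar Sync","app_id":"a1","publisher_verified":true,"scopes":["Calendars.Read","User.Read"]}
{"ts":"2024-03-01T09:15:30Z","user":"bob@example.com","app":"Office 365 Document Viewer","app_id":"b2","publisher_verified":false,"scopes":["Mail.ReadWrite","Files.ReadWrite.All","offline_access","User.Read"]}
{"ts":"2024-03-01T09:16:05Z","user":"carol@example.com","app":"Office 365 Document Viewer","app_id":"b2","publisher_verified":false,"scopes":["Mail.ReadWrite","Files.ReadWrite.All","offline_access","User.Read"]}
{"ts":"2024-02-20T14:00:00Z","user":"dave@example.com","app":"Expense Tool","app_id":"c3","publisher_verified":true,"scopes":["offline_access","User.Read"]}
"""

def score_grant(rec):
    """Return (score, reasons) for one consent grant; higher means more suspicious."""
    score, reasons = 0, []
    risky = sorted(HIGH_RISK_SCOPES & set(rec["scopes"]))
    if risky:
        score += 2 * len(risky)
        reasons.append("high-risk scopes: " + ", ".join(risky))
    if not rec["publisher_verified"]:
        score += 3
        reasons.append("unverified publisher")
    if "offline_access" in rec["scopes"]:
        # A refresh token keeps working until the grant itself is revoked.
        reasons.append("access persists until the grant is revoked")
    return score, reasons

def triage(log_text, threshold=5):
    """Parse JSON-line consent records and return grants scoring at or above
    the threshold, grouped by app so a burst of consents to one app stands out."""
    by_app = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        score, reasons = score_grant(rec)
        if score >= threshold:
            entry = by_app.setdefault(
                rec["app_id"], {"app": rec["app"], "users": [], "score": score, "reasons": reasons})
            entry["users"].append(rec["user"])
    return by_app

if __name__ == "__main__":
    for app_id, hit in triage(SAMPLE_LOG).items():
        print(app_id, hit["app"], hit["score"], hit["users"], hit["reasons"])
```

Flagged apps are candidates for revoking the grant and reviewing the affected users, not proof of compromise on their own.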