As if you needed another reason not to ever use SSO to your Google account for anything (mbin.grits.dev)
from mozz@mbin.grits.dev to netsec@lemmy.world on 17 Jan 2024 14:26
https://mbin.grits.dev/m/netsec@lemmy.world/t/9776

For some reason this only just now occurred to me: What’s to stop some web site from carefully crafting an imitation of the Google “you need to sign in again” UI, storing your Google password, and storing from the other side the auth cookie from Google, so that it can then poke around through 100% of your Google content including any other site you’ve signed into with the same SSO login?

This is such a fundamental flaw in the whole concept that it’s obviously occurred to people and they’ve had time to come up with something to prevent it, but I can’t see how you could prevent it. Have I missed something? You might have a non-Google URL in the address bar during the faked sign-in, or you could use varying degrees of deception to attempt to make the address bar look legit, but I’d honestly be surprised if more than 20% of people even check the address bar every time they sign in to SSO. I don’t.

So what’s to make this not work?

#netsec

threaded - newest

mspencer712@programming.dev on 17 Jan 2024 15:01 next collapse

My account uses 2FA and my browser remembers my password. If I get a sign in prompt but my browser doesn’t / won’t auto fill my password, I assume it knows something I don’t and I’m immediately suspicious.

Your scenario is absolutely valid and would probably catch a lot of people who don’t think about security.

taladar@sh.itjust.works on 17 Jan 2024 15:04 next collapse

This is why it is a bad idea that the Google (and other major) SSO use a bazillion domains and redirect you around so much. You can’t really rely on the user knowing the URL of the sign-in system that way.

Kyrgizion@lemmy.world on 17 Jan 2024 15:13 next collapse

I only once got a real security notice from Google and this was several years ago, before Covid even. It simply stated that a (correct) login attempt was made, but from an IP address in China, and Google blocked this by default because it was “suspicious”.

I changed all my passwords and have never had a problem since, but I agree with your scenario. There’s ample stories of people even having 2FA set up and still getting locked out from their own accounts, although I suspect the grand majority of these cases are through social engineering rather than actual hacking.

slazer2au@lemmy.world on 17 Jan 2024 15:13 next collapse

That’s not how it works.

When you use SSO to auth the website never sees your account credentials.

The site: Google, here are my SAML codes can you auth this person. Google: cool those SAML codes are correct, hey user what are your Google auth details?
User: here you go Google.
Google: sweet, those are valid. hey site here is a token specifically for you for this user.
Site: welcome user.

At no point does your Google password hit the site and the tokens for other services will not work with a random webapp.

mozz@mbin.grits.dev on 17 Jan 2024 15:17 collapse

That's not how it works if the website serves you the genuine Oauth code.

If the website serves you a malicious imitation of the genuine Oauth code, which is crafted to make that exactly how it works, then that is in fact exactly how it works.

taladar@sh.itjust.works on 17 Jan 2024 15:31 collapse

Your best defence against this is to use a password manager since that will not just hand your Google credentials to the fake site.

RedditWanderer@lemmy.world on 17 Jan 2024 19:33 next collapse

Companies will include an image of your choosing when you enter your credentials to know it’s really the host, and that can’t be faked really. Obviously people don’t notice and a fake website is often enough, but there is a mechanism.

mozz@mbin.grits.dev on 17 Jan 2024 19:40 collapse

  1. Google Oauth currently doesn't do that
  2. We're doing man-in-the-middle under my proposed scenario anyway (we have to, to defeat 2FA and get a real Oauth token.) It's trivial to show the user the Google-provided image of the user's choosing.
BradleyUffner@lemmy.world on 18 Jan 2024 02:33 collapse

If this were an actual flaw, it would completely break all of OAuth everywhere. How likely do you think it is that the entire security industry, and all hackers everywhere, would have overlooked something like this?

mozz@mbin.grits.dev on 18 Jan 2024 02:36 collapse

Can I set up a web site and ask you to go do your Google SSO on it? I promise it's legit

BradleyUffner@lemmy.world on 18 Jan 2024 02:54 collapse

I’ll take a look at your site, I’m curious to see what it looks like, but I’m not entering any real credentials.

mozz@mbin.grits.dev on 18 Jan 2024 02:58 collapse

I thought you were extremely confident that what I was describing wouldn't work though 🙂

BradleyUffner@lemmy.world on 18 Jan 2024 03:10 collapse

I’m confident there will be some sign that it’s a forged OAuth prompt rather than Google’s prompt, and I’m not entering credentials into an obviously fake prompt.

mozz@mbin.grits.dev on 18 Jan 2024 03:29 collapse

Well, that's lucky, because I don't want to sign up for OAuth tokens with Google and then immediately start doing something nefarious with them just to prove a point. 🙂

I looked around a little though, and I was able to find an example of this technique being used for real maliciously "in the wild." My envisioning of it was somewhat different (overriding or obfuscating the URL bar in a real window showing malicious HTML, as opposed to constructing an entire fake window), but the principle's pretty much exactly the same.

I also learned that Google's response, after some not-real-similar attacks which also exploited doing nasty things with real OAuth vendor credentials, was to tighten up a lot on their security on who can have OAuth vendor credentials (which sounds like a pretty sensible approach to me.)