OAuth Hijacking leads to account takeover


In the name of God, the Most Gracious, the Most Merciful

Hello everyone,

Hope you’re all doing well. Today we’re going to talk about OAuth hijacking in the Google One Tap Sign-In feature and how to find it. To start, let’s understand OAuth and Google One Tap Sign-In.

“You can ignore the grammar mistakes”

OAuth is an open-standard authorization protocol or framework that gives applications “secure designated access.” For example, you can tell Facebook that it’s OK for benzac.com to access your profile or post updates to your timeline without having to give Benzac your Facebook password. OAuth can also be used for authentication; for example, to log into your application using a social sign-in feature (Google, Facebook, Microsoft).

Google One Tap is a new feature that allows users to create an account or log in to the website with a single click. It is also known as YOLO (You Only Login Once).

The login widget appears as a popup and prompts users to sign in or sign up with their existing Google account.

Yes, this is the thing you’re always afraid to click on.

A JavaScript library is included on your website. HTML or JavaScript is used to customize the look and feel of the personalized button and, with One Tap, to control the automatic sign-in and sign-out behaviors.

Users who are signing in for the first time are prompted for consent to share their Google Account profile information. After they give consent, a JSON Web Token (JWT) credential containing the user’s name, email, and profile picture is delivered to a callback handler.

Now you can use the ID token to create a new account on your platform or allow the verified user to continue using your site.

Source: https://www.loginradius.com/blog/identity/google-one-tap-login/

On the server side, how does the developer handle the ID token in order to determine whether it belongs to a person who is already registered in the application?

First, what is inside the ID token payload?

{
"iss": "https://accounts.google.com",
"azp": "1234987819200.apps.googleusercontent.com",
"aud": "1234987819200.apps.googleusercontent.com",
"sub": "10769150350006150715113082367",
"at_hash": "HK6E_P6Dh8Y93mRNtsDB1Q",
"hd": "example.com",
"email": "abushadad@example.com",
"email_verified": "true",
"iat": 1353601026,
"exp": 1353604926,
"nonce": "0394852-3190485-2490358"
}
iss (issuer): Issuer of the JWT (Google)
sub (subject): Subject of the JWT (the user)
aud (audience): Recipient for which the JWT is intended (The Client)
exp (expiration time): Time after which the JWT expires
iat (issued at time): Time at which the JWT was issued; can be used to determine age of the JWT
jti (JWT ID): Unique identifier; can be used to prevent the JWT from being replayed (allows a token to be used only once)

Now, Validation of an ID token in the back-end requires several steps:

1. Verify that the ID token is properly signed by the issuer.
2. Verify that the value of the iss claim in the ID token is equal to https://accounts.google.com or accounts.google.com.
3. Verify that the value of the aud claim in the ID token is equal to your app's client ID.
4. Verify that the expiry time (exp claim) of the ID token has not passed.
5. The last step is to check whether this user already has an account in the application. This is done through one of the following values: the sub claim or the email claim. If the “email” value or the “sub” value is linked to an account in the application, a session or JWT is returned in the response, according to the authentication mechanism the application uses. If not, the application calls the registration feature to create an account based on the “email” claim.

In Python, the server-side verification looks like this:

from google.oauth2 import id_token
from google.auth.transport import requests

# token: the ID token string received from the One Tap callback handler.
# CLIENT_ID: the OAuth client ID of the app that accesses the backend.
try:
    # Verifies the signature, issuer, expiry, and that aud == CLIENT_ID.
    idinfo = id_token.verify_oauth2_token(token, requests.Request(), CLIENT_ID)

    # ID token is valid. Get the user's Google Account email from the decoded token.
    userid = idinfo['email']
except ValueError:
    # Invalid token (bad signature, wrong issuer, wrong audience, or expired)
    pass

But, what if the developer doesn’t check the value of the audience for any reason?

In this case, an ID token issued to any other client can be used to log in to, or create a new account in, the target application; it does not have to have been issued for the client ID that belongs to the application we are using. The only requirements are that the ID token was signed by Google and has not yet passed its expiration date!
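As an added example (not the post’s own code), the claim checks from the validation steps above written out so that the audience check can be switched off, which reproduces the weak backend just described. The payload is a constructed sample modelled on the one shown earlier, signature verification is assumed to have already succeeded, and the account lookup from the last step is modelled as a set of known sub values.

```python
import time

GOOGLE_ISSUERS = {"https://accounts.google.com", "accounts.google.com"}

# Constructed sample payload modelled on the one shown above; assumes the
# JWT signature has already been verified against Google's public keys.
SAMPLE_PAYLOAD = {
    "iss": "https://accounts.google.com",
    "aud": "1234987819200.apps.googleusercontent.com",
    "sub": "10769150350006150715113082367",
    "email": "abushadad@example.com",
    "email_verified": "true",
    "iat": 1353601026,
    "exp": 1353604926,
}


def validate_id_token_claims(payload, client_id, now=None, check_audience=True):
    """Return (ok, reason). ok is True only when every required check passes.

    check_audience=False reproduces the weak backend described in the post:
    a Google-signed, unexpired token minted for *any* client is accepted.
    """
    now = int(time.time()) if now is None else now
    if payload.get("iss") not in GOOGLE_ISSUERS:
        return False, "iss is not Google"
    if check_audience and payload.get("aud") != client_id:
        return False, "aud does not match our client ID"
    exp = payload.get("exp")
    if not isinstance(exp, int) or exp <= now:
        return False, "token expired or exp missing"
    # Google may send email_verified as a bool or as the string "true".
    if str(payload.get("email_verified", "false")).lower() != "true":
        return False, "email not verified by Google"
    return True, "ok"


def login_decision(payload, client_id, registered_subs, now=None, check_audience=True):
    """Step 5: map a validated token to 'login' (sub already known) or 'register'."""
    ok, reason = validate_id_token_claims(payload, client_id, now, check_audience)
    if not ok:
        return "reject", reason
    return ("login" if payload["sub"] in registered_subs else "register"), "ok"
```

With the audience check disabled, a token whose aud is a different client ID passes every remaining check, which is exactly the condition the rest of the post exploits.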
