Bypassing Strong Authentication... With Passwords?!
Adam Goodman
akgood@duosecurity.com
Passwords13 - 2013-07-31
duosecurity.com
1
0. Kill The Password?
1. Bypassing Google’s 2-Factor Authentication
Google’s 2-Step Verification
What About Non-Web-Based Logins?
Thick-Client Protocols
‣ IMAP
‣ CalDAV
‣ XMPP
‣ ...
Google Software (Interim Solution)
‣ Android
‣ Chrome
Application-Specific Passwords
‣ 16 lowercase letters
‣ Randomly-Generated by Google
‣ Individually Revokable
‣ Not intended to be memorized
sounds a bit like...
ASPs vs. OAuth Tokens
‣ ASPs have to be generated manually
‣ ASPs aren’t actually Application-Specific!
Not-So-Application-Specific
“Another weakness of ASP is the misimpression that it provides application-limited rather than full-scope account access.”
- Authentication at Scale, appearing in IEEE S&P Magazine vol. 11, no. 1
Detour: Android Auto-Login
Also:
‣ Chromebooks
‣ Desktop versions of Chrome (if enabled in chrome://flags)
‣ ...?
Detour: Android Auto-Login
Worked even for the most sensitive parts of https://accounts.google.com:
‣ 2FA settings: https://accounts.google.com/b/0/SmsAuthConfig?hl=en
‣ Account-Recovery Settings: https://accounts.google.com/b/0/UpdateAccountRecoveryOptions?hl=en&service=oz
So...
‣ ASPs can link an Android device, and
‣ With auto-login, Android devices could - with no additional authentication - take over your account completely!
Let’s Figure Out How This Works...
Android HTTPS Interception, v1
‣ Real Device (Google Nexus S) with a custom default gateway
‣ Linux Desktop, running sslsniff
‣ http://www.thoughtcrime.org/software/sslsniff/
‣ Custom CA certificate
Let’s Figure Out How This Works...
Android HTTPS Interception, v2
‣ Android Emulator
‣ $ emulator -http-proxy localhost:8080 @avd_name
‣ Burp Suite Proxy
‣ http://portswigger.net/burp/
‣ Custom CA certificate
Basic Workflow
‣ POST to https://android.clients.google.com/auth
‣ Send Email, EncryptedPasswd, service=ac2dm
‣ Receive “Token”
‣ POST to https://android.clients.google.com/auth
‣ Send Email, Token, service=urlquote(“weblogin:continue=https://accounts.google.com/ManageAccount”)
‣ Receive “MergeSession” URL
‣ Open the MergeSession URL; get instantly logged into your account!
Step 1
POST /auth HTTP/1.1
Host: android.clients.google.com
...
accountType=HOSTED_OR_GOOGLE&Email=akgood%40arbsec.org&has_permission=1&add_account=1&EncryptedPasswd=AFcb4...&service=ac2dm&source=android&androidId=3281f33679ccc6c6&device_country=us&operatorCountry=us&lang=en&sdk_version=17
Step 1
HTTP/1.1 200 OK
...
SID=DQAAANwAAAVMG4uYt2HaF...
Auth=DQAAAOAAAACRbLC5-dgM...
services=goanna_mobile,apps,...
Email=akgood@arbsec.org
Token=1/fXrv8D3fLP1mOBj3o1...
GooglePlusUpgrade=1
firstName=Adam
lastName=Goodman
Step 1: EncryptedPasswd?
POST /auth HTTP/1.1
Host: android.clients.google.com
...
accountType=HOSTED_OR_GOOGLE&Email=akgood%40arbsec.org&has_permission=1&add_account=1&Passwd=xxxxxxxxxxxxxxxx&service=ac2dm&source=android&androidId=3281f33679ccc6c6&device_country=us&operatorCountry=us&lang=en&sdk_version=17
Step 2
POST /auth HTTP/1.1
Host: android.clients.google.com
...
accountType=HOSTED_OR_GOOGLE&Email=akgood%40arbsec.org&has_permission=1&Token=1%2FfXrv8D3fLP1mOBj3o1...&service=weblogin%3Acontinue%3Dhttps%253A%252F%252Faccounts.google.com%252FManageAccount&source=android&androidId=3281f33679ccc6c6&app=com.android.browser&client_sig=61ed377e85d386a8dfee6b864bd85b0bfaa5af81&device_country=us&operatorCountry=us&lang=en&sdk_version=17
Step 2
HTTP/1.1 200 OK
...
Auth=https://accounts.google.com/MergeSession?args=continue%3Dhttps%253A%252F%252Faccounts.google.com%252FManageAccount&uberauth=AP...&source=AndroidWebLogin
Expiry=0
Simplified Workflow
‣ POST to https://android.clients.google.com/auth
‣ Send Email, Passwd, service=urlquote(“weblogin:continue=https://accounts.google.com/ManageAccount”)
‣ Receive “MergeSession” URL
Go from Application-Specific Password to full account takeover with one API call!
Timeline
‣ 2012/07/16: Duo researchers confirm presence of ASP weakness.
‣ 2012/07/18: Issue reported to security@google.com.
‣ 2012/07/20: Communication with Google Security Team clarifying the issue.
‣ 2012/07/24: Issue is confirmed and deemed “expected behavior” by Google Security Team.
‣ 2013/02/21: Fix is pushed by Google to prevent ASP-initiated sessions from accessing sensitive account interfaces.
‣ 2013/02/25: Public disclosure by Duo.
Google’s Fix
‣ Sensitive account-settings pages are no longer accessible via auto-login (you must enter username/password/OTP)
‣ ~Nothing else has changed
Multiple Discovery
‣ http://grkvlt.blogspot.co.uk/2012/08/google-tfa-security-issue.html
‣ http://connect.ncircle.com/ncircle/attachments/ncircle/VERTBlog/173/1/CraigYoung_BSidesSlides-2SV.pdf
Evaluation
2-step Verification Still Helps...
‣ Phishing
‣ Password-sharing between services (with insecure password databases)
... But ASPs Can Be Stolen
HTTPS Man-In-The-Middle
‣ Thick-client applications are notoriously bad at checking SSL certificates: https://crypto.stanford.edu/~dabo/pubs/abstracts/ssl-client-bugs.html
Malware can grab stored passwords...
‣ Windows: Data Protection API
‣ Encrypts data using a key derived from the user’s logon credential
‣ Any process running under the same user account can decrypt any DPAPI-protected data
‣ OS X: Keychain
‣ Stronger: per-application permissions
Plaintext...
Case Study: Pidgin
‣ Plain-Text Passwords!
‣ https://developer.pidgin.im/wiki/PlainTextPasswords
‣ GTalk / “Hangouts” - (probably) low impact if compromised
‣ If we were storing a credential that only had access to your GTalk account, then storing it in plaintext might be ~OK
‣ GMail - (probably) high impact if compromised
‣ ... all of your other accounts on the internet?!
Not Just Application-Specific Passwords
‣ Chrome on Windows / Mac / Linux has the same “auto-login” functionality
‣ ... but it’s using OAuth2 now!
Workflow
‣ POST to https://accounts.google.com/o/oauth2/token
‣ send refresh_token, client_id, client_secret (the latter two are hardcoded into Chrome)
‣ receive access_token
‣ GET to https://accounts.google.com/OAuthLogin?source=ChromiumBrowser&issueuberauth=1
‣ send access_token in Authorization header
‣ get “uberauth” token back
‣ Use “uberauth” token to construct a MergeSession URL
How Is The Refresh Token Stored?
from (e.g.) ~/Library/Application Support/Google/Chrome/Default/Preferences:
...
"oauth2LoginRefreshToken": {
  "status": "Successful",
  "value": "1/0209_TGZzDyfxwozFV..."
}
...
OAuth2 Won’t (automagically) Save You
Unexpected threat models:
‣ Access to your tabs/bookmarks/history/etc. vs access to your entire Google account!
2. Passing The Hash In Windows Networks... Even When Passwords Are “Disabled”
(borrowing in part from http://www.foofus.net/~hinge/presos/insidious-implicit-windows-trust-relationships.pdf)
Local vs Domain Logins
‣ Local
‣ Password hashes are stored on your workstation
‣ Domain
‣ Password hashes stored on the Domain Controller
‣ Your workstation will cache them, sometimes
‣ Both Local and Domain accounts can be administrators on your workstation
[Diagram: three workstations, an other server, and a domain controller]
Authentication In Windows Networks
‣ NTLM Authentication
‣ Kerberos
‣ ...
NTLM Authentication
‣ Challenge-Handshake Protocol
‣ Uses NTLM Hash of user’s password, not the password itself!
‣ One-way hash function
‣ No salting, no PBKDF2 ...
‣ Extremely pervasive in Windows ecosystems
‣ RPCs
‣ SMB mounts
‣ ...
Pass-The-Hash
NTLM Authentication only requires the NTLM Hash!
‣ Gain local admin rights on a single workstation (somehow...)
‣ Extract NTLM Hashes
‣ Use them to compromise other machines in the network!
[Diagram: workstations, domain controller, and other server]
What About Smart-Cards?
Public/Private Key-pair and Certificate stored on cryptographic hardware
‣ Private Key can “never” be extracted
‣ Authenticate by asking the smartcard to digitally-sign a value
(basically, Challenge-Handshake)
‣ Windows can do Certificate-based user authentication
Sounds much better, right?
What About Smart-Cards?
“In order to support NTLM authentication [MS-NLMP] for applications connecting to network services that do not support Kerberos authentication, when PKCA is used, the KDC returns the user's NTLM one-way function (OWF) in the privilege attribute certificate (PAC) PAC_CREDENTIAL_INFO buffer ([MS-PAC] section 2.6.1).”
- [MS-PKCA]: Public Key Cryptography for Initial Authentication (PKINIT) in Kerberos Protocol
http://msdn.microsoft.com/en-us/library/cc238455.aspx
Evaluation
Smart-cards still can help...
‣ Weak Passwords
‣ Shared Passwords between accounts / systems
But Pass-The-Hash attacks can still be a threat!
3. Some Conclusions
Real-world ecosystems tend to have multiple, distinct authentication scenarios...
... passwords (or similar stored-secret authentication methods) are likely to continue to exist in some scenarios ...
...in each scenario, we must carefully balance privileges with trust
Authentication Scenarios and Trust
Rights
‣ What is the maximum set of permissions that should be granted to a user?
Integrity Level
‣ How strongly has a user / client authenticated?
4. Amazon Web Services: Identity and Access Management (IAM)
Identity And Access Management (IAM)
‣ A single AWS account can have multiple users
‣ Flexible Rights-Expression Language, based on:
‣ Resources (e.g. EC2 Instances, DNS zones, ...)
‣ Actions (e.g. start instance, stop instance, ...)
‣ Other session context (e.g. client IP address, SSL usage, whether 2FA was used, ...)
IAM Policy Example
{
  "Version": "2012-10-17",
  "Statement": [{
    "Action": ["ec2:StopInstances", "ec2:TerminateInstances"],
    "Effect": "Deny",
    "Resource": ["*"],
    "Condition": {
      "Null": {"aws:MultiFactorAuthAge": "true"}
    }
  }]
}
Deny specific actions if a user didn’t use 2-factor authentication
2-Factor Authentication for API Clients
Amazon Secure Token Service
‣ Provide API credentials and a one-time-passcode to a specific endpoint
‣ Get a new set of temporary credentials back
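Added example, not AWS code: a minimal evaluator for the Deny statement on the policy slide, implementing only IAM's `Null` condition operator, run against two constructed request contexts. One models a long-term access key, which never carries `aws:MultiFactorAuthAge`; the other models the temporary credentials the STS endpoint hands back after a valid one-time passcode, which carry that key as the seconds since the MFA check. The account id and instance id are placeholders.

```python
import fnmatch

# The policy from the slide, with the "Statement" key quoted so it is valid JSON.
DENY_WITHOUT_MFA = {
    "Version": "2012-10-17",
    "Statement": [{
        "Action": ["ec2:StopInstances", "ec2:TerminateInstances"],
        "Effect": "Deny",
        "Resource": ["*"],
        "Condition": {
            "Null": {"aws:MultiFactorAuthAge": "true"}
        }
    }]
}


def _any_match(patterns, value: str) -> bool:
    """IAM-style wildcard matching ('*' and '?') for Action and Resource."""
    if isinstance(patterns, str):
        patterns = [patterns]
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)


def _condition_holds(condition: dict, context: dict) -> bool:
    """Only the Null operator is modelled. "Null": {key: "true"} is satisfied when
    the key is absent from the request context, "false" when it is present."""
    for operator, pairs in condition.items():
        if operator != "Null":
            raise NotImplementedError(f"condition operator {operator} not modelled")
        for key, expected in pairs.items():
            want_absent = str(expected).lower() == "true"
            if (key not in context) != want_absent:
                return False
    return True


def explicit_deny(policy: dict, action: str, resource: str, context: dict) -> bool:
    """True if any Deny statement matches the request. An explicit Deny overrides
    every Allow, so a real evaluator checks this before looking at Allows."""
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Deny":
            continue
        if not _any_match(stmt["Action"], action):
            continue
        if not _any_match(stmt["Resource"], resource):
            continue
        if _condition_holds(stmt.get("Condition", {}), context):
            return True
    return False


# Constructed request contexts (placeholder IP, account id and instance id).
LONG_TERM_KEY_CONTEXT = {"aws:SourceIp": "203.0.113.10"}
MFA_SESSION_CONTEXT = {"aws:SourceIp": "203.0.113.10", "aws:MultiFactorAuthAge": "120"}
INSTANCE = "arn:aws:ec2:us-east-1:111122223333:instance/i-0example"

if __name__ == "__main__":
    for ctx_name, ctx in (("long-term key", LONG_TERM_KEY_CONTEXT), ("MFA session", MFA_SESSION_CONTEXT)):
        for action in ("ec2:TerminateInstances", "ec2:DescribeInstances"):
            print(ctx_name, action, "denied:", explicit_deny(DENY_WITHOUT_MFA, action, INSTANCE, ctx))
```

The `Null` operator is the part people misread: `"true"` means "the key does not exist", so the statement denies the destructive actions for any caller whose credentials never went through an MFA check, and leaves read-only actions untouched.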
Evaluation
AWS gives you all the tools to build strong, flexible authorization policies...
... but you have to actually build them!
AWS is intended for developers (and other savvy types)
Questions?

Security exploits of Google application specific passwords & Chrome’s OAuth2 tokens

  • 1. Bypassing Strong Authentication... With Passwords?! Adam Goodman akgood@duosecurity.com Passwords13 - 2013-07-31 duosecurity.com 1
  • 2. 0. Kill The Password? duosecurity.com 2
  • 6. 1. Bypassing Google’s 2-Factor Authentication duosecurity.com 6
  • 11. What About Non-Web-Based Logins? Thick-Client Protocols ‣ IMAP ‣ CalDAV ‣ XMPP ‣ ... Google Software (Interim Solution) ‣ Android ‣ Chrome duosecurity.com 11
  • 13. Application-Specific Passwords ‣ 16 lowercase letters ‣ Randomly-Generated by Google ‣ Individually Revokable ‣ Not intended to be memorized sounds a bit like... duosecurity.com 13
  • 14. ASPs vs. OAuth Tokens ‣ ASPs have to be generated manually ‣ ASPs aren’t actually Application-Specific! duosecurity.com 14
  • 15. Not-So-Application-Specific “Another weakness of ASP is the misimpression that is provides application-limited rather than full-scope account access.” - Authentication at Scale, appearing in IEEE S&P Magazine vol. 11, no. 1 duosecurity.com 15
  • 16. Detour: Android Auto-Login Also: ‣ Chromebooks ‣ Desktop versions of Chrome (if enabled in chrome://flags) ‣ ...? duosecurity.com 16
  • 17. Detour: Android Auto-Login Worked even for the most sensitive parts of https://accounts.google.com: ‣ 2FA settings: https://accounts.google.com/b/0/SmsAuthConfig?hl=en ‣ Account-Recovery Settings: https://accounts.google.com/b/0/ UpdateAccountRecoveryOptions?hl=en&service=oz duosecurity.com 17
  • 18. So... ‣ ASPs can link an Android device, and ‣ With auto-login, Android devices could - with no additional authentication - take over your account completely! duosecurity.com 18
  • 19. Let’s Figure Out How This Works... Android HTTPS Interception, v1 ‣ Real Device (Google Nexus S) with a custom default gateway ‣ Linux Desktop, running sslsniff ‣ http://www.thoughtcrime.org/software/sslsniff/ ‣ Custom CA certificate duosecurity.com 19
  • 20. Let’s Figure Out How This Works... Android HTTPS Interception, v2 ‣ Android Emulator ‣ $ emulator -http-proxy localhost:8080 @avd_name ‣ Burp Suite Proxy ‣ http://portswigger.net/burp/ ‣ Custom CA certificate duosecurity.com 20
  • 22. Basic Workflow ‣ POST to https://android.clients.google.com/auth ‣ Send Email, EncryptedPasswd, service=ac2dm ‣ Receive “Token” ‣ POST to https://android.clients.google.com/auth ‣ Send Email, Token, service=urlquote(“weblogin:continue=https://accounts.google.com/ ManageAccount”) ‣ Receive “MergeSession” URL ‣ Open the MergeSession URL; get instantly logged into your account! duosecurity.com 22
  • 23. Step 1 POST /auth HTTP/1.1 Host: android.clients.google.com ... accountType=HOSTED_OR_GOOGLE&Email=akgood %40arbsec.org&has_permission=1&add_account=1&EncryptedPa sswd=AFcb4...&service=ac2dm&source=android&androidId=328 1f33679ccc6c6&device_country=us&operatorCountry=us&lang=e n&sdk_version=17 duosecurity.com 23
• 24. Step 1
HTTP/1.1 200 OK
...
SID=DQAAANwAAAVMG4uYt2HaF...
Auth=DQAAAOAAAACRbLC5-dgM...
services=goanna_mobile,apps,...
Email=akgood@arbsec.org
Token=1/fXrv8D3fLP1mOBj3o1...
GooglePlusUpgrade=1
firstName=Adam
lastName=Goodman
• 25. Step 1: EncryptedPasswd?
POST /auth HTTP/1.1
Host: android.clients.google.com
...
accountType=HOSTED_OR_GOOGLE&Email=akgood%40arbsec.org&has_permission=1&add_account=1&Passwd=xxxxxxxxxxxxxxxx&service=ac2dm&source=android&androidId=3281f33679ccc6c6&device_country=us&operatorCountry=us&lang=en&sdk_version=17
• 26. Step 2
POST /auth HTTP/1.1
Host: android.clients.google.com
...
accountType=HOSTED_OR_GOOGLE&Email=akgood%arbsec.org&has_permission=1&Token=1%2FfXrv8D3fLP1mOBj3o1......&service=weblogin%3Acontinue%3Dhttps%253A%252F%252Faccounts.google.com%252FManageAccount&source=android&androidId=3281f33679ccc6c6&app=com.android.browser&client_sig=61ed377e85d386a8dfee6b864bd85b0bfaa5af81&device_country=us&operatorCountry=us&lang=en&sdk_version=17
• 27. Step 2
HTTP/1.1 200 OK
...
Auth=https://accounts.google.com/MergeSession?args=continue%3Dhttps%253A%252F%252Faccounts.google.com%252FManageAccount&uberauth=AP...&source=AndroidWebLogin
Expiry=0
• 28. Simplified Workflow
‣ POST to https://android.clients.google.com/auth
‣ Send Email, Passwd, service=urlquote(“weblogin:continue=https://accounts.google.com/ManageAccount”)
‣ Receive “MergeSession” URL
Go from Application-Specific Password to full account takeover with one API call!
• 29. Timeline
‣ 2012/07/16: Duo researchers confirm presence of ASP weakness.
‣ 2012/07/18: Issue reported to security@google.com.
‣ 2012/07/20: Communication with Google Security Team clarifying the issue.
‣ 2012/07/24: Issue is confirmed and deemed “expected behavior” by Google Security Team.
‣ 2013/02/21: Fix is pushed by Google to prevent ASP-initiated sessions from accessing sensitive account interfaces.
‣ 2013/02/25: Public disclosure by Duo.
• 30. Google’s Fix
‣ Sensitive account-settings pages are no longer accessible via auto-login (you must enter username/password/OTP)
‣ ~Nothing else has changed
• 31. Multiple Discovery
‣ http://grkvlt.blogspot.co.uk/2012/08/google-tfa-security-issue.html
‣ http://connect.ncircle.com/ncircle/attachments/ncircle/VERTBlog/173/1/CraigYoung_BSidesSlides-2SV.pdf
• 33. 2-step Verification Still Helps...
‣ Phishing
‣ Password-sharing between services (with insecure password databases)
• 34. ... But ASPs Can Be Stolen
HTTPS Man-In-The-Middle
‣ Thick-client applications are notoriously bad at checking SSL certificates: https://crypto.stanford.edu/~dabo/pubs/abstracts/ssl-client-bugs.html
Malware can grab stored passwords...
‣ Windows: Data Protection API
  ‣ Encrypts data using a key derived from the user’s logon credential
  ‣ Any process running under the same user account can decrypt any DPAPI-protected data
‣ OS X: Keychain
  ‣ Stronger: per-application permissions
Plaintext...
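The certificate-checking failure the slide refers to is usually one of two things: the client accepts any chain (verify mode off), or it validates the chain but never compares the certificate's names to the host it meant to reach, so any certificate from a trusted CA passes. The following is an added example, not code from the talk or from Duo, showing what a thick client should do on the Python side: a hostname matcher that only honours subjectAltName DNS entries and a single leftmost wildcard label, a verifying TLS context, and, for contrast, the unverified context that lets an interceptor's certificate through. The sample certificate dict is constructed in the shape `getpeercert()` returns; the names in it are made up.

```python
import ssl

# Constructed peer certificate in the dict shape ssl.SSLSocket.getpeercert() returns.
# The hostnames are invented for this example.
SAMPLE_CERT = {
    "subject": ((("commonName", "imap.example.com"),),),
    "subjectAltName": (("DNS", "imap.example.com"), ("DNS", "*.mail.example.com")),
}


def hostname_matches(pattern, hostname):
    """RFC 6125-style DNS-ID match: case-insensitive, wildcard only as the whole leftmost label."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # Reject partial wildcards ("f*.example.com"), wildcards deeper than the
    # leftmost label, bare "*.tld", and any attempt to span more than one label.
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:] and h_labels[0] != ""


def cert_matches_hostname(cert, hostname):
    """Check only subjectAltName DNS entries; the CN is ignored, as current verifiers do."""
    dns_names = [value for (kind, value) in cert.get("subjectAltName", ()) if kind == "DNS"]
    return any(hostname_matches(p, hostname) for p in dns_names)


def make_verifying_context(cafile=None):
    """Client context that validates the chain AND the hostname: what a thick client should use."""
    ctx = ssl.create_default_context(cafile=cafile)
    # Fail fast if a later code path downgrades either check.
    assert ctx.check_hostname and ctx.verify_mode == ssl.CERT_REQUIRED
    return ctx


def make_unverified_context():
    """The pattern the cited paper found in real clients: chain and hostname checks both off.
    Shown for contrast only; any certificate presented by an interceptor passes it."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before verify_mode can be CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


if __name__ == "__main__":
    for host in ("imap.example.com", "smtp.mail.example.com", "a.b.mail.example.com", "evil.example.com"):
        print(host, cert_matches_hostname(SAMPLE_CERT, host))
```

When a client connects with `make_verifying_context()` and passes `server_hostname=`, the same two checks run on the real peer certificate; the `cert_matches_hostname` helper is there to make the name-matching rules explicit, which is the half that home-grown clients most often leave out.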
• 35. Case Study: Pidgin
‣ Plain-Text Passwords!
‣ https://developer.pidgin.im/wiki/PlainTextPasswords
‣ GTalk / “Hangouts” - (probably) low impact if compromised
  ‣ If we were storing a credential that only had access to your GTalk account, then storing it in plaintext might be ~OK
‣ GMail - (probably) high impact if compromised
  ‣ ... all of your other accounts on the internet?!
• 36. Not Just Application-Specific Passwords
‣ Chrome on Windows / Mac / Linux has the same “auto-login” functionality
‣ ... but it’s using OAuth2 now!
• 37. Workflow
‣ POST to https://accounts.google.com/o/oauth2/token
  ‣ send refresh_token, client_id, client_secret (the latter two are hardcoded into Chrome)
  ‣ receive access_token
‣ GET to https://accounts.google.com/OAuthLogin?source=ChromiumBrowser&issueuberauth=1
  ‣ send access_token in Authorization header
  ‣ get “uberauth” token back
‣ Use “uberauth” token to construct a MergeSession URL
• 38. How Is The Refresh Token Stored?
from (e.g.) ~/Library/Application Support/Google/Chrome/Default/Preferences:
...
"oauth2LoginRefreshToken": {
  "status": "Successful",
  "value": "1/0209_TGZzDyfxwozFV..."
}
...
• 39. OAuth2 Won’t (automagically) Save You
Unexpected threat models:
‣ Access to your tabs/bookmarks/history/etc. vs access to your entire Google account!
• 40. 2. Passing The Hash In Windows Networks... Even When Passwords Are “Disabled”
(borrowing in part from http://www.foofus.net/~hinge/presos/insidious-implicit-windows-trust-relationships.pdf)
• 41. Local vs Domain Logins
‣ Local
  ‣ Password hashes are stored on your workstation
‣ Domain
  ‣ Password hashes stored on the Domain Controller
  ‣ Your workstation will cache them, sometimes
‣ Both Local and Domain accounts can be administrators on your workstation
[Diagram: three Workstations, an Other Server, and a Domain Controller]
• 42. Authentication In Windows Networks
‣ NTLM Authentication
‣ Kerberos
‣ ...
• 43. NTLM Authentication
‣ Challenge-Handshake Protocol
‣ Uses NTLM Hash of user’s password, not the password itself!
  ‣ One-way hash function
  ‣ No salting, no PBKDF2 ...
‣ Extremely pervasive in Windows ecosystems
  ‣ RPCs
  ‣ SMB mounts
  ‣ ...
• 44. Pass-The-Hash
NTLM Authentication only requires the NTLM Hash!
‣ Gain local admin rights on a single workstation (somehow...)
‣ Extract NTLM Hashes
‣ Use them to compromise other machines in the network!
[Diagram: three Workstations, an Other Server, and a Domain Controller]
• 45. What About Smart-Cards?
Public/Private Key-pair and Certificate stored on cryptographic hardware
‣ Private Key can “never” be extracted
‣ Authenticate by asking the smartcard to digitally-sign a value (basically, Challenge-Handshake)
‣ Windows can do Certificate-based user authentication
Sounds much better, right?
• 46. What About Smart-Cards?
“In order to support NTLM authentication [MS-NLMP] for applications connecting to network services that do not support Kerberos authentication, when PKCA is used, the KDC returns the user's NTLM one-way function (OWF) in the privilege attribute certificate (PAC) PAC_CREDENTIAL_INFO buffer ([MS-PAC] section 2.6.1).”
- [MS-PKCA]: Public Key Cryptography for Initial Authentication (PKINIT) in Kerberos Protocol
http://msdn.microsoft.com/en-us/library/cc238455.aspx
• 47. Evaluation
Smart-cards still can help...
‣ Weak Passwords
‣ Shared Passwords between accounts / systems
But Pass-The-Hash attacks can still be a threat!
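Slides 44 through 47 leave the defender with two observable consequences: pass-the-hash shows up as NTLM network logons between machines that would normally talk Kerberos (and rarely to each other), and a smart-card-only account authenticating with NTLM at all means its NT hash, handed back in the PAC as the [MS-PKCA] quote describes, is in use. The following detection logic is an added example, not code from the talk or from Duo. It runs over a constructed set of Windows Security event 4624 fields (the field names are the real ones from that event; the hosts, users and addresses are invented), and it assumes a site convention that workstation names begin with "WS-" and a list of accounts configured for smart-card-only logon.

```python
from collections import defaultdict

# Constructed sample of Security event 4624 (successful logon) fields; not real telemetry.
# LogonType 3 is a network logon; AuthenticationPackageName says whether NTLM or
# Kerberos authenticated it; WorkstationName is the client the logon came from.
EVENTS = [
    {"Computer": "WS-02", "TargetUserName": "alice", "LogonType": 3,
     "AuthenticationPackageName": "NTLM", "WorkstationName": "WS-01", "IpAddress": "10.0.0.11"},
    {"Computer": "FS-01", "TargetUserName": "alice", "LogonType": 3,
     "AuthenticationPackageName": "Kerberos", "WorkstationName": "-", "IpAddress": "10.0.0.11"},
    {"Computer": "WS-03", "TargetUserName": "bob", "LogonType": 3,
     "AuthenticationPackageName": "NTLM", "WorkstationName": "WS-01", "IpAddress": "10.0.0.11"},
    {"Computer": "WS-04", "TargetUserName": "bob", "LogonType": 3,
     "AuthenticationPackageName": "NTLM", "WorkstationName": "WS-01", "IpAddress": "10.0.0.11"},
    {"Computer": "WS-05", "TargetUserName": "carol", "LogonType": 2,
     "AuthenticationPackageName": "Kerberos", "WorkstationName": "WS-05", "IpAddress": "-"},
    {"Computer": "FS-01", "TargetUserName": "carol", "LogonType": 3,
     "AuthenticationPackageName": "NTLM", "WorkstationName": "WS-05", "IpAddress": "10.0.0.15"},
]

# Assumed site conventions (not from the slides): workstation names start with
# "WS-", and these accounts are configured for smart-card-only logon.
SMARTCARD_ONLY_ACCOUNTS = {"carol"}


def is_workstation(name):
    return name.upper().startswith("WS-")


def find_findings(events, smartcard_only, fanout_threshold=2):
    """Return a list of findings tuples; order is deterministic for a given input."""
    findings = []
    fanout = defaultdict(set)   # (source workstation, user) -> target workstations reached via NTLM
    for e in events:
        if e["LogonType"] != 3 or e["AuthenticationPackageName"].upper() != "NTLM":
            continue
        user, src, dst = e["TargetUserName"], e["WorkstationName"], e["Computer"]
        # A smart-card account should never authenticate with NTLM. If it does, the NT
        # hash the KDC returned in the PAC is being replayed, possibly not by its owner.
        if user in smartcard_only:
            findings.append(("ntlm-by-smartcard-account", user, dst))
        # Workstation-to-workstation NTLM logons are rare in ordinary use and are the
        # characteristic shape of pass-the-hash lateral movement.
        if is_workstation(src) and is_workstation(dst) and src.upper() != dst.upper():
            fanout[(src, user)].add(dst)
    for (src, user), targets in sorted(fanout.items()):
        if len(targets) >= fanout_threshold:
            findings.append(("ntlm-lateral-fanout", user, src, tuple(sorted(targets))))
    return findings


if __name__ == "__main__":
    for finding in find_findings(EVENTS, SMARTCARD_ONLY_ACCOUNTS):
        print(*finding)
```

In the constructed sample, alice's single NTLM logon stays below the fan-out threshold and her Kerberos logon to the file server is ignored, bob's NTLM logons from WS-01 to two other workstations are reported, and carol's NTLM logon is reported because her account is supposed to use a smart card. The threshold and the naming convention are the two knobs a real deployment would tune against its own baseline.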
• 49. Real-world ecosystems tend to have multiple, distinct authentication scenarios...
... passwords (or similar stored-secret authentication methods) are likely to continue to exist in some scenarios ...
...in each scenario, we must carefully balance privileges with trust
• 50. Authentication Scenarios and Trust
Rights
‣ What is the maximum set of permissions that should be granted to a user?
Integrity Level
‣ How strongly has a user / client authenticated?
• 51. 4. Amazon Web Services: Identity and Access Management (IAM)
• 52. Identity And Access Management (IAM)
‣ A single AWS account can have multiple users
‣ Flexible Rights-Expression Language, based on:
  ‣ Resources (e.g. EC2 Instances, DNS zones, ...)
  ‣ Actions (e.g. start instance, stop instance, ...)
  ‣ Other session context (e.g. client IP address, SSL usage, whether 2FA was used, ...)
• 53. IAM Policy Example
{
  "Version": "2012-10-17",
  "Statement": [{
    "Action": ["ec2:StopInstances", "ec2:TerminateInstances"],
    "Effect": "Deny",
    "Resource": ["*"],
    "Condition": {
      "Null": {"aws:MultiFactorAuthAge": "true"}
    }
  }]
}
Deny specific actions if a user didn’t use 2-factor authentication
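The policy on the slide works because `aws:MultiFactorAuthAge` is simply absent from the request context when the session was not established with MFA, so the `Null` condition is true and the Deny fires; with MFA the key is present (seconds since MFA) and the Deny does not apply. The following is an added example, not code from the talk, from Duo or from AWS: a small evaluator that models just enough of IAM's semantics (wildcard matching, the `Null` and `NumericLessThan` operators, explicit Deny winning over Allow, implicit deny otherwise) to show the slide's policy deciding requests. The Allow statement for `ec2:*` and the instance ARN are assumptions added so the Deny has something to override.

```python
import fnmatch
import json

# The slide's policy with its one syntax defect fixed ("Statement" must be a
# quoted key), plus an Allow statement added for this example so that the
# MFA-gated Deny has a permitted action to override.
POLICY_JSON = """
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": ["ec2:*"],
      "Effect": "Allow",
      "Resource": ["*"]
    },
    {
      "Action": ["ec2:StopInstances", "ec2:TerminateInstances"],
      "Effect": "Deny",
      "Resource": ["*"],
      "Condition": {
        "Null": {"aws:MultiFactorAuthAge": "true"}
      }
    }
  ]
}
"""
POLICY = json.loads(POLICY_JSON)

# Constructed instance ARN; the account id and instance id are made up.
INSTANCE = "arn:aws:ec2:us-east-1:123456789012:instance/i-0123456789abcdef0"


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(patterns, value):
    # IAM action/resource patterns allow '*' and '?' wildcards; fnmatchcase is close enough here.
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))


def _condition_holds(condition, context):
    """Evaluate the subset of IAM condition operators modelled here; all pairs must hold."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            if operator == "Null":
                # "Null": {"k": "true"} is true when k is ABSENT from the request context,
                # which is exactly the situation when the caller did not use MFA.
                want_absent = str(expected).lower() == "true"
                if (key not in context) != want_absent:
                    return False
            elif operator == "NumericLessThan":
                # The usual companion condition: MFA must have happened within N seconds.
                if key not in context or not float(context[key]) < float(expected):
                    return False
            else:
                raise NotImplementedError(f"operator {operator!r} is not modelled here")
    return True


def evaluate(policy, action, resource, context):
    """Return 'Deny', 'Allow' or 'ImplicitDeny' for one request.

    Mirrors the IAM rules that an explicit Deny beats any Allow and that a
    request matching no statement is implicitly denied.
    """
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        if not _matches(stmt["Action"], action) or not _matches(stmt["Resource"], resource):
            continue
        if not _condition_holds(stmt.get("Condition", {}), context):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"
        decision = "Allow"
    return decision


if __name__ == "__main__":
    no_mfa = {}                                   # key absent: session established without MFA
    with_mfa = {"aws:MultiFactorAuthAge": "120"}  # MFA used 120 seconds ago
    print(evaluate(POLICY, "ec2:TerminateInstances", INSTANCE, no_mfa))    # Deny
    print(evaluate(POLICY, "ec2:TerminateInstances", INSTANCE, with_mfa))  # Allow
    print(evaluate(POLICY, "ec2:DescribeInstances", INSTANCE, no_mfa))     # Allow
```

The shape to notice is that the Deny is keyed on the absence of a context value rather than on a user or group, which is what makes it enforce "how strongly did this session authenticate" (the Integrity Level question from slide 50) independently of what the user is otherwise allowed to do.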
• 54. 2-Factor Authentication for API Clients
Amazon Secure Token Service
‣ Provide API credentials and a one-time-passcode to a specific endpoint
‣ Get a new set of temporary credentials back
• 55. Evaluation
AWS gives you all the tools to build strong, flexible authorization policies...
... but you have to actually build them!
AWS is intended for developers (and other savvy types)