Microsoft released its monthly round of Patch Tuesday updates to address 84 new security flaws spanning multiple product categories, counting a zero-day vulnerability that's under active attack in the wild.
Of the 84 shortcomings, four are rated Critical, and 80 are rated Important in severity. Also separately resolved by the tech giant are two other bugs in the Chromium-based Edge browser, one

Microsoft released its monthly round of Patch Tuesday updates to address 84 new security flaws spanning multiple product categories, counting a zero-day vulnerability that's under active attack in the wild.

Of the 84 shortcomings, four are rated Critical, and 80 are rated Important in severity. Also separately resolved by the tech giant are two other bugs in the Chromium-based Edge browser, one of which plugs another zero-day flaw that Google disclosed as being actively exploited in real-world attacks.

Top of the list of this month's updates is CVE-2022-22047 (CVSS score: 7.8), a case of privilege escalation in the Windows Client Server Runtime Subsystem (CSRSS) that could be abused by an attacker to gain SYSTEM permissions.

"With this level of access, the attackers are able to disable local services such as Endpoint Detection and Security tools," Kev Breen, director of cyber threat research at Immersive Labs, told The Hacker News. "With SYSTEM access they can also deploy tools like Mimikatz which can be used to recover even more admin and domain level accounts, spreading the threat quickly."

Very little is known about the nature and scale of the attacks other than an "Exploitation Detected" assessment from Microsoft. The company's Threat Intelligence Center (MSTIC) and Security Response Center (MSRC) have been credited with reporting the flaw.

Besides CVE-2022-22047, two more elevation of privilege flaws have been fixed in the same component — CVE-2022-22026 (CVSS score: 8.8) and CVE-2022-22049 (CVSS score: 7.8) — that were reported by Google Project Zero researcher Sergei Glazunov.

"A locally authenticated attacker could send specially crafted data to the local CSRSS service to elevate their privileges from AppContainer to SYSTEM," Microsoft said in an advisory for CVE-2022-22026.

"Because the AppContainer environment is considered a defensible security boundary, any process that is able to bypass the boundary is considered a change in Scope. The attacker could then execute code or access resources at a higher integrity level than that of the AppContainer execution environment."

Also remediated by Microsoft include a number of remote code execution bugs in Windows Network File System (CVE-2022-22029 and CVE-2022-22039), Windows Graphics (CVE-2022-30221), Remote Procedure Call Runtime (CVE-2022-22038), and Windows Shell (CVE-2022-30222).

The update further stands out for patching as many as 32 issues in the Azure Site Recovery disaster recovery service. Two of these flaws are related to remote code execution and the remaining 30 concern privilege escalation.

"Successful exploitation \[...\] requires an attacker to compromise admin credentials to one of the VMs associated with the configuration server," the company said, adding the flaws do not "allow disclosure of any confidential information, but could allow an attacker to modify data that could result in the service being unavailable."

On top of that, Microsoft's July update also contains fixes for four privilege escalation vulnerabilities in the Windows Print Spooler module (CVE-2022-22022, CVE-2022-22041, CVE-2022-30206, and CVE-2022-30226) after a brief respite in June 2022, underscoring what appears to be a never-ending stream of flaws plaguing the technology.

Rounding off the Patch Tuesday updates are two notable fixes for tampering vulnerabilities in the Windows Server Service (CVE-2022-30216) and Microsoft Defender for Endpoint (CVE-2022-33637) and three denial-of-service (DoS) flaws in Internet Information Services (CVE-2022-22025 and CVE-2022-22040) and Security Account Manager (CVE-2022-30208).

**Software Patches from Other Vendors**

In addition to Microsoft, security updates have also been released by other vendors since the start of the month to rectify several vulnerabilities, including —

*   Adobe
*   AMD
*   Android
*   Apache Projects
*   Cisco
*   Citrix
*   Dell
*   Fortinet
*   GitLab
*   Google Chrome
*   HP
*   Intel
*   Lenovo
*   Linux distributions Debian, Oracle Linux, Red Hat, SUSE, and Ubuntu
*   MediaTek
*   Qualcomm
*   SAP
*   Schneider Electric
*   Siemens, and
*   VMware

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

Microsoft Releases Fix for Zero-Day Flaw in July 2022 Security Patch Rollout

Python's most popular package manager is intent on securing the supply chain by requiring developers to enable two-factor authentication.

As part of the push to mandate two-factor authentication for critical projects, the Python Package Index will distribute 4,000 Google Titan security keys to developers.

PyPI, the largest package manager for Python libraries and software components, has decided to mandate two-factor authentication for maintainers of "critical" Python projects. Two-factor authentication must be enabled for developers to be able to publish, update, or modify their projects. This requirement would protect developers from account takeovers as a result of stolen credentials. There have been numerous instances of supply chain attacks where attackers took over code repositories and hijacked software libraries and modules hosted on popular package managers.

The "critical" designation is assigned to any PyPI project accounting for the top 1% of downloads over the past six months. According to the dashboard published by PyPI, over 3,800 PyPI projects and 8,200 user accounts have been identified as critical. There are currently 28,336 users who have voluntarily enabled two-factor authentication.

"Ensuring that the most widely used projects have these protections against account takeover is one step towards our wider efforts to improve the general security of the Python ecosystem for all PyPI users," PyPI's administrators announced.

The decision to mandate two-factor authentication is an attempt to improve the supply chain security of the Python ecosystem and echoes a similar decision by GitHub to mandate two-factor authentication earlier this year. Recognizing that attackers are increasingly targeting libraries on npm, PyPI's JavaScript equivalent, GitHub auto-enrolled maintainers of the top 100 npm packages with two-factor authentication back in February.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

PyPI Mandates 2FA, Plans Google Titan Key Giveaway

A security issue was discovered in aws-iam-authenticator where an allow-listed IAM identity may be able to modify their username and escalate privileges.

**Hausler, Micah**

unread,

Jul 11, 2022, 6:40:08 PM (yesterday) Jul 11

to kubernete...@googlegroups.com, d...@kubernetes.io, kubernetes-sec...@googlegroups.com, kubernetes-se...@googlegroups.com, distributo...@kubernetes.io, kubernetes+a...@discoursemail.com

Hello Kubernetes Community,

A security issue was discovered in aws-iam-authenticator where an allow-listed IAM identity may be able to modify their username and escalate privileges. 

This issue has been rated **high** (https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N), and assigned CVE-2022-2385

**Am I vulnerable?**

Users are only affected if they use the AccessKeyID template parameter to construct a username and provide different levels of access based on the username.

**Affected Versions**

*   v0.5.2 - v0.5.8

**How do I mitigate this vulnerability?**

Upgrading to v0.5.9 mitigates this vulnerability.

Prior to upgrading, this vulnerability can be mitigated by not using the {{AccessKeyID}} template value to construct usernames.

**Fixed Versions**

*   aws-iam-authenticator v0.5.9

**Detection**

This issue affected the logged identity, and is not discernible from valid requests.

**Additional Details**

See the GitHub issue for more details: https://github.com/kubernetes-sigs/aws-iam-authenticator/issues/472

**Acknowledgements**

This vulnerability was reported by Gafnit Amiga from Lightspin

Micah Hausler

Principal Engineer

Amazon Web Services

CVE-2022-2385: [Security Advisory] CVE-2022-2385: AccessKeyID validation bypass

Whether data's in motion, at rest, or in use, confidential computing makes moving workloads to the public cloud safer, and can enhance data security in other deployments.

It's a question every enterprise faces: How comfortable do we feel moving sensitive data to the cloud, bearing in mind the associated security and privacy risks?

Though global cloud adoption is expanding rapidly, security and privacy remain top concerns. For example, the Cloud Security Alliance survey last year showed security and privacy to be the leading worry for 58% of 1,900 professionals involved in cloud deployments.

That is why inside many companies, tension continues to simmer between development shops that see the scalable, flexible public cloud as an ideal innovation engine and security gatekeepers whose risk intolerance has earned them a reputation as the Department of No.

But what if organizations could have greater assurance that their data is protected from hackers and other prying eyes? What if reluctance about moving sensitive data to the cloud was alleviated?

Such is the promise of an emerging shift in data security: confidential computing.

Confidential computing not only reassures enterprises about the safety of moving more of their workloads to the public cloud, it also can enhance data security in any type of deployment and offer a host of business benefits.

An explanation of what confidential computing is must start with a description of the three stages of the data life cycle.

**Data in Motion**

When users send data, it is encrypted while transmitting across networks. Whether the user is someone in a company sending data to the cloud or a consumer sharing their credit card information with an online retailer, that's true. Standardized encryption technologies such as TLS protect the data during its journey.

**Data at Rest**

This is the designation for passive data that is not being computed on and is sitting in storage — records in databases, files on hard disks, etc. Organizations use disk encryption and other security technologies to safeguard data at rest.

**Data in Use**

This is where data is computed-on in some way. To do that, data must first be moved from the hard disk into system memory — aka RAM — and become unencrypted. At this stage, data becomes vulnerable to compromise due to a potential vulnerability within the millions lines of code that comprise the cloud provider’s system software operating system, hypervisor, firmware, or a cloud administrator. This is a large attack surface, and this is what consumers who move their confidential data from an on-premises setup to a public cloud worry about.

Confidential computing is an extra layer of security that extends encryption protection to data during runtime. It achieves this by running workloads in isolated hardware-encrypted environments, or trusted execution environments, that prevent unauthorized access or modification of applications and data while in use.

This eases a set of potential security threats in moving data to the cloud, such as a hypervisor vulnerability allowing other virtual machines to leak private data, or a rogue cloud provider employee with access to a company's physical machine backdooring a workflow.

There's a lot of industry buzz about confidential computing for a few reasons. The first is obvious: The rising number of cyberattacks is spurring a need for better data security.

Second, technologies that enable confidential computing, such as security features in operating systems and on CPUs, have achieved industrial strength, as with AMD-SEV and Intel SGX.

Third, the major public cloud providers, in particular Google Cloud Platform and Microsoft Azure, have been beefing up their confidential computing capabilities.

A note on that third point: Though much of the discussion about confidential computing has centered on its usefulness in securing sensitive data as it moves to the public cloud, its advantages are equally compelling and relevant for protecting data in use in many more environments, namely edge and on-premises deployments.

The space keeps heating up. For example, in May, AMD announced new confidential computing virtual machines for Google Cloud.

Confidential computing also has the support of a project community at the Linux Foundation, with commitments from nearly 40 member organizations and contributions from several open source projects.

Confidential computing has significant real-world benefits. Take financial services, for example. In that industry, business processes such as anti-money laundering and fraud detection require financial institutions to share data with external parties.

With confidential computing, they can process data from multiple sources without exposing customers' personal data. They can run analytics on the combined data sets to, say, detect the movement of money by one user among multiple banks, without introducing security and privacy problems.

By unlocking data computing scenarios that weren't possible before, confidential computing should be an important security and privacy advance for years to come.

How Confidential Computing Locks Down Data, Regardless of Its State

PyPI is rolling out a 2FA requirement for maintainers of critical projects. 
The post PyPI starts rolling out required 2FA for important projects appeared first on Malwarebytes Labs.

The Python Package Index (PyPI) says it has begun rolling out a two-factor authentication (2FA) requirement which enforces maintainers of critical projects to have 2FA enabled to publish, update, or modify them. PyPI plays an important role in the Python developers’ ecosystem.

**Python repository**

PyPi is _the_ repository of software for the Python programming language. Python is a high-level, interpreted, general-purpose programming language. And it is a very popular language often used on servers to create web applications.

Many web developers, and others, use Python packages or add-on libraries from other developers as building blocks to develop their own projects. The Python Software Foundation (PSF) manages the PyPI repository where Python developers can get third-party developed open-source packages for their projects.

**Critical projects**

The projects rated as critical by the PSF are those that are in the top 1% of downloads. Maintainers of such projects should have received an email about the new requirement. The requirement will go into effect in the coming months. Based on the 1% rule, over 3,500 projects have received the critical designation.

The good news is that every project has the option to set 2FA as required. And, to ensure that maintainers of critical projects have the ability to implement strong 2FA with security keys, the Google Open Source Security Team has provided a limited number of security keys to distribute among critical project maintainers.

**The reason**

As you can imagine, unauthorized access to a project that many other depend on opens up the possibilities of a software supply chain attack. So, introducing the 2FA factor for critical projects decreases the possibility that someone might introduce malicious code into a popular project.

We have all seen the problems with Log4j. For those that missed it, Log4j is an open source logging library written in Java developed by the Apache Software Foundation. Millions of applications use it, and some of them are enormously popular, so the potential reach of this problem turned out to be enormous.

A similar problem that remains unresolved by these new requirements is the use of packages which are purposedly named after popular projects to confuse users into downloading a malicious version.

**Mixed feelings**

As you would expect on Twitter, there are some mixed feelings among those impacted by this new requirement. Ranging from developers saying goodbye to their popular project to those wondering why 2FA wasn’t already mandatory in the first place.

For all those with unanswered questions, PyPI has put up a FAQ about the 2FA implementation, along with the key giveaway.

PyPI starts rolling out required 2FA for important projects

The new open source security-as-code platform will help developers and security teams automatically detect security policy violations across the organization's cloud infrastructure.

As more organizations migrate their data, applications, and workloads to the cloud, securing the infrastructure remains a challenge. Security teams don't always know exactly what is happening within each cloud environment, making it difficult to detect when security policies are being violated.

That's the problem Paladin Cloud aims to solve with its security-as-code platform.

Paladin Cloud’s platform is intended to help developers and DevOps teams safeguard their applications and data, both in testing and production. It accomplishes this goal by providing teams with full visibility into the organization's various cloud services and systems. The platform includes a plug-in-based architecture that helps developers connect to and ingest data from sources including code repositories, threat intelligence systems, container scanning, API gateways, and cloud-based enterprise systems such as Kubernetes.

Supported vendor systems include Qualys Vulnerability Assessment Platform, Bitbucket, Trend Micro Deep Security, Tripwire, Venafi Certificate Management, and Red Hat. Security teams can write rules based on data collected by these plugins to get a complete picture of the organization's cloud security posture.

"The platform discovers assets, evaluates policy, creates issues for policy violations, and prioritizes remediation," according to a page on Paladin Cloud's GitHub repository. If fixes for policy violations have already been defined, then the platform can go ahead and execute those actions to remediate the issues. This way, the platform provides automatic detection and remediation of violations, such as unauthorized access, misconfigured systems, and insecure APIs.

Organizations can also take advantage of the platform's extensible policy management to oversee hybrid clouds, where the data and applications are hosted on both public and private infrastructure.

Paladin Cloud lists various out-of-the-box features on its GitHub page, including continuous asset discovery, ability to search all discovered resources, custom policies and custom auto-fix actions, dynamic asset grouping to view compliance, exception management, OAuth2 support, and role-based access control.

The platform is now generally available for Amazon Web Services, Google Cloud, and Microsoft Azure. Along with announcing the platform's availability, the company announced a $3.3 million seed financing round.

Paladin Cloud Launches New Cloud Security and Governance Platform

"HavanaCrypt" is also using a command-and-control server that is hosted on a Microsoft Hosting Service IP address, researchers say.

Threat actors are increasingly using fake Microsoft and Google software updates to try to sneak malware on target systems.

The latest example is "HavanaCrypt," a new ransomware tool that researchers from Trend Micro recently discovered in the wild disguised as a Google Software Update application. The malware's command and-control (C2) server is hosted on a Microsoft Web hosting IP address, which is somewhat uncommon for ransomware, according to Trend Micro.

Also notable, according to the researchers, is HavanaCrypt's many techniques for checking if it is running in a virtual environment; the malware's use of code from open source key manager KeePass Password Safe during encryption; and its use of a .Net function called "QueueUserWorkItem" to speed up encryption. Trend Micro notes that the malware is likely a work-in-progress because it does not drop a ransom note on infected systems.

HavanaCrypt is among a growing number of ransomware tools and other malware that in recent months have been distributed in the form of fake updates for Windows 10, Microsoft Exchange, and Google Chrome. In May, security researchers spotted ransomware dubbed "Magniber" doing the rounds disguised as Windows 10 updates. Earlier this year, researchers at Malwarebytes observed the operators of the Magnitude Exploit Kit trying to fool users into downloading it by dressing the malware as a Microsoft Edge update.

As Malwarebytes noted at the time, fake Flash updates used to be a fixture of Web-based malware campaigns until Adobe finally retired the technology because of security concerns. Since then, attackers have been using fake versions of other frequently updated software products to try to trick users into downloading their malware — with browsers being one of the most frequently abused.

Creating fake software updates is trivial for attackers, so they tend to use them to distribute all classes of malware including ransomware, info stealers, and Trojans, says an analyst with Intel 471 who requested anonymity. "A non-technical user might be fooled by such techniques, but SOC analysts or incident responders will likely not be fooled," the analyst says.

Security experts have long noted the need for organizations to have multi-layered defenses in place to defend against ransomware and other threats. This includes having controls for endpoint detection and response, user and entity behavior-monitoring capabilities, network segmentation to minimize damage and limit lateral movement, encryption, and strong identity and access control -- including multi-factor authentication. 

Since adversaries often target end users, it is also critical for organizations to have strong practices in place for educating users about phishing risks and social engineering scams designed to get them to download malware or follow links to credential harvesting sites.

**How HavanaCrypt Works**

HavanaCrypt is .Net malware that uses an open-source tool called Obfuscar to obfuscate its code. Once deployed on a system, HavanaCrypt first checks to see if the "GoogleUpdate" registry is present on the system and only continues with its routine if the malware determines the registry is not present.

The malware then goes through a four-stage process to determine if the infected machine is in a virtualized environment. First it checks the system for services such as VMWare Tools and vmmouse that virtual machines typically use. Then it looks for files related to virtual applications, followed by a check for specific file names used in virtual environments. Finally, it compares the infected systems' MAC address with unique identifier prefixes typically used in virtual machine settings. If any of checks show the infected machine to be in a virtual environment, the malware terminates itself, Trend Micro said.

Once HavanaCrypt determines it's not running in a virtual environment, the malware fetches and executes a batch file from a C2 server hosted on a legitimate Microsoft Web hosting service. The batch file contains commands for configuring Windows Defender in such a manner that it allows detected threats. The malware also stops a long list of processes, many of which are related to database applications such as SQL and MySQL or to desktop applications such as Microsoft Office.

HavanaCrypt's next steps include deleting shadow copies on the infected systems, deleting functions for restoring data, and gathering system information such as the number of processors the system has, processor type, product number, and BIOS version. The malware uses the QueueUserWorkItem function and code from KeePass Password Safe as part of the encryption process.

"QueueUserWorkItem is a standard technique for creating thread pools," says the analyst from Intel 471. "The use of thread pools will speed up encryption of the files on the victim machine."

With KeePass, the ransomware author has copied code from the password manager tool and used this code in their ransomware project. "The copied code is used to generate pseudorandom encryption keys," the analyst notes. "If the encryption keys were generated in a predictable, repeatable way, then it might be possible for malware researchers to develop decryption tools."

The attacker's use of a Microsoft hosting service for the C2 server highlights the broader trend by attackers to hide malicious infrastructure in legitimate services to evade detection. "There is a great deal of badness hosted in cloud environments today, whether it's Amazon, Google, or Microsoft and many others," says John Bambenek, principal threat hunter at Netenrich. "The highly transient nature of the environments makes reputation systems useless."

Fake Google Software Updates Spread New Ransomware

Google is providing Titan Security Keys to maintainers of projects in top 1% of downloads

Adam Bannister 11 July 2022 at 15:56 UTC

Google is providing Titan Security Keys to maintainers of projects in top 1% of downloads

The Python Package Index (PyPI) is rolling out two-factor authentication (2FA) for “critical projects” in the form of physical security keys.

Mindful of the growing threat to software supply chains, the repository is distributing 4,000 Titan Security Keys to qualifying maintainers, who can redeem a promo code for two free keys, either USB-C or USB-A.

The Google Open Source Security Team, a sponsor of the Python Software Foundation that maintains PyPI, has provided the keys.

All maintainers of critical projects will have to log into their accounts using the keys in addition to a password, a requirement that “will go into effect in the coming months”, according to an announcement on the PyPI website.

**The top 1%**

Projects are deemed ‘critical’ if they are among the top 1% of PyPI projects by numbers of downloads over the prior six months.

That means that around 3,500 of roughly 350,000 PyPI projects will qualify.

And “once the project has been designated as critical it retains that designation indefinitely”, said the Python Software Foundation.

Titan hardware keys are only approved for sale, and can therefore only be distributed to, Austria, Belgium, Canada, France, Germany, Italy, Japan, Spain, Switzerland, the UK, and the US.

Catch up on the latest open source security news

Maintainers of critical projects in non-eligible regions can either independently purchase an alternative FIDO U2F security key such as Yubikey or Thetis, or enable 2FA via a TOTP application.

However, PyPI warned that “using security keys via WebAuthn is generally considered to be more secure than using TOTP-based authentication applications for 2FA”.

The move follows a similar commitment made by the RubyGems code repository last month that was applicable to maintainers of gems with more than 165 million downloads.

GitHub also announced last month that 2FA would be made mandatory for all code contributors by the end of next year, while NPM is initially making 2FA mandatory for its top 100 Node.js package maintainers, with a broader rollout already underway.

RELATED RubyGems trials 2FA-by-default in code repo’s latest security effort

PyPI repo to distribute 4,000 security keys to maintainers of ‘critical projects’ in 2FA drive

In mutt_decode_uuencoded(), the line length is read from the untrusted uuencoded part without validation. This could result in including private memory in replys, for example fragments of other messages, passphrases or keys.

    mutt: mutt_decode_uuencoded() can read the past the of the input lineIn mutt_decode_uuencoded(), the line length is read from the untrusted uuencoded part without validation. This could result in including private memory in replys, for example fragments of other messages, passphrases or keys.Reproduce with the following mbox, note that these are literal 0x9f bytes. This should show some uninitialized garbage in the message.From taviso  Thu Mar 31 16:53:55 2022From: tavisoSubject: mutt_decode_uuencoded testContent-Disposition: inlineContent-Transfer-Encoding: x-uuencodeContent-Type: text/plainbegin 644 test<9f>M2&5L;&\\L\"@I)9B!Y;W4@87)E(')E861I;F<@=&AI<R!M97-S86=E(&EN(&UUM='0L('1H92!N97AT(&QI;F4*<VAO=6QD(&-O;G1A:6X@9V%R8F%G92X*\"@H*<9f>54&QE87-E(')E<&QY+`I4879I<RX*`end.This bug is subject to a 90-day disclosure deadline. If a fix for thisissue is made available to users before the end of the 90-day deadline,this bug report will become public 30 days after the fix was madeavailable. Otherwise, this bug report will become public at the deadline.The scheduled deadline is YYYY-MM-DD.Related CVE Numbers: CVE-2022-1328.Found by: taviso@google.com

Mutt mutt_decode_uuencoded() Memory Disclosure

Single-click account takeovers are made possible by taking advantage of quirks in OAuth

Single-click account takeovers are made possible by taking advantage of quirks in OAuth

It is possible to perform single-click account hijacking by abusing the OAuth process flow, a security researcher has found.

OAuth, also known as Open Authentication, is a framework for managing identities and securing online areas across third-party services. Rather than leverage an account username and password combination, for example, service providers can utilize OAuth to provide temporary and secure access tokens.

However, in some scenarios, attackers can abuse OAuth implementations to steal these tokens and perform one-click account hijacking.

**Dirty dancing**

On July 6, Frans Rosén, Security Advisor at Detectify, walked us through several potential attack vectors and how organizations can mitigate the risk of compromise.

Rosén describes these scenarios as “dirty dancing”. Attackers can abuse OAuth ‘dances’ – their authentication processes and how they manage communication between a browser and service provider – by combining response-type switching, invalid states, and redirect URI programming “quirks” to steal user information such as authorization codes or tokens.

**RECOMMENDED** Node.js fixes multiple bugs that could lead to RCE, HTTP request smuggling

Browser developers, including Google and Mozilla, have worked hard in recent years to destroy any potential pathways to cross-origin referer leaks and cross-site scripting (XSS) attacks.

However, as highlighted in MITRE’s latest 2022 Common Weakness Enumeration (CWE) Top 25 Most Dangerous Software Weaknesses list, made public at the end of June, these attacks are still common and a threat to users worldwide.

**Abusing the sign-in flow**

The solutions implemented by browsers to reduce the risk of these attacks includes Content Security Policy (CSP) and Trusted Types, which allow the software to reject data values that could lead to DOM XSS and credential hijacking.

However, the researcher says that OAuth’s sign-in flow, used by companies including Slack, Facebook, and Twitter, can potentially be ‘broken’ for the same impact.

**RELATED** CWE Top 25: These are the most dangerous software weaknesses of 2022

It should be kept in mind these types of attacks aren’t easy to perform and, as Rosén says, involve a ‘grind’ involving an examination of source code and a knowledge of how OAuth’s dances work.

**Breaking the chain**

To steal tokens, an attacker must first break the chain between the system issuing tokens and a service provider consuming them.

This can be achieved by changing the state-value in use through a specially crafted link, sent to a potential victim as a sign-in page, but which uses the valid state of the attacker.

Once a victim has signed in and is redirected back to a website, the ‘dance’ is interrupted, as there is no valid state for the user. The user will then be shown an error message, and if the attacker is able to leak data and URLs from the error page, the researcher says that the threat actor “can now sign in with their own state and the code leaked from the victim”.

Read more of the latest hacking news

It can also be possible that response-type, response-mode switching, and redirect-uri path abuse could be used to intercept connections and cause unexpected behavior, although changing these pathways is difficult.

“In a proper OAuth-dance using code, in the last step to acquire the access token from the service provider, the must also be provided for validation to the service provider,” Rosén explains.

“If the that was used in the dance is mismatching the value that the website sends to the provider, no access token will be issued.”

**One-click hijack**

The researcher tested out different attack methods and achieved one-click hijacking. One exploit involving Apple OAuth sign-in was reported on May 12.

There are other quirks that attackers can also exploit to compromise OAuth and grab leaked URLs. These include performing an XSS attack on the third-party domain that receives URL data during authentication and abusing APIs intended for fetching URLs. Domains without sufficient origin checks, for example, may be at risk of exploitation.

“Due to the fact that each OAuth provider allows so many different response types and modes, it becomes quite tricky for a website to cover all different cases,” Rosén says.

To mitigate the risk of attack, the researcher recommends reviewing the OAuth 2.0 Security Best Current Practice guide, making sure that pages rendered for OAuth’s authorization response do not contain third-party resources or links, and users should also consider only allowing limited OAuth response-types and modes.

“You might not use any vulnerable third-party scripts today, but if anyone in your organization introduces anything new through Google Tag Manager or similar, or if the third-party scripts change, you can prevent any future potential token leakage,” Rosén commented.

**DEEP DIVES** Decentralized Identifiers: Everything you need to know about the next-gen web ID tech

Tag

#google