Cybercriminals are increasingly abusing OAuth apps to launch attacks against enterprise businesses according to new research from Proofpoint.
For those unfamiliar, an OAuth app is an application that integrates with a cloud computing service and may be provided by a different vendor other than the cloud service provider. These apps can be used to add business features as well as user-interface enhancements to cloud services such as Microsoft 365 or Google Workspace.
In order for OAuth apps to work with cloud services, most of them request permission to access and manage user information and data as well as sign into other cloud apps on a user’s behalf. OAuth works over HTTPS and uses access tokens as opposed to a login credentials to authorize devices, APIs, servers and applications.
However, given the broad permissions these apps can have to an organization’s core cloud applications, they have become a growing attack surface and vector. Cybercriminals use a variety of methods to abuse OAuth apps including compromising app certificates which was used in the recent SolarWinds hack.
OAuth abuse
As OAuth apps can be easily exploited, attackers can use OAuth access to compromise and takeover users’ cloud accounts. To make matters worse, an attacker can still access a user’s accounts and data until an OAuth token is explicitly revoked.
Malicious applications or cloud malware use a number of tricks such as OAuth token phishing and app impersonation to manipulate account owners into consent. In 2020 alone, Proofpoint discovered more than 180 malicious applications and a majority of them were found to be attacking multiple tenants.
Bad coding or design is often responsible for making applications vulnerable to hostile takeover and in these cases an attacker will compromise the app’s assets or mechanisms instead of interacting with the target accounts themselves. One recent example occurred back in March of last year when it was discovered that sharing a GIF in Microsoft Teams could possibly result in an account takeover.
In a study of 2020 data, Proofpoint observed that 95 percent of organizations were targeted and 52 percent of organizations had at least one compromised account.
In order to avoid OAuth app abuse, the firm recommends that organizations actively govern OAuth apps, avoid storing plain text secrets and code signing keys, manage roles more carefully and look out for anomalies.