BSidesTLV 2023

Uh-OAuth! - Breaking (and fixing) OAuth Implementations
2023-06-29, 14:50–15:35 (Europe/Oslo), Smolarz

We dove into the world of OAuth (an open standard for authorization and authentication) and its various implementations. By applying advanced attack techniques, we managed to gain control of accounts on popular applications and websites – household brand names – each with more than 100 million users.
At the end of the day, our research gave us (potential) access to one billion accounts.


Our research delved into the world of OAuth (an open standard for authorization and authentication) and the vulnerabilities in its implementations.

Multiple OAuth research projects have brought significant security issues to light in the past, leading some to assume that OAuth has improved its security measures since then. However, the question remains: how well secured is OAuth really in 2023?

By utilizing various modern attack techniques, we gained control of accounts on popular applications and websites - household brand names - each with over 100 million users, in some cases including a framework that serves dozens of other sites.
Despite the targets' awareness of OAuth and security measures, we were able to bypass every mitigation and exploit a different kind of vulnerability in every target.
At the end of the day, our research gave us (potential) access (account takeover) to one billion accounts. It is reasonable to assume that a large portion of the lecture audience uses at least one of the websites that we will mention.

In the presentation, we will share our research methodology for approaching websites and applications from a hacker's perspective - our mindset, how to set new goals, what to look for, and more.
We will break down the difficulties of integrating OAuth, share the common missteps we have identified, and present advanced techniques not revealed in any lecture before – all based on real-world use cases.

As a senior security researcher at Salt Security, Aviad brings a wealth of knowledge and experience in the field of security research.
At the age of 15, he demonstrated his passion for security research by obtaining his first Root and CVE. Since then, he has continued to hone his skills and has become a recognized expert in the field.
In addition to his work in security research, Aviad is also passionate about teaching. He created, wrote and taught the Reverse Engineering and Vulnerabilities course at the Technion's computer science faculty for five years, all while he was a student himself.