OAuth Exploitation: A Cloud-Native Attack


DATA SHEET

Common Misconceptions
• #1: Changing passwords will address the issue
• #2: Enabling multi-factor authentication will mitigate the risk
• #3: OAuth-based attacks are Google-only

Additional Cisco Security Solutions
• Advanced Malware Protection
• Next-Generation Firewalls
• Next-Generation Intrusion Prevention Systems
• Policy and Access
• Web Security
• Network Visibility and Enforcement

OAuth: What is it?

OAuth, or open standard for authorization, is a standardized way for internet accounts to link with third-party applications. It is universally adopted by almost all web-based applications and platforms – including consumer as well as enterprise applications such as Google Apps, Microsoft Office 365, Salesforce, and many others. As more businesses adopt cloud platforms, the employees authorize apps using their corporate credentials, giving these apps programmatic (API) access to their corporate data, introducing millions of back doors into corporate environments.

OAuth Attacks

OAuth is not a theoretical attack vector; it is currently being used as part of complex phishing attacks in the wild. In May, 2017, an attack targeting Google users went viral. The attack began with a simple email inviting targets to collaborate on a Google Document from a known contact. Once the targets clicked the "Open in Docs" link, they were redirected to a Google OAuth 2.0 page to authorize the "Google Docs" application, which was a fake application spoofing Google Docs. The application requested access to the targets' email and contacts, which provided an avenue to organically – and virally – expand.

OAuth has also been used in multiple attacks by hacking groups such as "Fancy Bear"/Pawn Storm to attack targets including the U.S. Democratic National Committee and the campaign of French President-elect Emmanuel Macron.

© 2017 Cisco and/or its affiliates. All rights reserved.
Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL: Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1110R)

The Cisco Solution

[Figure: Permissions requested in real-world OAuth attack]
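The grant pattern described under OAuth Attacks (an app named like a platform product that asks for email and contacts) can be checked over an exported list of OAuth grants. This is an added example, not Cisco's code: the scope strings, client IDs, app names and record layout are assumptions, and the sample grants are constructed.

```python
import unicodedata
from dataclasses import dataclass

# Assumption: Google's published scope strings for full mail and contacts access.
MAIL = "https://mail.google.com/"
CONTACTS = "https://www.googleapis.com/auth/contacts"
# Assumption: client IDs the organization has vetted (constructed value).
APPROVED_CLIENT_IDS = {"1111-vetted.apps.example"}
# Display names a user would take for the platform's own products.
PLATFORM_NAMES = {"google docs", "google drive", "gmail"}

@dataclass(frozen=True)
class Grant:
    user: str
    client_id: str
    app_name: str
    scopes: tuple

def review_grant(grant):
    """Return findings for one grant; an empty list means nothing flagged."""
    if grant.client_id in APPROVED_CLIENT_IDS:
        return []
    findings = []
    # Fold case, width variants and spacing so "GOOGLE  docs" matches too.
    name = unicodedata.normalize("NFKC", grant.app_name).casefold()
    if " ".join(name.split()) in PLATFORM_NAMES:
        findings.append("name-imitates-platform-app")
    held = set(grant.scopes)
    if MAIL in held:
        findings.append("mail-access")
    if CONTACTS in held:
        findings.append("contacts-access")
    if {MAIL, CONTACTS} <= held:
        # Mail plus contacts lets an app message everyone the user knows.
        findings.append("can-self-propagate")
    return findings

def audit(grants):
    """Map (user, client_id) to findings for every flagged grant."""
    return {(g.user, g.client_id): f for g in grants if (f := review_grant(g))}

# Constructed sample grants, not taken from any real tenant.
SAMPLE_GRANTS = [
    Grant("alice", "9999-unknown.apps.example", "Google Docs", (MAIL, CONTACTS)),
    Grant("bob", "1111-vetted.apps.example", "CRM Sync", (CONTACTS,)),
    Grant("carol", "2222-notes.apps.example", "Note Taker",
          ("https://www.googleapis.com/auth/drive.file",)),
    Grant("dave", "3333-merge.apps.example", "Mail Merge Helper", (MAIL,)),
]
```

Calling `audit(SAMPLE_GRANTS)` flags alice's and dave's grants; a flagged grant is a candidate for revocation at the platform, since the app's access does not depend on the user's password.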
