this post was submitted on 17 Jan 2024
5 points (66.7% liked)

netsec

1313 readers
1 users here now

Technical news and discussion of information security.

Rules:

  1. Be excellent to each other
  2. Keep it on topic
  3. Absolutely no PII or doxing
  4. No disclosure posts

founded 2 years ago
MODERATORS
t8r@lemmy.world
5
As if you needed another reason not to ever use SSO to your Google account for anything (mbin.grits.dev)
submitted 2 years ago by mozz@mbin.grits.dev to c/netsec@lemmy.world
11 comments fedilink hide all child comments
 

For some reason this only just now occurred to me: What's to stop some web site from carefully crafting an imitation of the Google "you need to sign in again" UI, storing your Google password, and storing from the other side the auth cookie from Google, so that it can then poke around through 100% of your Google content including any other site you've signed into with the same SSO login?

This is such a fundamental flaw in the whole concept that it's obviously occurred to people and they've had time to come up with something to prevent it, but I can't see how you could prevent it. Have I missed something? You might have a non-Google URL in the address bar during the faked sign-in, or you could use varying degrees of deception to attempt to make the address bar look legit, but I'd honestly be surprised if more than 20% of people even check the address bar every time they sign in to SSO. I don't.

So what's to make this not work?

you are viewing a single comment's thread
view the rest of the comments
[–] mozz@mbin.grits.dev 1 points 2 years ago (1 children)

Can I set up a web site and ask you to go do your Google SSO on it? I promise it's legit

[–] BradleyUffner@lemmy.world 1 points 2 years ago (1 children)

I'll take a look at your site, I'm curious to see what it looks like, but I'm not entering any real credentials.

[–] mozz@mbin.grits.dev 2 points 2 years ago (1 children)

I thought you were extremely confident that what I was describing wouldn't work though 🙂

[–] BradleyUffner@lemmy.world 2 points 2 years ago* (last edited 2 years ago) (1 children)

I'm confident there will be some sign that it's a forged OAuth prompt rather than Google's prompt, and I'm not entering credentials into an obviously fake prompt.

[–] mozz@mbin.grits.dev 2 points 2 years ago

Well, that's lucky, because I don't want to sign up for OAuth tokens with Google and then immediately start doing something nefarious with them just to prove a point. 🙂

I looked around a little though, and I was able to find an example of this technique being used for real maliciously "in the wild." My envisioning of it was somewhat different (overriding or obfuscating the URL bar in a real window showing malicious HTML, as opposed to constructing an entire fake window), but the principle's pretty much exactly the same.

I also learned that Google's response, after some not-real-similar attacks which also exploited doing nasty things with real OAuth vendor credentials, was to tighten up a lot on their security on who can have OAuth vendor credentials (which sounds like a pretty sensible approach to me.)