What is OAuth?
The OAuth 2.0 framework has provided many applications and websites a tremendous opportunity to modernize their authentication and authorization via an open and trusted framework. OAuth is an open authorization standard or framework that is commonly used as a way for applications to grant websites or applications access to their information without sharing a password. For example, a common OAuth2 use case is using an existing Gmail account to register and/or log into a 3rd party website or application.
What are the Security Risks?
Like most technologies, OAuth2 integrations are not immune to abuse and have been increasingly involved in cyber attacks. This is likely due to the natural increase in cloud adoption and related technologies in recent years coupled with the sharp increase in remote workers due to Covid-19 pandemic.
A common attack vector is what is known as “Consent Phishing” that exploits user familiarity with O365 and likely current, or persistent, sessions.
According to Bleeping Computer, “Consent Phishing (also known as OAuth phishing) is an application-based attack variant where the attackers attempt to trick targets into providing malicious Office 365 OAuth apps with access to their Office 365 accounts.”
Once the victim unknowingly grants their account permissions to the malicious app, the attacker can now potentially access emails, contacts, files, as well as information stored on SharePoint or OneDrive. In extremely unfortunate situations, the victim has a privileged role and delegates tenant management permissions to the malicious app.
As an educational resource, IETF provides a more formal breakdown of OAuth 2.0 Security Best Practices.
How do we Mitigate the Related Risks?
The good news is that the related risks can be minimized and potentially mitigated by having a few fundamental and hygienic security controls and procedures in place.
Deploy an Email Security Gateway as a proactive measure against phishing.
Deploy Azure Identity management and access control security best practices.
Review, deploy, and educate users on the Azure Active Directory consent framework
Deploy Network Monitoring and response processes for egress user traffic to the Azure Active Directory application authorization URL endpoint. This can also provide meaningful KRIs to understand your risk exposure.
Audit existing applications and the consented privileges as part of your identity governance lifecycle.
How can Rapid Strategy Help?
Rapid Strategy aims to partner with you on your journey to provide fast and effective risk reduction strategies and controls to your environment. Rapid Strategy can quickly assess the state of your current cloud applications to provide you with a strategic and targeted risk-based IAM control advisory. Contact us to accelerate your cybersecurity.