Oauth client secrets hardcoded
Categories
(Thunderbird :: Security, defect)
Tracking
(Not tracked)
People
(Reporter: frida, Unassigned)
Details
(Keywords: dupeme)
Link: https://hackerone.com/reports/1998565
Date: 2023-05-23 23:15:53 UTC
By: bhavyakaushal219
Weakness: Cleartext Storage of Sensitive Information
Details:
Summary:
I found Mozilla OAuth client secrets hardcoded (along with client IDs, authorization endpoints, and token endpoints) through GitHub code search for 7 OAuth2 service providers - Google, Yahoo, Yandex, AOL, Microsoft, etc. The code is 3 months old (and the client secret expirations can be as long as 24 months), and the comment says that the client secrets are hardcoded until dynamic client registration gets implemented. So I am not 100% sure this is valid (in case dynamic registration has started and the client secrets have been changed).
In case these secrets are still active, an attacker can make use of them to impersonate Mozilla, create a phishing site for users, ask them to authenticate, and get access to their information through the OAuth providers. If the users get phished and grant approval to the resources and scope, thinking the attacker's site is a legitimate Mozilla site, the OAuth providers will grant the user account information on verifying the auth token (or access token), client ID and client secret. In this case, Mozilla would be responsible for leaking their client secrets, and the OAuth providers will assume that the Mozilla application is requesting the user account information, bypassing the initial security checks (if any) that they make before granting client secrets to new applications that register.
Steps To Reproduce:
- Click on the following link to see the leaked code: https://github.com/mozilla/releases-comm-central/blob/a78a6270ad9b426c60161df848a65407c946ac7f/mailnews/base/src/OAuth2Providers.jsm#L92
Supporting Material/References:
F2370649
F23
Updated•2 years ago
Comment 1•2 years ago
## Impact
An attacker can perform the following actions on behalf of a victim user because of the leaked OAuth client secrets that belong to Mozilla:
- Read, compose, send, and permanently delete all of the user's emails from their Gmail account.
- See, edit, download and permanently delete the user's contacts linked with Google.
- See, edit, share and permanently delete all the calendars accessible by Google Calendar.
I have created a video demo {F2372098} to demonstrate the same. In the video, I fetched basic user profile information and a list of emails (IDs), and then fetched the content of the first email from that list. The email IDs are shown as an array at the end.
I can further fetch more emails or even delete/compose emails (or take actions on Calendar / user contacts as listed above) using the access token granted because of the Mozilla OAuth credentials. Let me know if you want me to perform any of those actions.
## Attack Scenario
An attacker can use the Mozilla OAuth credentials to create a phishing site that impersonates Mozilla and lure victims to sign in. The Google sign-in pages clearly state that the sign-in is being performed for Mozilla Thunderbird and that the permissions requested are on Mozilla's behalf. In the application, once a user logs in, they see a "Sign in with Google - Choose an account" page that states in bold "to continue to Mozilla Thunderbird Email". (This is because I have hardcoded the OAuth credentials of Mozilla (that are leaked through GitHub), which the application uses to complete the OAuth flow, get the permissions, and access the user information.) Once the user selects their Gmail account, they are redirected to a page where Google requests permissions on behalf of Mozilla Thunderbird. The permissions (requested as scope in the application) are critical in nature.
The likelihood of users granting permissions is significantly higher, as the user sees that Google is requesting access on behalf of Mozilla Thunderbird.
## Steps to Reproduce
To demonstrate the impact, I created a simple application with login and logout functionality. In real life, an attacker would make this application a replica of Mozilla to phish victims.
- Download the Mozilla Attack Script PHP file from the attachments. {F2372224}
- Install a XAMPP server (or similar server) and host the file on localhost. (IMP: the file definitely needs to be hosted on localhost only, to bypass the redirect_uri validations.)
- Click on the Login button > Choose Gmail account > Grant permissions > You will see the user data extracted by Google APIs using the OAuth access token.
## Severity
I believe the severity of this is much higher than I initially anticipated, because I wasn't sure that the client secrets were still valid.
Considering the critical nature of the actions the attacker can take (deleting user data, stealing sensitive information from the user (such as sensitive emails), sending fake emails from the victim's ID, etc.), I think this issue is of High severity.
Kindly let me know if you need anything further from my end.
Best Regards,
Bhavya
Comment 2•2 years ago
It's expected that OAuth2 credentials can be seen. They are not really secrets and cannot (really) be hidden.
Comment 3•2 years ago
This report is invalid because client secrets do not allow anyone to take action on behalf of any user, not without that user logging in with their own login info on your own app or site. They could allow "impersonating" Thunderbird, in theory, but there's no practical way to prevent this, and any client-side OAuth application, mobile or desktop, can be spoofed this way.
OAuth flows that even have client secrets at all probably shouldn't be used by native clients, but I don't know if anyone other than Microsoft has implemented alternatives yet.
I don't think there is a dupe of this, I think last time it was reported it was just by email and didn't make it into a bug. Could be wrong though.
Updated•2 years ago