New Vulnerability Allows Hackers to Hijack Google Accounts
According to Sudhanshur's writeups, the vulnerability works by modifying the "response_type" parameter during the OAuth flow, which tricks the authorization server into returning an access token directly to the client. To be noted that, normally access tokens are not revealed to clients for security reasons. By leaking the access token, an attacker can gain full access to the victim's Google account.
The researcher found a cross-site scripting (XSS) vulnerability on a website's login page that allowed them to execute malicious JavaScript. By combining the XSS with the OAuth attack, they could steal the access token and take over the user's Google account.
To exploit this, the attacker first modifies the OAuth request to include "response_type=code,id_token" instead of just "code". This makes the OAuth server return the ID token in addition to the authorization code. The ID token contains sensitive information like the access token.
When the victim logs in through Google Sign-In, the malicious JavaScript runs in their browser and steals the ID token from the callback URL. The attacker can then extract the access token and use it to access the victim's Google account.
This attack highlights the dangers of improperly implemented OAuth and XSS vulnerabilities. All websites using OAuth Sign-In should update their configurations to prevent access tokens from leaking. Developers must also be vigilant about sanitizing user input to prevent XSS.
Users should be cautious about logging in through public Wi-Fi or untrusted devices, as an attacker could leverage this vulnerability to steal credentials. Enable two-factor authentication on important accounts for an extra layer of security.
This vulnerability serves as an important reminder to secure OAuth implementations and sanitize user input. Developers and security teams should review their code and configurations to protect users from account takeover attacks.