The Increasing OAuth Phishing Threat

People are gradually growing more careful about phishing schemes that impersonate websites and ask for their passwords. But what if they don’t have to give a password to let an unauthorised party get at their data? That’s exactly what happened in a recent phishing campaign aimed at Google users. Hard numbers aren’t available on how many people were affected, but Google said the number was “fewer than 0.1% of Gmail users,” which could be as many as a million.

The Google Docs spoof

People received a message on their Gmail accounts, usually from an address they knew, asking them to open a “Google Doc.” If they did, it asked them to give Google Docs certain permissions, including permission to “read, send, delete, and manage your email.” No password confirmation was necessary, since the victim was already logged in. The only trouble was that the application wasn’t Google Docs but a malicious lookalike web app.

If the victim gave permission, the attacker could then use the account to send the same email to the victim’s contacts. This could have spread without limit if Google hadn’t promptly shut the application down.

The deception took advantage of design and implementation weaknesses in the widely used OAuth2 specification, which lets one web application obtain privileged access to another. Researchers had warned in 2011 that this kind of spoofing was possible, creating a proof-of-concept application. The 2017 attack may have drawn directly on that code.

What made the attack plausible

A combination of design issues with OAuth, social factors, and implementation choices by Google made the spoofing plausible to anyone without a strong understanding of security issues. The application was in fact hosted on Google, which lets users develop applications for public use. It was a reasonable imitation of Google Docs; the URL was wrong, but it was a Google URL. The mail came from trusted accounts.

The application was called “Google Docs.” Until very recently, Google didn’t prevent user applications from using its name. It still doesn’t provide any warning when an application making this type of request isn’t under Google’s control.

There’s no good reason Google Docs should ask for access to the user’s Gmail account, but people are used to wildly excessive requests for authorization. Websites that let your account connect to a LinkedIn account often ask for permission to post on your behalf. Most people apparently grant it without worrying.

The trouble with OAuth

The deeper problems, which aren’t restricted to Google, lie in the OAuth standard. It’s an authorization system which is weak on authentication. Without strong protections, it makes it easy to trick users into giving untrustworthy applications access to their private data.

In brief, OAuth2 lets a client application request permissions from a server. Only authorized applications can make requests. An application that’s allowed to use OAuth receives a client ID, which is public information, and a client secret (or key), which is confidential.

When the client app invites the user to give it permission, it redirects the user to a server URL. The server will inform the user of the request and give a choice of denying or allowing authorization. If the user allows it, the server redirects back to the client and sends an authorization code, which the client has to retain for as long as it wants to keep the permission. This could be just for a session or permanent. The server can limit its duration.

An obvious problem with this arrangement is that the server needs to trust a client over which it has no control. The client might be trustworthy at the time it gets permission, but a change of policy or a malware infection could change that. Theoretically, users should trust only applications in which they have very high confidence, but many people are far too trusting. The organization operating the server needs to carefully limit the clients it will give access to.

A poor implementation lets a client pretend to be a trusted application. The server has some control over this, since it knows what application is making the request, but it may or may not make it obvious to the user. If it just displays the application’s self-selected name, that’s weak protection.

Users who authorize a rogue application may not even realize there’s a problem. Google and other sites that use OAuth normally make a list of authorized applications available to the user and allow revocation, but it’s buried somewhere in the user settings.
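The flow described above (public client ID plus confidential secret, redirect to the server, consent, authorization code) and the two weaknesses this section names, a self-selected display name on the consent screen and a revocation list the user has to hunt for, are easier to see in code. The following is an added example written for this page; it is not Google's implementation and not the 2011 proof of concept. The provider "Example", the clients, scopes, secrets and URLs are all constructed. It models only the authorization server side, exchanges the code for a token at a token endpoint as RFC 6749 does, and shows the checks that are under the server operator's control: registration-time screening of names, a registered rather than self-selected name and a verification flag on the consent screen, an exact redirect_uri allow-list, a per-client scope ceiling, one-time short-lived codes that can only be redeemed with the client secret, and a revocation path that clears every grant the client holds.

```python
import hmac
import secrets
import time
from dataclasses import dataclass, field

# Constructed for this example: the provider is the fictional "Example" service and these
# are the names of its own first-party apps, so third parties may not register them.
RESERVED_NAMES = {"example docs", "example mail"}
CODE_TTL = 60  # seconds a one-time authorization code stays valid


@dataclass
class Client:
    client_id: str
    client_secret: str          # confidential; proven at the token endpoint, never shown to users
    registered_name: str        # fixed at registration, never taken from the live request
    publisher: str              # the organisation that applied for credentials
    verified: bool              # did the operator actually vet the applicant?
    redirect_uris: frozenset    # exact-match allow-list of return addresses
    allowed_scopes: frozenset   # the widest access this client was ever approved for


@dataclass
class AuthServer:
    clients: dict = field(default_factory=dict)
    codes: dict = field(default_factory=dict)    # code -> (user, client_id, uri, scopes, expiry)
    grants: dict = field(default_factory=dict)   # user -> {client_id: scopes}
    revoked: set = field(default_factory=set)    # client_ids whose credentials were pulled

    def register(self, client):
        """Credential screening happens here, before any user ever sees a consent screen."""
        if client.registered_name.lower() in RESERVED_NAMES:
            raise ValueError("name reserved for first-party applications")
        self.clients[client.client_id] = client

    def consent_prompt(self, client_id, redirect_uri, scopes):
        """Validate an /authorize request and return the text the user sees, or raise.
        The name shown comes from the registration record, not from the request, and an
        unvetted publisher is flagged instead of being displayed bare."""
        client = self.clients.get(client_id)
        if client is None or client_id in self.revoked:
            raise ValueError("unknown or revoked client")
        if redirect_uri not in client.redirect_uris:
            raise ValueError("redirect_uri not registered for this client")
        if not frozenset(scopes) <= client.allowed_scopes:
            raise ValueError("requested scope exceeds what this client was approved for")
        who = f"{client.registered_name} (by {client.publisher})"
        if not client.verified:
            who += " - NOT verified by Example"
        return f"{who} is asking for: {', '.join(sorted(scopes))}"

    def approve(self, user, client_id, redirect_uri, scopes):
        """User clicked Allow: mint a code bound to this client, return address and scope."""
        self.consent_prompt(client_id, redirect_uri, scopes)  # re-validate; never trust the form post
        code = secrets.token_urlsafe(32)
        self.codes[code] = (user, client_id, redirect_uri, frozenset(scopes), time.time() + CODE_TTL)
        return code

    def exchange(self, code, client_id, client_secret, redirect_uri):
        """Token endpoint. The code alone is not enough: the client must present its secret
        and repeat the redirect_uri the code was issued for. Any failure burns the code."""
        entry = self.codes.pop(code, None)
        if entry is None:
            return None
        user, bound_client, bound_uri, scopes, expiry = entry
        client = self.clients.get(client_id)
        if (client is None or bound_client != client_id or bound_uri != redirect_uri
                or time.time() > expiry or client_id in self.revoked
                or not hmac.compare_digest(client.client_secret, client_secret)):
            return None
        self.grants.setdefault(user, {})[client_id] = scopes
        return {"access_token": secrets.token_urlsafe(32), "scope": sorted(scopes)}

    def authorized_apps(self, user):
        """The list a user should be able to find, and revoke from, in their settings."""
        return {cid: sorted(s) for cid, s in self.grants.get(user, {}).items()}

    def revoke_client(self, client_id):
        """Operator response to a rogue app: pull its credentials and every grant it holds."""
        self.revoked.add(client_id)
        for apps in self.grants.values():
            apps.pop(client_id, None)
        self.codes = {c: e for c, e in self.codes.items() if e[1] != client_id}


def build_demo():
    """Two constructed clients: a vetted document viewer and an unvetted look-alike."""
    srv = AuthServer()
    srv.register(Client("docs-viewer", "viewer-secret-CONSTRUCTED", "Docs Viewer", "Viewer Ltd",
                        True, frozenset({"https://docs-viewer.example/cb"}), frozenset({"drive.readonly"})))
    srv.register(Client("docs-helper", "helper-secret-CONSTRUCTED", "Docs Helper", "unknown-dev",
                        False, frozenset({"https://docs-helper.example/cb"}), frozenset({"mail.read"})))
    return srv


if __name__ == "__main__":
    srv, uri = build_demo(), "https://docs-viewer.example/cb"
    print(srv.consent_prompt("docs-viewer", uri, {"drive.readonly"}))
    code = srv.approve("alice", "docs-viewer", uri, {"drive.readonly"})
    print(srv.exchange(code, "docs-viewer", "viewer-secret-CONSTRUCTED", uri))
    print(srv.authorized_apps("alice"))
```

Two design points are worth noting. First, the secret check at the token endpoint is not what stops the Gmail spoof: that application had its own valid credentials. What addresses it is the screening at `register`, the fixed name and verification flag that `consent_prompt` puts in front of the user, and the scope ceiling, which would have refused a "document viewer" asking for mail access. Second, a code is popped before any check runs, so a failed exchange consumes it; an attacker who intercepts a code but lacks the secret cannot retry, and the legitimate client simply starts the flow again.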

Future risks

It’s a lucky thing that the Gmail attack apparently did little damage. One thing Google did right was to catch the rogue application and revoke its credentials within an hour. We can be sure others will try similar tricks, sometimes with services that don’t react so quickly. Any organization that uses OAuth to grant third-party applications access to its site should review its implementation and policy to make sure it isn’t vulnerable.

The most important precaution is to screen applicants for credentials carefully. A lot of users will give permission to any application that seems to do something useful, so it isn’t enough to trust them to exercise discretion.

Even if what an application currently does is legitimate, the applicant’s reputation needs to be good enough that it isn’t likely to misuse its authorization in the future. Clients should be periodically reviewed to make sure they still deserve trust. If there’s any sign they don’t, it’s important to follow up quickly and, if necessary, revoke authorization. Even an honest organization could have its credentials stolen or its code infected.

The organization should think carefully about what kinds of access it should authorize. The power to speak for the user can be used for fraudulent purposes. The power to read private data could allow theft of secrets. There needs to be a convincing case that the benefits from the application justify the risks.

Authorizing third-party applications can greatly increase the value of a service, but it carries serious responsibility. Anyone who implements it needs to be aware of its dangers and make choices that minimize the chances of abuse.

If you’re concerned with the security of your planned website, OrangeWebsite will provide hosting that will satisfy your needs. Contact us to learn more.

UK’s Internet Troll Policy: A threat to Freedom of Speech or a Better Protection for Individuals?

An image of a man's mouth sealed with 'freedom' note

Freedom of speech is a serious matter. The United Kingdom, however, is trying, via new online laws, to protect individuals who have felt threatened through social media. Will this violate freedom of speech?

The United Kingdom recently introduced new sentencing measures for Internet trolls found guilty of sending threatening or abusive messages online. However, many worry the new legislation may infringe on the civil liberties and freedom of speech of those simply expressing their opinions in an emphatic manner. The new legislation will allow serious offenses to be decided by the Crown Courts with a maximum sentence of 24 months, four times the previous standard sentence. Currently, these offenses are handled by local magistrates.

Why the Harsher Sentences?

The increase in penalties for internet trolls is directed at those who threaten to rape or kill through online communication. The threatening of celebrities and other high-profile figures has brought the issue to the forefront. For example, Chloe Madeley, the daughter of UK talk show host Judy Finnegan, recently received threatening tweets after she defended her mother’s comments about a rape case involving a footballer. Lawmakers feel the stiffer sentencing is warranted because “we would not permit such venom in person,” stated Justice Secretary Chris Grayling.

Concerns over Freedom of Speech

Although no one is defending online rape and death threats, experts warn that the new law could punish those who are simply expressing criticism. The legislation lacks balance in differentiating between abusers and those expressing their opinion. These concerns are not far-fetched. Even without the new maximum sentences, there have been cases where authorities have prosecuted people under the Public Order Act for questionable reasons.

For example, the 2012 case of Paul Chambers hinged on what he thought was a joke. After realizing the Robin Hood Airport was closed due to weather, he tweeted, “Crap! Robin Hood airport is closed. You’ve got a week and a bit to get your [expletive] together otherwise I’m blowing the airport sky high!!” He was convicted by a district judge and two judges upheld the conviction on appeal. A high court ultimately reversed his conviction, but not before he lost two jobs and spent the better part of two years engaged in his legal battle.

Many civil-liberties experts assert that true threats to an individual’s safety should be pursued through harassment laws, not communication legislation that can potentially infringe on the rights of those vehemently expressing their opinion or making what they think is a joke. Advocates for freedom of speech are concerned about comments from legislators like former Conservative MP Edwina Currie who stated that “people should learn to show restraint when making online comments.” While “showing restraint” may be an admirable goal, and direct threats should be taken seriously, who knows how slippery this slope is?

OrangeWebsite’s professionals closely monitor freedom of speech laws and cases around the world. We’ll closely watch the results of this legislation as it makes its way through Parliament. Contact us to learn more about our services.

How Safe are your Personal Data in Modern Online Society?

An image of hand writing 'online privacy' with black marker on transparent wipe board.

There is nothing wrong in being cautious when submitting your Personal Data on the Internet.

Facebook and Google are two of the biggest names on the internet today. What lots of people don’t know is how websites that don’t sell anything can possibly make so much money.

The answer is advertising. But it goes a little bit deeper than that.

How Deep Does It Go?

The commodity that both Facebook and Google have in common is you, the users. These websites pay attention to the things that you like and dislike, which allows them to tailor ads to fit your taste and then to put those ads in bold colours right on your screen. That’s how these companies earn billions of dollars in revenue annually: by working with companies to make sure you see the right ads, the ones that persuade you to go and buy their products.

Shouldn’t I Get Some Privacy on The Internet?

Lots of people wonder whether tracking their internet activity isn’t a violation of their privacy. The issue is that by using these services you’ve already given your consent for the sites to log and use most of your information.

You know those long, complicated user agreements that most of us just pass right over so we can finish setting up our accounts? If you read Facebook’s a little more carefully you find all sorts of things. For instance, if you don’t opt out of their advertising program then your name and profile image can be used to promote ads for pages you’ve liked. Additionally, information about your online activity can be sold, provided Facebook doesn’t give your name or other, more personal information out. What you like and the events that get your attention is all fair game.

While Facebook is a huge source of information, Google might be called the king of data mining. The search engine analyses what’s sent over Gmail and searched for on Google in order to determine what is trending at the moment. This information is then used to target ads and to try and get client products in front of a buying audience.

So What’s The Big Deal?

Data mining is primarily used for sales and advertising, but it can be used for more than that. Data mining can create a digital profile that makes it possible to assess job candidates, whether someone should be awarded custody of his or her children, or even (if some apps are to be believed) if someone is cheating on their spouse.

That’s the big deal regarding data mining, and Google and Facebook are at the forefront of the practice. It’s why many people who have realized how exposed social networking makes them have opted to share less and less of their information with the online community as well as the corporations who run it. It’s hard for them to maintain their privacy, but one of the chief methods they use is to give away as little as they possibly can.

To learn more about online privacy and the changes you can make to protect it, contact us today!

Understanding the Right for Privacy on the Internet

An image of young girl working on laptop at home covering man's face with hand.

Limiting the amount of personal information on the internet can help to minimize the possible risks.

It seems like every time you check your newsfeed, there’s another story about someone’s privacy being violated online. Whether it was the GamerGate movement handing out Felicia Day’s personal information, the NSA collecting aggregate data from people online, or the hacktivist group Anonymous handing out information users thought was secure, it seems that online privacy is an easily-breached fence.

The fact that privacy is regularly breached, however, doesn’t answer the bigger, more important question: do you have a right to privacy on the Internet?

What Is the Right to Privacy?

For those looking for the right to privacy in the American Constitution, stop searching because it’s not in print. The idea of the right to privacy is something that the U.S. Supreme Court has said is implied by other amendments in it, including the 4th, 5th, 6th, and 9th. The court argues that people have a right to keep their private lives private from the government. They have a right to not consent to unreasonable, warrantless searches, and to remain silent when they’re being asked questions without a representative.

What does It Mean on the Internet?

Most western governments have some sort of privacy law, but whether they’ve caught up with modern technology is another matter. The main issue when it comes to privacy on the internet isn’t only government spying; by and large, people’s information is not even being stolen from them. Rather, most people’s personal information is already out there for anyone who knows how to find it.

Let’s take an obvious example, Facebook. When you join the social network you agree to its terms of service. This includes collecting your information, keeping records of everything that you post and, in many cases, keeping things you’ve deleted on file for 90 days or more. It also means that your information as a user (what you like, what you follow, your age, gender, pretty much everything including your name and other personal details) can be sold to the highest bidder. This is called data mining, and advertisers typically use it to figure out what a target audience likes, so they can create the best possible ads to entice those groups. Anyone who has ever seen an ad in their feed obviously targeted at them has probably figured this out by now.

That’s not all that goes on in a social network. For instance, you may have set your privacy settings so that only friends can see your content. But if just one of your friends likes or shares a post, control is out of your hands and anyone in that friend’s network can see what happened. This was the undoing of a teacher whose pictures of herself at a brewery cost her her job, even though she was certain none of her students could access her Facebook page or photos because of her privacy settings. They couldn’t, but it was a parent who found her page.

One Great Big Modern Mess

Just as British children today might not see why Brave New World is a terrifying book, since cameras are everywhere and invasion of privacy is commonplace, it is often difficult for people to understand what they’re giving up in the age of the Internet. As soon as a picture, status or piece of personal information is put up somewhere on the web, it has been logged, archived and stored. If someone can legitimately find that information without violating any user agreements, that is not a violation of your privacy on the internet, because you are the one who put it out there in the first place. It is also why law enforcement can use your Facebook feed to track you down and apprehend you. The same goes for corporate data mining: nothing you put up on a social network hosted by someone else truly belongs to you anymore.

No Data Online is 100% Secure

An important thing for internet users to understand is that no data connected to the world wide web is 100% secure. Even if the service where the information is submitted uses the latest security software and patches, hackers may still find a way to break in, and this has happened numerous times before with well-known internet services. If you have highly sensitive data, including pictures or documents you don’t want ANYONE to see, keeping it on offline storage is the only completely secure solution.

So What Can I Do?

For starters, what you can do is limit or stop putting your information out there if you don’t want the world to see it. Most of us are not willing to do that, so at the very least you should know how your information is being used and make sure you know what you’re actually agreeing to.

Finally, there are cases where invasion of privacy on the internet constitutes a real crime. For instance, finding someone’s home address by checking public records is not illegal. Indiscriminately dispersing that information along with an associated threat, however, can constitute several crimes, as with the rape and death threats faced by many online feminist activists. At a minimum, threats like this should get the user banned, and the individual may also be brought up on charges like reckless endangerment, libel, or defamation of character, depending on the circumstances.

So even if you don’t always have a right to privacy on the internet, you do still have a right to safety. Many believe that is just not enough, and numerous questions remain about digital law enforcement, but at least it’s a good place to start.

To find out more about improving your privacy on the internet, please contact us. We will be happy to answer your questions and help you in any way we can.

The Risks of Being a Whistleblower

An image of a whistleblower with his co-workers in black and white.

Being a whistleblower can also be very difficult in terms of the stress and anxiety associated with standing up to powerful corporate or government interests.

We all like to think that we would do the right thing if we knew about an illegal or harmful act taking place in our midst. But when we discover our employers doing something wrong, whether it’s ignoring safety regulations, stealing wages, or committing other crimes, it can be extremely difficult to blow the whistle. That’s because there are often some significant risks involved in becoming a whistleblower. These risks include:

Employer Retaliation

For someone who’s considering blowing the whistle on their employer, a primary fear is that said employer will retaliate against them. While there are laws in place meant to protect whistleblowers, they are often not enough. This means that those who point out wrongdoing might be faced with a hostile work environment, scheduling upsets and demotion, or termination on a false pretence — or even outright termination in a place without strong employee-protection laws. For those with a family to support, this can be a very daunting risk.

Industry Blacklisting

So what if one employer gives you the boot; there’s a whole industry out there, right? Maybe, but if you’re known as a whistleblower then even companies that don’t have anything to hide may be reluctant to hire you. It may be necessary for you to leave your field entirely, or it might mean that the only job you can get is an entry-level position from which you won’t be promoted. In extreme circumstances whistleblowers simply won’t be able to get a new job, period.

Legal Consequences

While speaking up about illegal activity is a noble thing to do, it’s also possible for whistleblowers to be caught up in the punishment that comes with the crime. Often, they’ll have to face charges of their own for being part of the crime in the first place, which can make them even more reluctant to stand up and say something (even though blowing the whistle may result in a lighter sentence).

Professional Violations

In many cases being a whistleblower may violate a contract or a professional obligation. In these instances, there may be additional penalties such as civil suits for breaching agreements and confidences.

But Whistleblowers Get Paid, Right?

It’s true that whistleblowers are entitled to a percentage of the settlement of any case in which they are involved. The problem is that even though there may be large sums of money involved, it can take years (sometimes decades) for these cases to be completely settled. In the meantime, a whistleblower has to deal with the negative consequences of the decision while waiting for that pot of gold at the end of the rainbow.

At the end of the day, being a whistleblower is a very risky endeavour. We can certainly help you to remain anonymous with your website. Contact us if you have any questions regarding our services or your privacy online.