Over 1 Billion Mobile App Accounts can be Hijacked Remotely with this Simple Hack (OAuth)

Alfa1

Well-known member
#1
Security researchers have discovered a way to target a huge number of Android and iOS apps that could allow them to remotely sign into any victim's mobile app account without any knowledge of the victim.

A group of three researchers – Ronghai Yang, Wing Cheong Lau, and Tianyu Liu – from the Chinese University of Hong Kong has found [PPT] that most of the popular mobile apps that support single sign-on (SSO) service have insecurely implemented OAuth 2.0.

OAuth 2.0 is an open standard for authorization that allows users to sign in to third-party services by verifying the existing identity of their Google, Facebook, or Chinese firm Sina accounts.

Read more:
https://www.blackhat.com/docs/eu-16...ion-Mobile-Apps-Effortlessly-With-OAuth20.pdf
http://thehackernews.com/2016/11/android-oauth-hacking.html
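An added illustration (my own demo code, not from the article, the researchers' slides, or any real app) of the kind of mistake "insecurely implemented OAuth 2.0" refers to here, as I understand the research: the app's backend lets the mobile client tell it who just logged in, instead of asking the identity provider (IdP) who the access token actually belongs to and whether it was even issued to this app. The fake IdP, token strings, user IDs and client IDs below are all constructed for the demo.

```python
"""Demo of the OAuth 2.0 SSO account-hijack flaw class (constructed example).

A mobile app logs a user in via an IdP (Google/Facebook/Sina style). The IdP
hands the *client* an access token plus the user's profile. The bug: the app
backend trusts the user ID the client forwards, rather than the one the IdP
vouches for when the token is verified server-to-server.
"""
from dataclasses import dataclass
from typing import Optional
import hmac

OUR_CLIENT_ID = "app-shopping"      # assumed client_id our backend registered with the IdP
OTHER_CLIENT_ID = "app-fitness"     # an unrelated app registered at the same IdP

# Constructed IdP token table: access token -> (subject, audience/client_id).
_IDP_TOKENS = {
    "tok-alice-shopping":   ("user-alice",   OUR_CLIENT_ID),
    "tok-mallory-shopping": ("user-mallory", OUR_CLIENT_ID),
    "tok-alice-fitness":    ("user-alice",   OTHER_CLIENT_ID),
}


@dataclass(frozen=True)
class TokenInfo:
    sub: str   # user identifier the IdP asserts for this token
    aud: str   # client_id the token was issued to


def idp_introspect(access_token: str) -> Optional[TokenInfo]:
    """Stand-in for a server-to-server token-info / introspection call to the IdP.
    Returns None for unknown (invalid, expired, forged) tokens."""
    for tok, (sub, aud) in _IDP_TOKENS.items():
        if hmac.compare_digest(tok, access_token):
            return TokenInfo(sub, aud)
    return None


# ---- vulnerable backend ------------------------------------------------------

def vulnerable_login(user_id_from_client: str, access_token: str) -> Optional[str]:
    """Client posts {user_id, access_token}. The backend only checks that the
    token is *some* valid token, then issues a session for whatever user_id the
    client claimed. An attacker with their own valid token can name a victim."""
    if idp_introspect(access_token) is None:
        return None
    return f"session-for:{user_id_from_client}"


# ---- hardened backend --------------------------------------------------------

def hardened_login(access_token: str, expected_aud: str = OUR_CLIENT_ID) -> Optional[str]:
    """Identity comes only from the IdP's answer for this token, and the token
    must have been issued to *this* app (audience check), so a token another
    app legitimately received cannot be replayed against our backend."""
    info = idp_introspect(access_token)
    if info is None or not hmac.compare_digest(info.aud, expected_aud):
        return None
    return f"session-for:{info.sub}"


def run_demo() -> dict:
    """Attacker 'mallory' holds only her own token but names 'alice'."""
    return {
        "vulnerable_hijack": vulnerable_login("user-alice", "tok-mallory-shopping"),
        "hardened_same_token": hardened_login("tok-mallory-shopping"),
        "hardened_other_app_token": hardened_login("tok-alice-fitness"),
    }


if __name__ == "__main__":
    for name, result in run_demo().items():
        print(f"{name}: {result}")
```

The two checks worth copying into a real backend are the ones the hardened path does: never read the user ID from the client, only from the IdP's answer for the token you were given, and reject tokens whose audience is not your own client ID, since the IdP will happily confirm a token that was issued to a completely different app.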