Perils of Bad API impersonation design
NULL Hyderabad held its October month's security meetup at Service Now, Hyderabad. I have presented on the topic "Gaining lateral movement in cloud solutions by leveraging bad API impersonation designs".
I could have titled the talk as "What might have possibly gone wrong in Facebook's View As feature that affected 50 million accounts", but I didn't want to point fingers at the Facebook issue. Instead, I wanted to generalize it so that the learning can be used in a wider sense.
Software systems which require a user impersonating another user's identity often involve security challenges. It becomes all the more challenging when the system is a modern web platform comprising of web apps and APIs talking to each other by leveraging identity federation. While protocols such as OpenId Connect and OAuth 2.0 provide a way of securely authenticating and authorizing users & applications, they do not specify how impersonation can be implemented, so development teams are on their own. If not designed and implemented meticulously, the impersonation feature could lead to horizontal or vertical privilege escalations. Even worse, it could potentially lead to lateral movement, where an adversary can catch hold of one account and harvest details of several other accounts of the system. The recent Facebook vulnerability in "View As" feature, which affected 50 million users, is arguably an example of this. In this demo-driven talk, we will look at the perils of bad impersonation implementation and see how it can be designed & implemented securely in an API-driven system.
Below are the slides of the talk.
Demo Source Code:
The entire source code of the demo is available on GitHub. Check this repo. The demo is built using ASP.NET Core 2.1.
Here is a quick screen recording of the demo:
My rant which drove me to do this talk
The twitter thread has more details..
Confirms the theory I long believed in.. a vast majority of developers and pentesters do not understand modern Identity protocols & design. May be they still think that Federation, Impersonation, Delegation are for Infra folks, who themselves dont fully understand modern identity— Krishna Chaitanya T (@novogeek) October 12, 2018
Bug or design flaw?
I don’t think we have full details yet, but from what i think is know so far it’s a (design) flaw, not a bug - a side-effect of an intended feature, not a feature working incorrectly.— Mike Andrews (@ma) September 28, 2018
Code demos a week in advance..check
Now this is why I do talks. I get to set a deadline and code.
And the demo for my talk "Gaining lateral movement in cloud solutions by leveraging bad API impersonation designs" is ready! Stretched a lot and learnt a lot in the last 1 week while doing the demo. This is why I love to present at @nullhyd @null0x00 #nullhyd— Krishna Chaitanya T (@novogeek) October 23, 2018
Last minute slides preparation..check
For some reason, this is the norm and I cannot fix this :)
My @nullhyd talk is about to start in an hour and as usual I am preparing my slides sitting in the last row. @0xmahesh is like.. can you do the intro talk.. I am like.. my slides are.. hmm.. sure.. https://t.co/TL8wDLNOCG— Krishna Chaitanya T (@novogeek) October 27, 2018
Here's how I got the title of the talk
Thanks to TalBe'erySec :)
Thanks! Please feel free to use it. Would love to see your slides if you publish them— Tal Be'ery (@TalBeerySec) October 19, 2018
Glad that around 60+ folks turned up. The hall is too big to fit in one pic.
How bad #api design can lead to breach data by @novogeek . #security #learning in #weekend @nullhyd #nullhyd @doy143in #cloudsecurity @secfigo @vhssunny1 @pavanw3b @0xmahesh pic.twitter.com/YJtxuAeZRY— Sanjeev Jaiswal (@jassics) October 27, 2018
The demo that I built does not necessarily depict the exact technical details behind Facebook's "View As" vulnerability. I am not particularly sure what exactly is Facebook's "View As" impersonation design/implementation. I haven't come across any documentation. So I made up a few things just to show the impact of bad impersonation design and drive a point - E.g., I built my toy IDP just for fun and it is not a standard implementation of OIDC/OAuth 2.0. Finally, this talk and demo has nothing to do with my employer - it is just a fun exploration by a passionate security enthusiast :)