Perils of Bad API impersonation design

Talks Oct 27, 2018

NULL Hyderabad held its October month's security meetup at Service Now, Hyderabad. I have presented on the topic "Gaining lateral movement in cloud solutions by leveraging bad API impersonation designs".

I could have titled the talk as "What might have possibly gone wrong in Facebook's View As feature that affected 50 million accounts", but I didn't want to point fingers at the Facebook issue. Instead, I wanted to generalize it so that the learning can be used in a wider sense.

Abstract:

Software systems which require a user impersonating another user's identity often involve security challenges. It becomes all the more challenging when the system is a modern web platform comprising of web apps and APIs talking to each other by leveraging identity federation. While protocols such as OpenId Connect and OAuth 2.0 provide a way of securely authenticating and authorizing users & applications, they do not specify how impersonation can be implemented, so development teams are on their own. If not designed and implemented meticulously, the impersonation feature could lead to horizontal or vertical privilege escalations. Even worse, it could potentially lead to lateral movement, where an adversary can catch hold of one account and harvest details of several other accounts of the system. The recent Facebook vulnerability in "View As" feature, which affected 50 million users, is arguably an example of this. In this demo-driven talk, we will look at the perils of bad impersonation implementation and see how it can be designed & implemented securely in an API-driven system.

Slides:

Below are the slides of the talk.

Demo Source Code:

The entire source code of the demo is available on GitHub. Check this repo. The demo is built using ASP.NET Core 2.1.

Demo Video:

Here is a quick screen recording of the demo:

Selected Tweets:
My rant which drove me to do this talk

The twitter thread has more details..

Bug or design flaw?
Code demos a week in advance..check

Now this is why I do talks. I get to set a deadline and code.

Last minute slides preparation..check

For some reason, this is the norm and I cannot fix this :)

Here's how I got the title of the talk

Thanks to TalBe'erySec :)

The audience

Glad that around 60+ folks turned up. The hall is too big to fit in one pic.

Disclaimer:

The demo that I built does not necessarily depict the exact technical details behind Facebook's "View As" vulnerability. I am not particularly sure what exactly is Facebook's "View As" impersonation design/implementation. I haven't come across any documentation. So I made up a few things just to show the impact of bad impersonation design and drive a point - E.g., I built my toy IDP just for fun and it is not a standard implementation of OIDC/OAuth 2.0. Finally, this talk and demo has nothing to do with my employer - it is just a fun exploration by a passionate security enthusiast :)