Hackers Exploiting OAuth Connections

Hackers are in the Cloud, Exploiting OAuth Connections

At Cisco Cloudlock, we focus on the Shadow IT challenge that matters – the cloud and third-party apps that connect directly into your corporate environment via an OAuth flow. The OAuth-based attack that occurred on May 3rd, 2017 proves how hackers can easily exploit this attack vector, and compromise 1 million accounts within a few hours.

News of the attack was covered by major publications, including Wired, CNN, Fortune, Forbes, BBC, Time, The Guardian, and many more. Most coverage focused on the individual users, but there is a significant corporate dimension that needs to be highlighted. As more businesses adopt cloud platforms, employees authorize apps using their corporate credentials, giving these apps programmatic (API) access to their corporate data and introducing millions of back doors into corporate environments.

Cloudlock Cyberlab identified 11 different app IDs associated with the attack, the majority of them requesting access to email and contacts:

App ID: Access Scopes
1. 623002641392-km6voeicvso16uuk7pvc8mvbqheobnft.apps.googleusercontent.com: Google Contacts API; Gmail IMAP/SMTP Access
2. 632715883535-h36sb9m6fot4vusucprsab95naef791n.apps.googleusercontent.com: Google Contacts API; Gmail IMAP/SMTP Access
3. 366668462857-3qkidqn8oseh9v3fhm3085kpb747bgm7.apps.googleusercontent.com: Google Contacts API; Gmail IMAP/SMTP Access
4. 187102321219-1cb4b2gdr0bqv5u5n35vi1hecjcp1sjg.apps.googleusercontent.com: Google Contacts API; Gmail IMAP/SMTP Access
5. 946634442539-bpj9bmemdvoedu8d3or6c69am3mi71dh.apps.googleusercontent.com: Google Contacts API; Gmail IMAP/SMTP Access
6. 1024674817942-fstip2shineo1lsego38uvsg8n2d3421.apps.googleusercontent.com: Google Contacts API; Gmail IMAP/SMTP Access
7. 346348828325-vlpb3e70lp89pd823qrcb9jfsmu556t8.apps.googleusercontent.com: Google Contacts API; Gmail IMAP/SMTP Access
8. 188775109388-t33r6vb45j8fgf8vpcp4q0e6qt2pe01n.apps.googleusercontent.com: Google Contacts API; Gmail IMAP/SMTP Access
9. 1535050614-8i934kb9l0snc0iocqb0iv27lli0r858.apps.googleusercontent.com: Google Contacts API; Gmail IMAP/SMTP Access
10. 950807804407-atveefjffh5vqpcvuk1ksqntf8njgkhl.apps.googleusercontent.com: Google Documents; Userinfo - Email; Userinfo - Profile
11. 73997885975-8p24fi1e7rdi7pj6dmmhucdm4dclednr.apps.googleusercontent.com: Google Contacts API; Gmail IMAP/SMTP Access

• Hackers can easily create new variants or instances with wider scopes. Of the 276,000 apps Cloudlock identified, over one in four instances were considered high-risk due to excessive access, some requesting full account access. These permissions give such apps the capability to view, edit, collect or delete documents, photos and emails; read search history, contacts, and calendars; analyze navigation history; collect personal data; and use geotagging functionality and camera access.

• 10% of the corporations Cloudlock Cyberlab tracks have been infected, with thousands of employees granting access to the worm with their corporate credentials.

• Google stated that 0.1% of Gmail users were affected. The percentage of employees granting access was 6.5x this ratio: 0.65% of employees per organization were infected. Given that hackers could see all of the contacts of these employees, they can easily map out a significant percent of the entire organizational directory.
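The following is an added example, not Cloudlock's code, showing how a security team can triage an export of OAuth grant records the way the post describes: flag grants to the client IDs listed in the table above and grants whose scopes give mailbox, contacts or document access. The mapping from Google scope URIs to risk labels is an assumption chosen for illustration, and the grant records are constructed sample data.

```python
from dataclasses import dataclass

# Two of the eleven client IDs from the table in this post.
KNOWN_WORM_CLIENT_IDS = {
    "623002641392-km6voeicvso16uuk7pvc8mvbqheobnft.apps.googleusercontent.com",
    "950807804407-atveefjffh5vqpcvuk1ksqntf8njgkhl.apps.googleusercontent.com",
}

# Assumed risk mapping: scope URIs that grant the "excessive access" the post warns about.
HIGH_RISK_SCOPES = {
    "https://mail.google.com/": "Gmail IMAP/SMTP access (full mailbox)",
    "https://www.google.com/m8/feeds/": "Google Contacts API (full contacts)",
    "https://www.googleapis.com/auth/drive": "Google Drive (all documents)",
}

@dataclass
class Grant:
    user: str
    client_id: str
    scopes: frozenset

def classify(grant: Grant) -> tuple:
    """Return (verdict, reasons): 'revoke' for a known worm client ID,
    'review' when any high-risk scope was granted, 'ok' otherwise."""
    reasons = []
    known_bad = grant.client_id in KNOWN_WORM_CLIENT_IDS
    if known_bad:
        reasons.append("client ID listed in the May 2017 worm campaign")
    risky = sorted(s for s in grant.scopes if s in HIGH_RISK_SCOPES)
    reasons.extend(f"{s}: {HIGH_RISK_SCOPES[s]}" for s in risky)
    if known_bad:
        return "revoke", reasons
    return ("review" if risky else "ok"), reasons

def summarize(grants) -> dict:
    """Count distinct users per verdict, so the share of infected users can be
    compared against the per-organization ratio quoted in the post."""
    users = {"revoke": set(), "review": set()}
    for g in grants:
        verdict, _ = classify(g)
        if verdict in users:
            users[verdict].add(g.user)
    total = len({g.user for g in grants})
    revoked = len(users["revoke"])
    return {"users_total": total, "users_revoke": revoked,
            "users_review": len(users["review"] - users["revoke"]),
            "pct_users_revoke": round(100 * revoked / total, 2) if total else 0.0}

# Constructed sample grant records (not real audit data; non-worm client IDs are hypothetical).
SAMPLE_GRANTS = [
    Grant("alice@example.com", "623002641392-km6voeicvso16uuk7pvc8mvbqheobnft.apps.googleusercontent.com",
          frozenset({"https://mail.google.com/", "https://www.google.com/m8/feeds/"})),
    Grant("bob@example.com", "hypothetical-calendar-app.apps.googleusercontent.com",
          frozenset({"https://www.googleapis.com/auth/userinfo.email"})),
    Grant("carol@example.com", "hypothetical-backup-app.apps.googleusercontent.com",
          frozenset({"https://www.googleapis.com/auth/drive"})),
    Grant("carol@example.com", "950807804407-atveefjffh5vqpcvuk1ksqntf8njgkhl.apps.googleusercontent.com",
          frozenset({"https://www.googleapis.com/auth/userinfo.email"})),
]
```

Run with `python triage.py` after adding a `print(summarize(SAMPLE_GRANTS))` call; on the sample data two of three users hold a grant to a listed worm client ID.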

Cisco Cloudlock gives organizations the peace of mind that employees can use the apps they want securely, while establishing safeguards around apps that access accounts and data. With Cloudlock Apps Firewall, corporate IT security teams discover and control malicious cloud apps connected to their corporate environment, leveraging the world’s largest crowd-sourced security solution to identify individual app risk.

For further technical details, see Cloudlock's blog post and the Cisco TALOS post.
