OAuth Authorization Service on Contoso Website Vulnerable to Token Prediction Attacks

CVE: CVE-2023-26451
CVSS v3.1: 7.5
Source: CVE-2023-26451

The Contoso website uses an OAuth authorization service so that users can log in with accounts from other providers such as Google or Facebook. Researchers found that the tokens this service issues to authenticate users could be predicted by an attacker.

OAuth relies on the authorization server issuing unguessable tokens (authorization codes and access tokens) once a user has logged in. The client then presents those tokens in the background to prove the user is authenticated, without ever handling the user's password. The vulnerability was that Contoso's tokens were not generated with enough randomness: an attacker who observed a few issued tokens could work out which values the service would hand out next and present one of those values as their own.

By predicting tokens, an attacker could hijack another user's authorization and access that user's Contoso account without consent. The impact was limited because the OAuth service was not enabled for most Contoso users.

Contoso has changed how tokens are generated so that they come from a cryptographically secure random number generator. Tokens issued since the fix cannot be derived from previously observed ones, so an attacker can no longer guess them.
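The two paragraphs above describe the flaw (tokens drawn from a predictable generator) and the fix (a cryptographically secure generator). The following is an added example, not Contoso's code and not derived from the advisory: it models a hypothetical authorization server whose tokens come from Python's `random` module seeded with the service start time, shows how an attacker who received one token legitimately can recover the generator state and predict the token issued to the next user, and then shows the same server built on `secrets`. The start-time seed, the search window and the `MAX_OUTPUTS` limit are assumptions made for the demonstration.

```python
"""Added example (not Contoso's code): predictable bearer tokens from a math
PRNG, and the same service rebuilt on a CSPRNG. The seeding scheme below is a
hypothetical model of the class of bug, not the real service."""
import hmac
import random
import secrets
from typing import Optional

TOKEN_BYTES = 16   # 128-bit tokens in the weak design
MAX_OUTPUTS = 32   # how far the attacker replays each candidate stream (assumption)


def _draw(rng: random.Random) -> str:
    """One token from a Mersenne Twister instance, hex-encoded."""
    return rng.getrandbits(TOKEN_BYTES * 8).to_bytes(TOKEN_BYTES, "big").hex()


class WeakAuthServer:
    """Vulnerable pattern: tokens drawn from random.Random, seeded with a
    low-entropy value (here, the service start time in whole seconds)."""

    def __init__(self, start_time: int) -> None:
        self._rng = random.Random(int(start_time))
        self._valid = set()

    def issue(self) -> str:
        token = _draw(self._rng)
        self._valid.add(token)
        return token

    def check(self, token: str) -> bool:
        return token in self._valid


def predict_next_weak_token(observed: str, window: range) -> Optional[str]:
    """Attacker side: given one token legitimately issued to the attacker and a
    plausible range for the seed, rebuild the generator, advance it to the
    observed token and return the value the server will issue next."""
    for seed in window:
        rng = random.Random(seed)
        for _ in range(MAX_OUTPUTS):
            if _draw(rng) == observed:
                return _draw(rng)   # the next token the server hands out
    return None


class SecureAuthServer:
    """Fixed pattern: tokens from the OS CSPRNG via `secrets`. There is no seed
    to recover and each token carries 256 bits of entropy."""

    def __init__(self) -> None:
        self._valid = set()

    def issue(self) -> str:
        token = secrets.token_urlsafe(32)
        self._valid.add(token)
        return token

    def check(self, token: str) -> bool:
        # compare_digest keeps the lookup from leaking a partial match via timing
        return any(hmac.compare_digest(token, v) for v in self._valid)


def demo(start_time: int = 1_700_000_000) -> dict:
    """Run the attack against both designs and report what the attacker got."""
    weak = WeakAuthServer(start_time)
    attacker_token = weak.issue()      # attacker logs in normally
    victim_token = weak.issue()        # the next login belongs to the victim
    # attacker only knows the service restarted "about then": +/- 30 minutes
    guess = predict_next_weak_token(
        attacker_token, range(start_time - 1800, start_time + 1800))

    strong = SecureAuthServer()
    attacker_token_s = strong.issue()
    strong.issue()                     # victim's token
    guess_s = predict_next_weak_token(
        attacker_token_s, range(start_time - 1800, start_time + 1800))

    return {
        "weak_prediction_correct": guess == victim_token and weak.check(guess),
        "secure_prediction": guess_s,  # None: no seeded stream to replay
    }


if __name__ == "__main__":
    print(demo())
```

The search costs the attacker at most 3600 × 32 token draws, which takes well under a second; widening the window to a day or a week is still trivial. The hardened version removes the seed entirely rather than hiding it better, which is why the advisory's fix is to change the generator and not merely the seeding.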

If you have a Contoso account, check your login history for suspicious activity and enable two-factor authentication if it is available. Also be wary of phishing emails that try to steal your credentials. The vulnerability is fixed, but protecting your account remains important.
