UnRegister Me - Advanced Techniques for hunting and securing user registration vulnerabilities

By Priyank Nigam on 21 Nov 2024 @ Securityfest
📹 Video 🔗 Link
#web-security #appsec #iam
Focus Areas: 🔐 Application Security , 🪪 Identity & Access Management , 🌐 Web Application Security

Presentation Material

Abstract

In a mobile-first world, user registration using only a phone number has become pretty common, and this phone number has become the primary method of authentication due to its convenience and speed. These systems may or may not verify other details about the user, such as their email address, and typically rely on Single Sign-On (SSO) identity providers. This talk explores the potential issues that can arise when multiple systems are used for authentication, and how these can lead to vulnerabilities ranging from account takeover and password stealing to denial of service. The talk concludes by discussing potential solutions and stronger controls that can be implemented to prevent these issues.

Presented at Security Fest 2024.

AI Generated Summary

The talk examines authentication and authorization vulnerabilities arising from user registration mechanisms in web, mobile, and network services. It presents several case studies where chained, low-severity flaws resulted in high-impact account takeovers.

Key findings include: a chat application where email addresses were accepted at registration without verification, and a registration endpoint that stayed active after signup and leaked static (never-rotated) authentication tokens, so an attacker kept a working token even after the victim recovered the account through a phone-based password reset. In single sign-on (SSO) integrations, the application blindly trusted identity-provider attributes such as email address or user ID, so tampering with those values during registration enabled account takeover. Another case used unusual but RFC 5322-compliant email addresses (the quoted local-part form admits characters such as angle brackets and braces) to inject CSS into registration confirmation emails, which the receiving mail client then rendered. A final example showed a registration API that returned a valid authentication token for the supplied phone number whether the user was new or already existed, giving immediate account takeover.
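The RFC 5322 case above, as a constructed Python example added here (not code from the talk): a validator that accepts both the dot-atom and the quoted-string local-part forms, run against a sample address whose quoted local part carries a `<style>` block. The regexes, the simplification that restricts the domain to dot-atom form, the sample addresses and the two render functions are all this example's own assumptions. The point it shows is that the address is syntactically valid and must still be HTML-encoded for the confirmation email.

```python
import html
import re

# RFC 5322 section 3.2.3: characters permitted in an unquoted (dot-atom) local part.
ATEXT = r"[A-Za-z0-9!#$%&'*+/=?^_`{|}~-]"
DOT_ATOM = ATEXT + r"+(?:\." + ATEXT + r"+)*"
# RFC 5322 section 3.2.4: inside a quoted-string any printable ASCII except '"' and '\'
# is allowed (qtext), plus backslash-escaped characters (quoted-pair) and whitespace.
# This is what lets '<', '>', '{', '}', ':' and ';' into a syntactically valid address.
QTEXT = r"[\x21\x23-\x5b\x5d-\x7e]"
QUOTED_PAIR = r"\\[\x20-\x7e]"
QUOTED_STRING = '"(?:' + QTEXT + "|" + QUOTED_PAIR + r"|[ \t])*" + '"'
LOCAL_PART = "(?:" + DOT_ATOM + "|" + QUOTED_STRING + ")"
# Simplification (assumption of this example): the domain is limited to dot-atom form;
# domain literals such as [192.0.2.1] and comments/folding whitespace are rejected.
ADDR_SPEC = re.compile("^" + LOCAL_PART + "@" + DOT_ATOM + "$")


def is_rfc5322_addr_spec(addr: str) -> bool:
    """Syntactic check only: True means 'well-formed', not 'safe to render'."""
    if ADDR_SPEC.fullmatch(addr) is None:
        return False
    local, _, _domain = addr.rpartition("@")  # rpartition: qtext may itself contain '@'
    return len(local) <= 64 and len(addr) <= 254  # RFC 5321 length limits


def render_confirmation_unsafe(addr: str) -> str:
    """Vulnerable: the validated address is concatenated straight into the HTML body."""
    return f"<p>Thanks for registering. We sent a confirmation to {addr}.</p>"


def render_confirmation_safe(addr: str) -> str:
    """Hardened: same template, but the address is encoded for the HTML context."""
    return f"<p>Thanks for registering. We sent a confirmation to {html.escape(addr, quote=True)}.</p>"


# Constructed sample: a valid quoted local part that carries a CSS rule.
CSS_INJECTION = '"<style>body{display:none}</style>"@example.com'


def classify(addr: str) -> dict:
    """Validity and whether each renderer leaks the raw <style> tag into the email body."""
    return {
        "valid": is_rfc5322_addr_spec(addr),
        "unsafe_leaks_markup": "<style>" in render_confirmation_unsafe(addr),
        "safe_leaks_markup": "<style>" in render_confirmation_safe(addr),
    }


if __name__ == "__main__":
    for sample in ["alice@example.com", CSS_INJECTION, "alice<b>@example.com"]:
        print(sample, classify(sample))
```

Validation and output encoding answer different questions: the first decides whether the string is an address at all, the second decides whether it can be placed into an HTML email without being interpreted. A mail client that renders the unsafe template applies the injected rule; the safe template delivers the same address as visible text.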

The practical implication is that registration is a high-risk authentication surface, not a formality. Developers must verify email addresses before trusting them, close the registration endpoint for an account once signup is complete, and never return tokens or other credentials in registration responses, including for phone numbers that are already registered; a password reset must also invalidate every token issued before it. SSO integrations must validate every attribute received from the identity provider rather than trusting it, since the trust boundary between provider and application is easily crossed. Email inputs need both RFC-compliant validation and context-appropriate output encoding: a well-formed address is not a safe one, and it must still be encoded before being placed in HTML or CSS sent to a mail client. The core takeaway is that individually minor flaws chain into critical exploits, so registration logic and cross-boundary data handling deserve thorough testing.
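The chat-application and registration-API cases, together with the controls this paragraph recommends, as one constructed Python example added here (not code from the talk or from any product it discusses): a deliberately flawed in-memory service beside a hardened one. The service names, the `token_generation` counter, the HMAC token format and the sample phone number and addresses are all assumptions of this example. The hardened version verifies the email with an out-of-band code before issuing any credential, returns the same credential-free reply for a phone number that is already registered, and bumps a per-user generation counter on password reset so every older token fails.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass


@dataclass
class User:
    phone: str
    email: str
    email_verified: bool = False
    registration_complete: bool = False
    token_generation: int = 0  # bumped on password reset so older tokens stop validating


class VulnerableService:
    """Constructed model of the flawed behaviour described in the summary, not a real product."""

    def __init__(self):
        self.users = {}
        self.static_tokens = {}  # phone -> a token that is never rotated

    def register(self, phone, email):
        # Flaw: an existing account is treated like a fresh signup, the supplied email is
        # never verified, and the reply carries a valid token for whoever owns `phone`.
        self.users.setdefault(phone, User(phone=phone, email=email))
        token = self.static_tokens.setdefault(phone, secrets.token_hex(16))
        return {"status": "ok", "token": token}

    def is_valid(self, phone, token):
        return hmac.compare_digest(self.static_tokens.get(phone, ""), token)

    def reset_password(self, phone):
        pass  # Flaw: recovery changes the password but leaves the static token untouched


class HardenedService:
    """Constructed hardened counterpart; the design choices are this example's, not the speaker's."""

    def __init__(self, secret):
        self.secret = secret
        self.users = {}
        self.pending_codes = {}  # phone -> verification code delivered out of band

    def register(self, phone, email):
        existing = self.users.get(phone)
        if existing is not None and existing.registration_complete:
            # Registration is closed once signup finished: nothing changes and the reply is
            # indistinguishable from a fresh signup (no enumeration, no credential).
            return {"status": "pending_verification"}
        self.users[phone] = existing or User(phone=phone, email=email)
        # Assumption: the code goes to the supplied email address; it is never returned here.
        self.pending_codes[phone] = f"{secrets.randbelow(10**6):06d}"
        return {"status": "pending_verification"}

    def verify(self, phone, code):
        expected = self.pending_codes.get(phone)
        if expected is None or not hmac.compare_digest(expected, code):
            return None
        del self.pending_codes[phone]
        user = self.users[phone]
        user.email_verified = user.registration_complete = True
        return self._issue_token(user)  # the only path that ever hands out a credential

    def _mac(self, phone, generation):
        return hmac.new(self.secret, f"{phone}:{generation}".encode(), hashlib.sha256).hexdigest()

    def _issue_token(self, user):
        return f"{user.phone}:{user.token_generation}:{self._mac(user.phone, user.token_generation)}"

    def is_valid(self, token):
        parts = token.split(":")
        if len(parts) != 3 or not parts[1].isdigit():
            return False
        phone, generation, mac = parts[0], int(parts[1]), parts[2]
        user = self.users.get(phone)
        if user is None or generation != user.token_generation:
            return False
        return hmac.compare_digest(self._mac(phone, generation), mac)

    def reset_password(self, phone):
        self.users[phone].token_generation += 1  # invalidates every token issued so far


def run_scenario():
    """Attacker re-registers the victim's phone number against both services (constructed data)."""
    victim, attacker_email, results = "+15550100", "attacker@example.net", {}
    vuln = VulnerableService()
    vuln.register(victim, "victim@example.com")
    stolen = vuln.register(victim, attacker_email)["token"]
    results["vuln_attacker_token_valid"] = vuln.is_valid(victim, stolen)
    vuln.reset_password(victim)
    results["vuln_token_valid_after_reset"] = vuln.is_valid(victim, stolen)
    hard = HardenedService(secret=secrets.token_bytes(32))
    hard.register(victim, "victim@example.com")
    victim_token = hard.verify(victim, hard.pending_codes[victim])
    results["hard_victim_token_valid"] = hard.is_valid(victim_token)
    results["hard_attacker_got_token"] = "token" in hard.register(victim, attacker_email)
    results["hard_attacker_changed_email"] = hard.users[victim].email == attacker_email
    results["hard_attacker_can_verify"] = hard.verify(victim, "000000") is not None
    hard.reset_password(victim)
    results["hard_token_valid_after_reset"] = hard.is_valid(victim_token)
    return results
```

Running `run_scenario()` shows the two halves of the chained flaw: against the vulnerable service the attacker's second registration call returns the victim's static token, and that token still validates after the victim's password reset; against the hardened service the same call returns no credential, leaves the stored email untouched, and the victim's own token is revoked by the reset.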

Disclaimer: This summary was auto-generated from the video transcript using AI and may contain inaccuracies. It is intended as a quick overview — always refer to the original talk for authoritative content. Learn more about our AI experiments.