
Local HTTP server credential hijacking #476

Closed
LucioMS opened this issue Jun 14, 2023 · 1 comment · Fixed by #475

LucioMS commented Jun 14, 2023

Impact
The default browser-based authentication mechanism leaves users vulnerable to a credential hijacking attack, enabling an attacker to gain unauthorised access to a user's Amazon account.

Description
The default authentication mechanism used by ASK CLI involves the following steps:

1. ASK CLI starts a local HTTP server listening on http://localhost:9090/
2. ASK CLI generates an Amazon sign-in URL with the parameter redirect_uri=http://127.0.0.1:9090/cb, then opens this URL in the user's web browser
3. The user signs in to Amazon in their web browser and enables ASK CLI to access their Amazon account
4. Amazon redirects the user's web browser back to http://127.0.0.1:9090/cb and passes the OAuth auth code, scope, and state as GET parameters
5. ASK CLI issues an HTTP POST request to https://api.amazon.com/auth/o2/token to obtain an OAuth access token and refresh token.

Another user on the same host can issue an HTTP request to http://127.0.0.1:9090/ and cause the ASK CLI process to terminate and cease listening on TCP port 9090. The attacker can then start their own server on TCP port 9090 and capture the OAuth auth parameters, enabling them to hijack the OAuth access token and refresh token. These can then be used to gain unauthorised access to the targeted user's Amazon account.

Stolen credentials could then in turn potentially be used to target the user more directly by injecting malicious code into the Alexa Skills that the user is working on.
Reproduction Steps

In a multi-user environment with at least two users:

1. As user A: Install ASK CLI and run the "ask configure" command, then wait for the console message Listening on http://localhost:9090... and the web browser to open
2. As user B: Issue an HTTP request to http://localhost:9090/ (e.g. using curl, wget, or a web browser)
3. As user B: Start a listener on TCP port 9090 (e.g. using nc -lvv 9090)
4. As user A: Proceed to sign in to Amazon and approve access for ASK CLI.
5. As user A: Close the browser and observe that the ASK CLI command has exited with no errors.
6. As user B: Observe that the OAuth authentication parameters were received by the listener.

@LucioMS LucioMS linked a pull request Jun 14, 2023 that will close this issue
@LucioMS LucioMS changed the title Insecure Authentication Mechanism Enables Local Credential Hijacking placeholder Jun 14, 2023
@LucioMS LucioMS changed the title placeholder Local HTTP server credential hijacking Jul 31, 2023
LucioMS commented Jul 31, 2023

Fixed by not closing the port until the dev is back at the CLI for error and success cases.

@LucioMS LucioMS closed this as completed Jul 31, 2023