Issue 83: India’s COVID-19 tracing app 🦠, OAuth2 API attacks

Elliot Alderson discovered API flaws in India’s COVID-19 tracking app, Aarogya Setu. In certain regions, the app is mandatory, and not having it installed can lead to fines or even jail time.

The app can tell users how many people who have tested positive for COVID-19, or who have self-assessed to feel unwell, are nearby within the radius of from 500 meters to 10 kilometers. Or at least that is the theory. In practice, attackers can make the app to show them more.

Alderson found a combination of factors that allowed malicious use of the API:

• He overcame the checks for device rooting as well as certificate pinning, and got direct access to the API behind the app.
• He could supply any latitude and longitude values to the API, and receive the data for a particular neighborhood.
• He could tweak the catchment area to whatever he wanted because the predefined radius values were only in the client app, not enforced in the API.

This means that an attacker could home in on someone and get the data for a specific address.

Bulk API calls were allowed, too. Thus, by invoking the API for a mesh of locations, the attacker can further triangulate the exact locations of infected people.

Not really something you’d like to see in an app that deals with such sensitive information and that you are forced to use.

Lessons learned here:

• Even seemingly anonymous data can become personal when combined with other data, especially geolocation.
• You cannot rely on your APIs being only invoked by your client app. Someone might (will!) figure out a way to get to them directly.
• Parameter ranges must be enforced on the API level, not just on the UI.
• Bulk API calls are a source of data leaks.

Dr. Daniel Fett has published a great detailed document on OAuth mix-up attack scenarios and ways to mitigate them. He covers, for example:

• Basic mix-up attack
• Mix-up attacks with OAuth metadata
• Mix-up attacks with Pushed Authorization Request (PAR) endpoint
• Integrity of the Authorization Request with PAR

In a mix-up attack on OAuth authentication, an attacker convinces the OAuth client to send credentials (authorization code or access token) that it obtained from an “honest” authorization server to the attacker’s server:

And while we are in the world of OAuth, the blog A Bug’z Life has a post on the typical security flaws in OAuth implementations:

1. Weak redirect_uri configuration
2. Improper handling of state parameter
3. Assignment of accounts based on email address
4. Disclosure of secrets

Check it out to be reminded of and avoid the common pitfalls.

On the latest episode of the OWASP DevSlop show, Katie Paxton-Fear gave a talk on REST API hacking. Her talk focused on the following vulnerabilities from the OWASP API Security Top 10 list:

• API1:2019 — Broken object level authorization
• API3:2019 — Excessive data exposure
• API5:2019 — Broken function level authorization.

The talk included a demonstration of each of the flaws and practical tips on how to find them. The source code of the demo app is also available.