OAuth Bypass Technique


OAuth is an open standard for access delegation, commonly used to let Internet users grant websites or applications access to their information on other websites without handing over their passwords. We often see websites offering a "Sign in with Facebook" option. This is convenient for users who do not wish to sign up with a traditional username and password. However, a small number of websites implement OAuth poorly, allowing an attacker to bypass authentication and impersonate another user in order to access the website's protected resources. This technique is known in the bug bounty community and is regarded as an authentication bypass or an account takeover. While there are various write-ups on OAuth authentication bypass, this particular technique is not widely covered. We would like to present the technical details of the vulnerability we found.

Speaker Information

Sheikh Rizan

Rizan is a passionate information security professional with more than 20 years of experience. He loves anything Linux or open-source. He has spent over 13 years securing one of the largest oil and gas companies in the world from cyber threats. He holds several industry-relevant certifications, including OSCP, OSCE, OSWE, CISSP and CREST CRT. He has reported security bugs to the US Department of Defense (US DoD), Spotify, Amazon, General Motors, Toyota, Alibaba, Airbnb, Dell, Starbucks and Rockstar Games. Rizan was also part of a cyber security surveillance group supporting law enforcement agencies globally in the area of lawful interception for mobile and desktop technologies. Prior to his current assignment, he worked at Telenor as a Cyber Security Advisor specializing in offensive security. He has conducted dozens of on-site and remote penetration tests in Sweden, Finland, Thailand, Bangladesh, Malaysia and Myanmar.
