
Exploiting CSP in WebKit to Break Authentication and Authorization

Conference:  BlackHat USA 2021

2021-11-11

Summary

The vulnerability affected OAuth and SSO flows in a wide range of applications, allowing attackers to take over user accounts and, in some cases, entire platforms. Responses from bug bounty programs were mixed: some fixed the issue promptly, while others took months to understand it. Apple took over a year to fix the bug and did not award a bounty. Because Apple's App Store policies require third-party browsers on iOS to embed Safari's rendering engine rather than ship their own, the vulnerability affected not only Safari but also Firefox, Chrome, and Opera on iOS devices, which made its reach far wider than a single browser. The impact was significant, affecting social networking platforms, e-commerce platforms, and cryptocurrency platforms.

Abstract

When it comes to modern web applications, browsers are the first line of defense. While the built-in security features that ship compiled into browsers are responsible for preventing a wide array of attacks, any seemingly trivial mistake in a browser's implementation of such a feature can have devastating effects. In this session, we will talk about a vulnerability in WebKit (Safari, and all browsers on iOS devices, including Firefox and Chrome) and a browser security feature which, when abused, allowed us to leak certain cross-site information. This made almost every application using authentication/authorization technologies such as Single Sign-On and OAuth vulnerable, giving us instant access to user accounts. The talk will also include our take and workarounds on the latest browser features like ITP, SameSite cookies, etc., and the techniques and approaches we used to bypass common measures implemented to prevent such vulnerabilities.

We will explain how we were able to exploit hundreds of companies with billions of users in total and harvest over $100k in bounties. Even corporations like Google, Facebook, GitLab, Coinbase and others, which are very cautious with security measures, were all vulnerable. The exploit demonstrates, on one hand, how not adhering to a simple-looking specification can turn into a disaster and, on the other hand, how simply following the specification might not be enough.

We'll also talk about programs' responses to our reports and give a general understanding of such vulnerabilities, the fixes, and the bypasses we came up with. Finally, we'll conclude with how to address such vulnerabilities using yet another browser feature.
