In a mobile-first world, user registration using only a phone number has become pretty common, this phone number has become the primary method of authentication due to its convenience and speed. These systems may or may not verify other details about the user, such as their email address and typically rely on Single Sign-On (SSO) identity Providers. This talk explores the potential issues that can arise when multiple systems are used for authentication, and how these can lead to vulnerabilities. We will touch upon how authentication and authorization bugs can originate from user registration and how this can lead to full account takeover, password stealing, and denial of service. The speaker will draw from their own experiences in identifying and addressing these vulnerabilities, providing valuable insights into this common issue. Finally, the talk concludes by discussing potential solutions and stronger controls that can be implemented to prevent these issues from occurring. Attendee Takeaways Security engineers will gain valuable experience in identifying and addressing authentication bugs, helping them to improve their skills in this area. Developers will be encouraged to think more broadly about potential edge cases and vulnerabilities in their applications, leading to stronger and more secure authentication and authorization controls.
Presented at Security Fest 2024.Speaker: Priyank Nigam
As a senior offensive security engineer @Microsoft, Priyank's primary areas of focus is conducting security exercises that emulate real-world threats impacting billions of users. He is well-known for his expertise in identifying high-impact vulnerabilities and has shared his research openly through various industry conferences. His forte is web/mobile application security assessments, network penetration testing and secure source code reviews. In the past, he has advised Fortune 500 brands and startups and does mobile and IoT related research in his spare time. As a new parent, he is now (re)learning hacking from his toddler who defeats all the "restrictions" to limit their mobility.