Re: [OAUTH-WG] Phishing with Client Application Name Spoofing

Mark Mcgloin <mark.mcgloin@ie.ibm.com> Tue, 17 January 2012 12:06 UTC

Return-Path: <mark.mcgloin@ie.ibm.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6514A21F858B for <oauth@ietfa.amsl.com>; Tue, 17 Jan 2012 04:06:30 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.328
X-Spam-Level:
X-Spam-Status: No, score=-2.328 tagged_above=-999 required=5 tests=[AWL=-0.029, BAYES_00=-2.599, MIME_8BIT_HEADER=0.3]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 5Viia0qHyHb2 for <oauth@ietfa.amsl.com>; Tue, 17 Jan 2012 04:06:26 -0800 (PST)
Received: from e06smtp16.uk.ibm.com (e06smtp16.uk.ibm.com [195.75.94.112]) by ietfa.amsl.com (Postfix) with ESMTP id 84D2821F84D5 for <oauth@ietf.org>; Tue, 17 Jan 2012 04:06:23 -0800 (PST)
Received: from /spool/local by e06smtp16.uk.ibm.com with IBM ESMTP SMTP Gateway: Authorized Use Only! Violators will be prosecuted for <oauth@ietf.org> from <mark.mcgloin@ie.ibm.com>; Tue, 17 Jan 2012 12:06:21 -0000
Received: from d06nrmr1707.portsmouth.uk.ibm.com ([9.149.39.225]) by e06smtp16.uk.ibm.com ([192.168.101.146]) with IBM ESMTP SMTP Gateway: Authorized Use Only! Violators will be prosecuted; Tue, 17 Jan 2012 12:06:19 -0000
Received: from d06av12.portsmouth.uk.ibm.com (d06av12.portsmouth.uk.ibm.com [9.149.37.247]) by d06nrmr1707.portsmouth.uk.ibm.com (8.13.8/8.13.8/NCO v10.0) with ESMTP id q0HC6I9Q2666712 for <oauth@ietf.org>; Tue, 17 Jan 2012 12:06:18 GMT
Received: from d06av12.portsmouth.uk.ibm.com (loopback [127.0.0.1]) by d06av12.portsmouth.uk.ibm.com (8.14.4/8.13.1/NCO v10.0 AVout) with ESMTP id q0HC6I99018062 for <oauth@ietf.org>; Tue, 17 Jan 2012 05:06:18 -0700
Received: from d06ml091.portsmouth.uk.ibm.com (d06ml091.portsmouth.uk.ibm.com [9.149.104.170]) by d06av12.portsmouth.uk.ibm.com (8.14.4/8.13.1/NCO v10.0 AVin) with ESMTP id q0HC6Hvt018047; Tue, 17 Jan 2012 05:06:18 -0700
In-Reply-To: <CAEwGkqDV8qdYPyHYNtBF-SXLGA0CDxOgbCszafhp4ejuVwuT_w@mail.gmail.com>
References: <CAEwGkqDscS5ke4KmoVUF3nDjS-1b+SuT_hCb59+rCuokmhPOVQ@mail.gmail.com> <90C41DD21FB7C64BB94121FBBC2E723453A754C534@P3PW5EX1MB01.EX1.SECURESERVER.NET> <CAEwGkqDV8qdYPyHYNtBF-SXLGA0CDxOgbCszafhp4ejuVwuT_w@mail.gmail.com>
X-KeepSent: 5C384B1A:F3404884-80257988:0041A466; type=4; name=$KeepSent
To: =?ISO-8859-1?Q?Andr=E9_DeMarre?= <andredemarre@gmail.com>
X-Mailer: Lotus Notes Release 8.5.1FP5 SHF29 November 12, 2010
Message-ID: <OF5C384B1A.F3404884-ON80257988.0041A466-80257988.00427E0B@ie.ibm.com>
From: Mark Mcgloin <mark.mcgloin@ie.ibm.com>
Date: Tue, 17 Jan 2012 12:06:05 +0000
X-MIMETrack: Serialize by Router on D06ML091/06/M/IBM(Release 8.5.2FP1 ZX852FP1HF12|September 28, 2011) at 17/01/2012 12:06:13
MIME-Version: 1.0
Content-type: text/plain; charset=ISO-8859-1
Content-transfer-encoding: quoted-printable
x-cbid: 12011712-3548-0000-0000-000000BB81E7
Cc: OAuth WG <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Phishing with Client Application Name Spoofing
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 17 Jan 2012 12:06:30 -0000

Andre

Please feel free to propose text, perhaps with a better title than I
suggested. During our discussion on section 4.1.4 (End-user credentials
phished using compromised or  embedded browser), we have decided on the
countermeasure below, albeit for a different threat - phishing client as
opposed to client name spoofing. Your's can be a variant of this with
different validation recommendations.


2. Client applications could be validated prior to publication in an
application market for users to access. That validation is out of scope for
OAuth but could include validating that the client application handles user
authentication in an appropriate way


Regards
Mark

André DeMarre <andredemarre@gmail.com> wrote on 16/01/2012 23:20:02:

>
> To:
>
> Eran Hammer <eran@hueniverse.com> 16/01/2012 23:22
>

>
> Re: [OAUTH-WG] Phishing with Client Application Name Spoofing
>
> Eran,
>
> Yes; I think a section should be added to the security model doc.
>
> On 2011-12-16 Mark Mcgloin agreed and suggested we call it "Client
> Registration of phishing clients":
> http://www.ietf.org/mail-archive/web/oauth/current/msg08061.html
>
> I'm happy to propose the text; it might be one or two days though.
>
> Regards,
> Andre DeMarre
>
> On Mon, Jan 16, 2012 at 10:30 AM, Eran Hammer <eran@hueniverse.com>
wrote:
> > Should this be added to the security model document? Is it already
> addressed there?
> >
> > EHL
> >
> >> -----Original Message-----
> >> From: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] On Behalf
> >> Of André DeMarre
> >> Sent: Tuesday, October 04, 2011 11:33 AM
> >> To: OAuth WG
> >> Subject: [OAUTH-WG] Phishing with Client Application Name Spoofing
> >>
> >> I've not seen this particular variant of phishing and client
impersonation
> >> discussed. A cursory search revealed that most of the related
discussion
> >> centers around either (a) client impersonation with stolen client
> credentials
> >> or (b) phishing by malicious clients directing resource owners to
spoofed
> >> authorization servers. This is different.
> >>
> >> This attack exploits the trust a resource owner has for an OAuth
> >> authorization server so as to lend repute to a malicious client
> pretending to
> >> be from a trustworthy source. This is not necessarily a direct
> vulnerability of
> >> OAuth; rather, it shows that authorization servers have a
responsibility
> >> regarding client application names and how they present resource
owners
> >> with the option to allow or deny authorization.
> >>
> >> A key to this exploit is the process of client registration with
> the authorization
> >> server. A malicious client developer registers his client
> application with a
> >> name that appears to represent a legitimate organization which
resource
> >> owners are likely to trust. Resource owners at the authorization
endpoint
> >> may be misled into granting authorization when they see the
authorization
> >> server asserting "<some trustworthy name> is requesting permission
to..."
> >>
> >> Imagine someone registers a client application with an OAuth service,
let's
> >> call it Foobar, and he names his client app "Google, Inc.". The Foobar
> >> authorization server will engage the user with "Google, Inc. is
requesting
> >> permission to do the following." The resource owner might reason, "I
see
> >> that I'm legitimately on the https://www.foobar.com site, and Foobar
is
> >> telling me that Google wants permission. I trust Foobar and Google, so
I'll
> >> click Allow."
> >>
> >> To make the masquerade act even more convincing, many of the most
> >> popular OAuth services allow app developers to upload images which
could
> >> be official logos of the organizations they are posing as. Often app
> >> developers can supply arbitrary, unconfirmed URIs which are shown to
the
> >> resource owner as the app's website, even if the domain does not match
the
> >> redirect URI. Some OAuth services blindly entrust client apps to
customize
> >> the authorization page in other ways.
> >>
> >> This is hard to defend against. Authorization server administrators
could
> >> police client names, but that approach gives them a burden similar to
> >> certificate authorities to verify organizations before issuing
> certificates. Very
> >> expensive.
> >>
> >> A much simpler solution is for authorization servers to be
> careful with their
> >> wording and educate resource owners about the need for discretion when
> >> granting authority. Foobar's message above could be
> >> changed: "An application calling itself Google, Inc. is
> requesting permission to
> >> do the following" later adding, "Only allow this request if you
> are sure of the
> >> application's source." Such wording is less likely to give the
> impression that
> >> the resource server is vouching for the application's identity.
> >>
> >> Authorization servers would also do well to show the resource owner
> >> additional information about the client application to help them make
> >> informed decisions. For example, it could display all or part of the
app's
> >> redirect URI, saying, "The application is operating on
> example.com" or "If you
> >> decide to allow this application, your browser will be directed to
> >> http://www.example.com/." Further, if the client app's redirect
> URI uses TLS
> >> (something authorization servers might choose to mandate), then auth
> >> servers can verify the certificate and show the certified
> organization name to
> >> resource owners.
> >>
> >> This attack is possible with OAuth 1, but OAuth 2 makes successful
> >> exploitation easier. OAuth 1 required the client to obtain temporary
> >> credentials (aka access tokens) before sending resource owners to the
> >> authorization endpoint. Now with OAuth 2, this attack does not require
> >> resource owners to interact with the client application before
visiting the
> >> authorization server. The malicious client developer only needs
> to distribute
> >> links around the web to the authorization server's authorization
> endpoint. If
> >> the HTTP service is a social platform, the client app might
> distribute links using
> >> resource owners' accounts with the access tokens it has acquired,
becoming
> >> a sort of worm. Continuing the Google/Foobar example above, it might
use
> >> anchor text such as "I used Google Plus to synchronize with my Foobar
> >> account." Moreover, if the app's redirect URI bounces the resource
owner
> >> back to the HTTP service after acquiring an authorization code,
> the victim will
> >> never see a page rendered at the insidious app's domain.
> >>
> >> This is especially dangerous because the public is not trained to
defend
> >> against it. Savvy users are (arguably) getting better at
> protecting themselves
> >> from traditional phishing by verifying the domain in the address bar,
and
> >> perhaps checking TLS certificates, but such defenses are irrelevent
here.
> >> Resource owners now need to verify not only that they are on the
legitimate
> >> authorization server, but to consider the trustworthyness of the link
that
> >> referred them there.
> >>
> >> I'm not sure what can or should be done, but I think it's important
for
> >> authorization server implementers to be aware of this attack. If
> >> administrators are not able to authenticate client organizations,then
they
> >> are shifting this burden to resource owners. They should do all they
can to
> >> educate resource owners and help them make informed decisions before
> >> granting authorization.
> >>
> >> Regards,
> >> Andre DeMarre
> >> _______________________________________________
> >> OAuth mailing list
> >> OAuth@ietf.org
> >> https://www.ietf.org/mailman/listinfo/oauth
>