Re: [OAUTH-WG] hijacking client's user account

Thomas Broyer <t.broyer@gmail.com> Wed, 22 April 2015 16:20 UTC

References: <CAAd3nNoprEPext8x6roS=pyHWaNVZJ4r_5mtFGch88q2=TqaPA@mail.gmail.com> <E561F39A-A37F-48D6-AB74-1A4B7842DDC6@mit.edu>
In-Reply-To: <E561F39A-A37F-48D6-AB74-1A4B7842DDC6@mit.edu>
From: Thomas Broyer <t.broyer@gmail.com>
Date: Wed, 22 Apr 2015 16:20:03 +0000
Message-ID: <CAEayHEPxhKrZPw=4+F3tvtPEP+0=tfT7AuFPEMkikbEGC8U64Q@mail.gmail.com>
To: Justin Richer <jricher@mit.edu>, mar adrian belen <maradrianbelen@gmail.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/oauth/1khAMzVWgHyZVeldkURWCHArgqY>
Cc: "<oauth@ietf.org>" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] hijacking client's user account

Also, this is not news:
http://securityintelligence.com/spoofedme-social-login-attack-discovered-by-ibm-x-force-researchers/

On Wed, Apr 22, 2015 at 5:02 PM Justin Richer <jricher@mit.edu> wrote:

> This seems to be not a problem with OAuth but with misusing OAuth as an
> authentication protocol:
>
> http://oauth.net/articles/authentication/
>
> And with trusting unverified claims from a third party IdP (such as a
> self-asserted email address), which is covered in the OpenID Connect
> specification, an authentication protocol built on top of OAuth:
>
> http://openid.net/specs/openid-connect-core-1_0.html#ClaimStability
>
> You should probably let the client know in this case that they should not
> be using the email address as a key if they’re not verifying it themselves.
> If the authentication article can be updated to include this misuse, please
> help us amend it!
>
>  — Justin
>
> On Apr 20, 2015, at 8:55 PM, mar adrian belen <maradrianbelen@gmail.com>
> wrote:
>
> Some web applications are using OAuth 2 as a login alternative. I found a
> way to access a client application using an unverified email (the victim's
> email) on an OAuth provider. If the OAuth provider allows an unverified
> email to use its OAuth service, this can be abused by the attacker; it is
> possible if the client provider directly logs the user in (using OAuth)
> when his email already exists in their records.
>
> * User Joe has an account on CLIENT A using his email address
> victimjoe@test.com, but does not have an OAuth provider account. The
> attacker knows that.
>
> * Now the attacker creates a new OAuth provider account using
> victimjoe@test.com.
>
> * Because an unverified email can use the OAuth provider's OAuth, and
> CLIENT A is using the OAuth provider's OAuth as an alternative login, the
> attacker can now access the victim's client application (CLIENT A) account
> using the alternative login function.
>
> You can try GitHub (OAuth provider) and https://sprint.ly/ (client).
>
> https://www.dropbox.com/s/jhrgn311i0e28pc/hijackoauthclient_x264.mp4?dl=0
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
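The account-linking mistake discussed in this thread, and the fix Justin points to (do not key on an e-mail address the client has not verified; OpenID Connect's stable identifier is the issuer/subject pair), can be shown side by side in a relying-party lookup. The following Python is an added example written for this archive page, not code from any of the posters, GitHub or Sprint.ly; the issuer URL, subject values, account ids and claim sets are constructed for the illustration.

```python
"""
Account resolution at an OAuth/OIDC relying party (the "client" in the thread).

vulnerable_resolve() matches a federated login to a local account by e-mail
alone, which is the behaviour described in the report.  hardened_resolve()
keys on the stable (iss, sub) pair and only falls back to e-mail when the
identity provider asserts email_verified=true.  All data here is constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

FederatedId = Tuple[str, str]  # (issuer, subject)


@dataclass
class Account:
    account_id: str
    email: str
    # Federated identities the user has explicitly linked, as (iss, sub) pairs.
    linked: Set[FederatedId] = field(default_factory=set)


def make_accounts() -> List[Account]:
    """Constructed user table of CLIENT A: Joe registered with a password and
    has never linked an OAuth identity."""
    return [Account("acct-joe", "victimjoe@test.com")]


# Constructed ID-token claims for the attacker, who registered at the IdP with
# the victim's address but never proved control of that mailbox.
ATTACKER_CLAIMS: Dict[str, object] = {
    "iss": "https://idp.example",        # constructed issuer
    "sub": "attacker-777",               # constructed subject
    "email": "victimjoe@test.com",
    "email_verified": False,
}


def vulnerable_resolve(claims: Dict[str, object], accounts: List[Account]) -> Optional[str]:
    """Log the user in if the IdP-supplied e-mail matches an existing record.
    Nothing checks whether the IdP verified that address, so anyone who can
    register the victim's address at the IdP is logged in as the victim."""
    email = str(claims.get("email", "")).lower()
    for acct in accounts:
        if email and acct.email.lower() == email:
            return acct.account_id
    return None


def hardened_resolve(claims: Dict[str, object], accounts: List[Account]) -> Optional[str]:
    """Resolve by the stable (iss, sub) pair first.  E-mail is only a secondary
    match, and only when the IdP asserts email_verified=true; an unverified
    address never selects an existing account (the user must link explicitly)."""
    iss, sub = claims.get("iss"), claims.get("sub")
    if isinstance(iss, str) and isinstance(sub, str):
        for acct in accounts:
            if (iss, sub) in acct.linked:
                return acct.account_id
    if claims.get("email_verified") is True:
        email = str(claims.get("email", "")).lower()
        for acct in accounts:
            if email and acct.email.lower() == email:
                return acct.account_id
    return None


def link_identity(acct: Account, claims: Dict[str, object]) -> None:
    """Record an (iss, sub) link.  Call this only from a session where the user
    has already authenticated to the local account (e.g. with their password),
    so the link itself is the proof of ownership rather than the e-mail claim."""
    acct.linked.add((str(claims["iss"]), str(claims["sub"])))


def run_scenario() -> Dict[str, Optional[str]]:
    """Replay the thread's scenario against both resolvers and return outcomes."""
    accounts = make_accounts()
    results: Dict[str, Optional[str]] = {
        "vulnerable_attacker": vulnerable_resolve(ATTACKER_CLAIMS, accounts),
        "hardened_attacker": hardened_resolve(ATTACKER_CLAIMS, accounts),
    }
    # Joe later signs in with his password and links his own IdP identity.
    joe_claims = {"iss": "https://idp.example", "sub": "joe-123",
                  "email": "victimjoe@test.com", "email_verified": True}
    link_identity(accounts[0], joe_claims)
    results["hardened_joe_linked"] = hardened_resolve(joe_claims, accounts)
    # The attacker's token still carries the same unverified address.
    results["hardened_attacker_after_link"] = hardened_resolve(ATTACKER_CLAIMS, accounts)
    return results


if __name__ == "__main__":
    for name, outcome in run_scenario().items():
        print(f"{name}: {outcome}")
```

Whether to honour `email_verified=true` at all is a policy decision for the client; the spec text Justin cites only guarantees stability for `sub` scoped to `iss`, so the conservative configuration drops the verified-e-mail fallback entirely and links by (iss, sub) alone.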