Re: [OAUTH-WG] hijacking client's user account
Thomas Broyer <t.broyer@gmail.com> Wed, 22 April 2015 16:20 UTC
Return-Path: <t.broyer@gmail.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 98AD61B3760 for <oauth@ietfa.amsl.com>; Wed, 22 Apr 2015 09:20:16 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.199
X-Spam-Level:
X-Spam-Status: No, score=-0.199 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, J_CHICKENPOX_45=0.6, J_CHICKENPOX_56=0.6, J_CHICKENPOX_65=0.6, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id TOrxr15GyjV5 for <oauth@ietfa.amsl.com>; Wed, 22 Apr 2015 09:20:15 -0700 (PDT)
Received: from mail-lb0-x229.google.com (mail-lb0-x229.google.com [IPv6:2a00:1450:4010:c04::229]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4854F1B3773 for <oauth@ietf.org>; Wed, 22 Apr 2015 09:20:06 -0700 (PDT)
Received: by lbbqq2 with SMTP id qq2so184173370lbb.3 for <oauth@ietf.org>; Wed, 22 Apr 2015 09:20:04 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc:content-type; bh=yXzqWCc7EbmhXEI3EPDFjR+bLBGmrD6X8cz/2uBvslA=; b=PqAvpd9kQZszCeETBj/oLW9BJHWKYF4s5WtSEkKfvwwzq4xEF1z2HYcLeMhEudVYG9 uDepfvXmZztNg7+NttGYB8vgKaiABXpsNgZFGFMPmIqCSSKEdHG69VPORhY2ZefeMpyS kskmkI/rwaYWvZ7SuMDk6GifQfHLsflEptT+Bh9jEJcREZTOaNP6KHVyFKDgfKO6nK6C 4KHgj1yxXvfqxOvXoQI9ud7+s/moGOK/bxYQjUCwOTfnZCUjFGuBsZBJzjwQYCbCsL8A vfQuXbSWTHaa/EQePycrCnIWeynq5tmgqpUlkH+velcBKg8QIjGUHjmWhJpogumG9Zq3 yOmw==
X-Received: by 10.152.27.35 with SMTP id q3mr25111428lag.24.1429719604814; Wed, 22 Apr 2015 09:20:04 -0700 (PDT)
MIME-Version: 1.0
References: <CAAd3nNoprEPext8x6roS=pyHWaNVZJ4r_5mtFGch88q2=TqaPA@mail.gmail.com> <E561F39A-A37F-48D6-AB74-1A4B7842DDC6@mit.edu>
In-Reply-To: <E561F39A-A37F-48D6-AB74-1A4B7842DDC6@mit.edu>
From: Thomas Broyer <t.broyer@gmail.com>
Date: Wed, 22 Apr 2015 16:20:03 +0000
Message-ID: <CAEayHEPxhKrZPw=4+F3tvtPEP+0=tfT7AuFPEMkikbEGC8U64Q@mail.gmail.com>
To: Justin Richer <jricher@mit.edu>, mar adrian belen <maradrianbelen@gmail.com>
Content-Type: multipart/alternative; boundary="089e0160b7ca2c6c220514528962"
Archived-At: <http://mailarchive.ietf.org/arch/msg/oauth/1khAMzVWgHyZVeldkURWCHArgqY>
Cc: "<oauth@ietf.org>" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] hijacking client's user account
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 22 Apr 2015 16:20:16 -0000
Also, this is not news: http://securityintelligence.com/spoofedme-social-login-attack-discovered-by-ibm-x-force-researchers/ On Wed, Apr 22, 2015 at 5:02 PM Justin Richer <jricher@mit.edu> wrote: > This seems to be not a problem with OAuth but with misusing OAuth as an > authentication protocol: > > http://oauth.net/articles/authentication/ > > And with trusting unverified claims from a third party IdP (such as a > self-asserted email address), which is covered in the OpenID Connect > specification, an authentication protocol built on top of OAuth: > > http://openid.net/specs/openid-connect-core-1_0.html#ClaimStability > > You should probably let the client know in this case that they should not > be using the email address as a key if they’re not verifying it themselves. > If the authentication article can be updated to include this misuse, please > help us amend it! > > — Justin > > On Apr 20, 2015, at 8:55 PM, mar adrian belen <maradrianbelen@gmail.com> > wrote: > > Some web application are using oauth 2 technology as login alternative , i > found a way how can i access client application using unverified > email(victim email) on > > oauth oauth provider, if oauth provider allows unverified email to use > it's oauth service which can abuse by the attacker, this is possible if the > client provider > > directly login the user(using oauth) if his email is already exists on > they record. > > > * user joe has account on CLIENT A using his email address > victimjoe@test.com, but does not have oauth provider account. attacker > knows that. > > * now the attacker create a new oauth provider account using > victimjoe@test.com. > > * because an unverified email can used the oauth provider oauth and the > CLIENT A is using oauth provider's oauth as an alternative login, the > attacker can now access > > victim's Client Application(CLIENT A) account using the login alternative > function. > > > you can try github(oauth provider) and https://sprint.ly/ (client) > > > https://www.dropbox.com/s/jhrgn311i0e28pc/hijackoauthclient_x264.mp4?dl=0 > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth > > > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth >
- [OAUTH-WG] hijacking client's user account mar adrian belen
- Re: [OAUTH-WG] hijacking client's user account Justin Richer
- Re: [OAUTH-WG] hijacking client's user account Thomas Broyer
- Re: [OAUTH-WG] hijacking client's user account Nat Sakimura