[OAUTH-WG] Vulnerability in the OAuth2 Mobile flow May lead to access token leakage

Michael Reizelman <michael.reizelman14@gmail.com> Thu, 05 January 2017 18:33 UTC

To: oauth@ietf.org
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/2MYHjQtxDS-IXruvhgqoSyYzAos>

Hi,

During my tests of the Facebook OAuth2.0 implementation I discovered a
vulnerability which I first thought was due to a bad implementation. However,
after reporting it to them and analyzing the official specification,
including the PKCE standard, I realized that this attack can be used
against any current OAuth2.0 specification. I encountered this email address
on http://www.rfc-editor.org/info/rfc7636, so I wanted to make sure
whether this is the place to securely report this flaw (which may lead to
compromise of access tokens on every OAuth2.0 mobile implementation). And
if not, who can I contact about this?

Thanks,
Michael