[OAUTH-WG] OAuth Redirection Attacks

Rifaat Shekh-Yusef <rifaat.s.ietf@gmail.com> Thu, 16 December 2021 20:04 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/4-YCJzeDH4NH-ge9OF8bAbqWgIE>

All,

An article was recently published discussing some OAuth Redirection Attacks
to try to bypass phishing detection solutions. See the details of these
attacks in the following link:

https://www.proofpoint.com/us/blog/cloud-security/microsoft-and-github-oauth-implementation-vulnerabilities-lead-redirection

The article discusses attacks on Microsoft and GitHub, but these attacks
are not unique to these companies.

The attacks take advantage of how OAuth handles error responses, which
sends responses to the application's redirect URL.

I would like to get the thoughts of the working group on these types of
attacks.

What is the best way to mitigate these attacks?

Do we need a new approach for handling errors with OAuth?

Regards,

Rifaat
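The mechanism Rifaat describes, as an added illustration that is not part of the list post or the Proofpoint article: a toy authorization endpoint in Python. The attacker registers an ordinary OAuth client whose redirect URI is their own site, then sends victims a link to the authorization server's trusted hostname with a deliberately bad parameter (an unknown scope here). Because the server reports that error by redirecting to the client's redirect URI, the trusted link bounces straight to the attacker without the victim ever seeing a login page. The "naive" handler also carries a second, worse bug (redirecting on an unregistered redirect_uri, which RFC 6749 section 4.1.2.1 forbids). The "hardened" handler keeps the RFC rule and additionally renders an error page instead of a 302 for request errors detected before any user interaction; that last step is a design choice beyond what RFC 6749 mandates, not something the post or the article prescribes. The client registry, hostnames and the lure URL are constructed for the demo.

```python
"""Added example, not from the OAuth WG post or the Proofpoint article.
Toy OAuth 2.0 authorization endpoint: error handling that turns a trusted
AS hostname into a redirector, beside a hardened variant. All names, URLs
and the client registry below are constructed for the demo."""
from dataclasses import dataclass
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed client registry with exact-match redirect URIs (RFC 6749 recommends exact matching).
CLIENTS = {
    "good-app": {"redirect_uris": ["https://app.example.com/cb"]},
    # An attacker can legitimately register their own client with the AS.
    "evil-app": {"redirect_uris": ["https://attacker.example/land"]},
}
SUPPORTED_SCOPES = {"openid", "profile", "email"}
AS_HOST = "login.as.example"  # assumed hostname of the authorization server


@dataclass
class Response:
    status: int
    location: Optional[str] = None  # set on a 302
    body: str = ""


def params_from_url(url: str) -> dict:
    """Flatten the query string of an authorization request URL into a dict."""
    return {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}


def error_redirect(redirect_uri: str, error: str, state: Optional[str]) -> Response:
    """Build the RFC 6749 4.1.2.1 error redirect (error[&state] appended to the query)."""
    q = {"error": error, **({"state": state} if state is not None else {})}
    sep = "&" if urlsplit(redirect_uri).query else "?"
    return Response(302, location=f"{redirect_uri}{sep}{urlencode(q)}")


def request_error(params: dict) -> Optional[str]:
    """Validation that runs before the user is shown anything."""
    if params.get("response_type") != "code":
        return "unsupported_response_type"
    if not set(params.get("scope", "").split()) <= SUPPORTED_SCOPES:
        return "invalid_scope"
    return None


def naive_authorize(params: dict) -> Response:
    """Deliberately weak: every failure is bounced to redirect_uri, even an
    unregistered one, so https://login.as.example/authorize?... is an open redirect."""
    client = CLIENTS.get(params.get("client_id", ""))
    redirect_uri = params.get("redirect_uri", "")
    state = params.get("state")
    if client is None or redirect_uri not in client["redirect_uris"]:
        return error_redirect(redirect_uri, "invalid_request", state)  # BUG: unvalidated redirect target
    err = request_error(params)
    if err:
        return error_redirect(redirect_uri, err, state)  # spec-conformant, yet a laundered lure link
    return Response(200, body="login/consent page")


def hardened_authorize(params: dict) -> Response:
    client = CLIENTS.get(params.get("client_id", ""))
    redirect_uri = params.get("redirect_uri", "")
    state = params.get("state")
    # RFC 6749 4.1.2.1: invalid client_id / redirect_uri -> inform the user, never redirect.
    if client is None or redirect_uri not in client["redirect_uris"]:
        return Response(400, body="Invalid client_id or redirect_uri.")
    err = request_error(params)
    if err:
        # Design choice beyond RFC 6749 (which would redirect here): the user has not
        # interacted yet, so show an error page naming the destination instead of a 302.
        # An honest client still learns about the error; the lure loses its
        # "trusted domain bounces me automatically" property.
        return Response(200, body=f"Request error '{err}' from client "
                                  f"{params['client_id']}. Destination: {redirect_uri}")
    return Response(200, body="login/consent page")


# Constructed lure: trusted AS hostname, attacker's registered client, an invalid scope.
LURE = ("https://login.as.example/authorize?client_id=evil-app"
        "&redirect_uri=https%3A%2F%2Fattacker.example%2Fland"
        "&response_type=code&scope=not_a_scope&state=x")


def is_open_redirect(handler, url: str) -> bool:
    """True if the handler answers the URL with a 302 whose Location host is not the AS."""
    r = handler(params_from_url(url))
    return r.status == 302 and urlsplit(r.location).netloc != AS_HOST


if __name__ == "__main__":
    print("naive   :", naive_authorize(params_from_url(LURE)))
    print("hardened:", hardened_authorize(params_from_url(LURE)))
```

The `is_open_redirect` check is the kind of probe a tester can aim at a real authorization endpoint: feed it a request for a registered client with a bogus scope and see whether the response is an unconditional 302 off the AS domain. Note that the interstitial in `hardened_authorize` only changes behaviour for errors raised before any user interaction; once the user has authenticated and declined consent, redirecting with `error=access_denied` is still the right behaviour, since the user has seen where they are.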