Re: [OAUTH-WG] hijacking client's user account

Justin Richer <jricher@mit.edu> Wed, 22 April 2015 15:02 UTC

From: Justin Richer <jricher@mit.edu>
In-Reply-To: <CAAd3nNoprEPext8x6roS=pyHWaNVZJ4r_5mtFGch88q2=TqaPA@mail.gmail.com>
Date: Wed, 22 Apr 2015 11:01:58 -0400
Message-Id: <E561F39A-A37F-48D6-AB74-1A4B7842DDC6@mit.edu>
References: <CAAd3nNoprEPext8x6roS=pyHWaNVZJ4r_5mtFGch88q2=TqaPA@mail.gmail.com>
To: mar adrian belen <maradrianbelen@gmail.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/oauth/4zbtAcXQvaSrSZSzdiX4_cMTVEE>
Cc: "<oauth@ietf.org>" <oauth@ietf.org>

This seems to be not a problem with OAuth but with misusing OAuth as an authentication protocol:

http://oauth.net/articles/authentication/

And with trusting unverified claims from a third party IdP (such as a self-asserted email address), which is covered in the OpenID Connect specification, an authentication protocol built on top of OAuth:

http://openid.net/specs/openid-connect-core-1_0.html#ClaimStability

You should probably let the client know in this case that they should not be using the email address as a key if they’re not verifying it themselves. If the authentication article can be updated to include this misuse, please help us amend it!

 — Justin

> On Apr 20, 2015, at 8:55 PM, mar adrian belen <maradrianbelen@gmail.com> wrote:
> 
> Some web applications are using OAuth 2 as a login alternative. I found a way to access a client application using an unverified email (the victim's email) on an OAuth provider: if the OAuth provider allows an unverified email to use its OAuth service, this can be abused by the attacker. This is possible if the client provider directly logs the user in (using OAuth) when his email already exists in their records.
> 
> 
> * User joe has an account on CLIENT A using his email address victimjoe@test.com, but does not have an OAuth provider account. The attacker knows that.
> 
> * Now the attacker creates a new OAuth provider account using victimjoe@test.com.
> 
> * Because an unverified email can use the OAuth provider's OAuth, and CLIENT A is using the OAuth provider's OAuth as an alternative login, the attacker can now access the victim's client application (CLIENT A) account using the login alternative function.
> 
> 
> You can try GitHub (OAuth provider) and https://sprint.ly/ (client).
> 
> 
> https://www.dropbox.com/s/jhrgn311i0e28pc/hijackoauthclient_x264.mp4?dl=0
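The following is an added illustration, not code from either poster: it models the client-side account-linking decision the thread is about. `login_vulnerable` is the email-keyed pattern described in the report; `login_hardened` keys the account on the IdP's stable `(iss, sub)` pair and uses the email only to link a not-yet-linked account when a trusted IdP asserts `email_verified`, otherwise deferring to the client's own verification flow. Class names, the issuer set and the claim sets are all constructed for the example.

```python
from dataclasses import dataclass, field

TRUSTED_ISSUERS = {"https://idp.example"}  # constructed issuer for the example


@dataclass
class LocalAccount:
    user_id: str
    email: str
    idp_keys: set = field(default_factory=set)  # linked (iss, sub) pairs


class ClientApp:
    def __init__(self):
        self.by_email = {}  # email -> LocalAccount (how the user registered locally)
        self.by_idp = {}    # (iss, sub) -> LocalAccount (explicitly linked logins)

    def register(self, user_id, email):
        acct = LocalAccount(user_id, email)
        self.by_email[email] = acct
        return acct

    def login_vulnerable(self, claims):
        """Pattern from the report: an IdP-asserted email that matches a local
        account logs that account in. Nothing checks that the IdP verified the
        address, so whoever registers it at the IdP is treated as the owner."""
        acct = self.by_email.get(claims.get("email"))
        return acct.user_id if acct else None

    def login_hardened(self, claims):
        """Identity is the IdP's stable (iss, sub). Email only links an unlinked
        local account, and only when a trusted IdP asserts email_verified; in
        every other case return None so the app runs its own verification."""
        key = (claims["iss"], claims["sub"])
        if key in self.by_idp:
            return self.by_idp[key].user_id
        if claims["iss"] not in TRUSTED_ISSUERS or claims.get("email_verified") is not True:
            return None
        acct = self.by_email.get(claims.get("email"))
        if acct is None:
            return None
        acct.idp_keys.add(key)
        self.by_idp[key] = acct
        return acct.user_id


# Constructed claim sets (not real tokens): Joe holds a local account but no IdP
# account; the attacker registers Joe's address at the IdP without verifying it.
ATTACKER_CLAIMS = {"iss": "https://idp.example", "sub": "attacker-42",
                   "email": "victimjoe@test.com", "email_verified": False}
JOE_CLAIMS = {"iss": "https://idp.example", "sub": "joe-7",
              "email": "victimjoe@test.com", "email_verified": True}
```

Once Joe's account is linked by `(iss, sub)`, a later login with the same subject but a changed or unverified email still resolves to Joe, which is the claim-stability point of the OpenID Connect reference above.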