Re: [OAUTH-WG] [EXTERNAL] Re: OAuth Redirection Attacks

Pieter Kasselman <pieter.kasselman@microsoft.com> Fri, 17 December 2021 20:22 UTC

From: Pieter Kasselman <pieter.kasselman@microsoft.com>
To: Vittorio Bertocci <Vittorio=40auth0.com@dmarc.ietf.org>, Warren Parad <wparad=40rhosys.ch@dmarc.ietf.org>
CC: oauth <oauth@ietf.org>
Date: Fri, 17 Dec 2021 20:22:44 +0000
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/5NumUldFaKxhjgU5d9bLcJSIhwU>

Agreed that the attacker's goal is to bypass phishing filters and they found a way to achieve this by using an IdP that adheres to the standards. I don't have the context for the design choice to redirect on an error condition, but am curious why the IdP should not be allowed to handle the error condition, rather than redirect (or at least have the option to do so)?

From: OAuth <oauth-bounces@ietf.org> On Behalf Of Vittorio Bertocci
Sent: Friday 17 December 2021 19:55
To: Warren Parad <wparad=40rhosys.ch@dmarc.ietf.org>
Cc: oauth <oauth@ietf.org>
Subject: [EXTERNAL] Re: [OAUTH-WG] OAuth Redirection Attacks

The attack doesn't rely on redirecting to unregistered URLs, that's the problem.
The goal of the attack is to circumvent phishing filters, by presenting a URL from a legitimate domain (the AS) that eventually redirects to the actual phishing URL. The actual phishing page doesn't need to target the same authorization server, or an authorization server at all for that matter.
An attacker can register a legitimate app on any authorization server as a service, on their own tenant. The goal is just to have a starting URL that phishing filters won't block, and the attacker is in full control of the redirect URIs they register in their own tenant.

My take: it might be tricky to change the redirect on error behavior at this point, but we should at least note the issue in the security considerations/BCPs and possibly give some advice. For example, off the top of my head: AS should expose their endpoints on a domain dedicated to OAuth/OIDC operations, and avoid using its top level domains (different area/service, but think herokuapp.com vs heroku.com) so that if a phishing filter decides to block direct links to the issuing endpoints, it will only impact things like IdP initiated flows (solvable by adding jumpstart endpoints on the RP anyway, just like IdP initiated sign in works in OIDC). I am sure there are lots of other things we can come up with that can make the problem better.

On Fri, Dec 17, 2021 at 5:00 AM Warren Parad <wparad=40rhosys.ch@dmarc.ietf.org> wrote:
I think this just falls into the category of never redirect the user to a url that doesn't match one of the preregistered redirect urls (or logout urls for that matter). Any application that has redirects anywhere provides an opportunity for this attack vector, OAuth isn't unique in that way, it just is consistent and documented. And the 2.1 draft is pretty clear on this front:

https://datatracker.ietf.org/doc/html/draft-ietf-oauth-v2-1-04#section-4.1.2.1
   If the request fails due to a missing, invalid, or mismatching
   redirect URI, or if the client identifier is missing or invalid, the
   authorization server SHOULD inform the resource owner of the error
   and MUST NOT automatically redirect the user agent to the invalid
   redirect URI.

I want to call this attack vector "illegitimate phishing applications" which is easily blocked by preregistration and/or PARs. And is only a very small subset of phishing attacks with OAuth, of which the larger group is "legitimate phishing applications". An app can be registered correctly, and still issue a phishing attack as phishing attacks through OAuth are actually indistinguishable from standard user delegation. There is no way to prevent these without an application review before registration is completed, here's an example that cloned Google apps by creating a fake app called google defender: https://www.trendmicro.com/en_us/research/17/d/pawn-storm-abuses-open-authentication-advanced-social-engineering-attacks.html

If we can't protect against these latter ones, I hardly think protecting against the former is useful/interesting/valuable.


Warren Parad

Founder, CTO
Secure your user data with IAM authorization as a service. Implement Authress <https://authress.io/>.


On Thu, Dec 16, 2021 at 9:05 PM Rifaat Shekh-Yusef <rifaat.s.ietf@gmail.com> wrote:

All,



An article was recently published discussing some OAuth Redirection Attacks to try to bypass phishing detection solutions. See the details of these attacks in the following link:



https://www.proofpoint.com/us/blog/cloud-security/microsoft-and-github-oauth-implementation-vulnerabilities-lead-redirection




The article discusses attacks on Microsoft and GitHub, but these attacks are not unique to these companies.

The attacks take advantage of how OAuth handles error responses, which sends responses to the application's redirect URL.


I would like to get the thoughts of the working group on these types of attacks.

What is the best way to mitigate these attacks?

Do we need a new approach for handling errors with OAuth?


Regards,

 Rifaat

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
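
The error-handling split discussed in this thread, as an added example that is not code from any participant or from the drafts: an authorization server decision function that never redirects when the client or redirect URI is invalid (the section 4.1.2.1 text quoted above), sends other errors to the registered redirect URI, and can instead render the error itself. The client registry, URIs and the redirect_on_error switch are hypothetical, constructed for illustration.

```python
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Constructed client registry (hypothetical client id, URI and scopes).
CLIENTS = {
    "client-123": {
        "redirect_uris": {"https://app.example/callback"},
        "scopes": {"openid", "profile"},
    }
}


def _with_query(uri, extra):
    """Append parameters to a redirect URI, keeping any existing query."""
    parts = urlsplit(uri)
    query = parse_qsl(parts.query, keep_blank_values=True) + list(extra.items())
    return urlunsplit(parts._replace(query=urlencode(query)))


def decide(params, clients=CLIENTS, redirect_on_error=True):
    """Return (action, detail) for an authorization request.

    action is "error_page" (rendered by the authorization server itself),
    "redirect_error" (error sent to the client's redirect URI) or "continue".
    redirect_on_error is a hypothetical policy switch, not a standard setting.
    """
    client = clients.get(params.get("client_id", ""))
    if client is None:
        # Missing or invalid client identifier: inform the user, no redirect.
        return ("error_page", "unknown client_id")

    redirect_uri = params.get("redirect_uri")
    if redirect_uri is None and len(client["redirect_uris"]) == 1:
        redirect_uri = next(iter(client["redirect_uris"]))
    # Exact string comparison against the pre-registered set.
    if redirect_uri not in client["redirect_uris"]:
        return ("error_page", "redirect_uri not registered")

    error = None
    if params.get("response_type") != "code":
        error = "unsupported_response_type"
    elif not set(params.get("scope", "").split()) <= client["scopes"]:
        error = "invalid_scope"

    if error is None:
        return ("continue", redirect_uri)
    if not redirect_on_error:
        # The option raised in the thread: the server handles the error locally.
        return ("error_page", error)

    # The redirect-on-error behaviour the thread is about: the user agent
    # leaves the authorization server's domain for the registered URI.
    extra = {"error": error}
    if "state" in params:
        extra["state"] = params["state"]
    return ("redirect_error", _with_query(redirect_uri, extra))
```
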