[OAUTH-WG] WRAP session fixation?

Brian Eaton <beaton@google.com> Wed, 25 November 2009 01:28 UTC

On Tue, Nov 24, 2009 at 4:35 PM, Mike Malone <mjmalone@gmail.com> wrote:
> One final note - unless I'm missing something WRAP is vulnerable to
> the same session fixation attack that OAuth 1.0 had... unless it's
> requiring callback registration, which is a really lame solution to
> that problem.

Callback registration is not required to prevent session fixation.
Check out the requirements in section 5.4.6 "Successful Access Token
Response From Authorization Server."  They are (supposed to be)
sufficient to prevent the attack.