Re: [OAUTH-WG] Same Origin Method Execution (SOME)

John Bradley <ve7jtb@ve7jtb.com> Wed, 24 June 2015 23:42 UTC

From: John Bradley <ve7jtb@ve7jtb.com>
In-Reply-To: <B1C45938-9B95-4059-8235-0745216DFF60@adobe.com>
Date: Wed, 24 Jun 2015 20:42:36 -0300
Message-Id: <DACC2E36-E0E1-47C9-BC8F-CDEB1C13939D@ve7jtb.com>
References: <B1C45938-9B95-4059-8235-0745216DFF60@adobe.com>
To: Antonio Sanso <asanso@adobe.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/oauth/6XM-TnKL2mn02XqqyBdI-2Ge2GM>
Cc: OAuth WG <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Same Origin Method Execution (SOME)

Thanks for the info,

As I read it, this is an attack on JavaScript callbacks.

The information tying it to OAuth is not clear.

Is the issue relating to JS people using the implicit flow and the JS loaded from the client somehow being vulnerable?

Or is this happening in the JS after authorization, in calls to other resources from the same origin, and it is just a coincidence that people are using OAuth?

Understanding if there is any OAuth-specific advice to give would be helpful. I see there are ways to prevent the SOME exploit.

Regards
John B.


> On Jun 24, 2015, at 4:18 PM, Antonio Sanso <asanso@adobe.com> wrote:
> 
> hi *, just sharing.
> 
> Not directly related to OAuth per se but it exploits several OAuth client endpoints due to some common developers pattern http://www.benhayak.com/2015/06/same-origin-method-execution-some.html (concrete example in http://www.benhayak.com/2015/05/stealing-private-photo-albums-from-Google.html)
> 
> regards
> 
> antonio
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
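The "JavaScript callback" pattern John is asking about, as an added example that is not code from this thread or from the linked write-up: a simulated implicit-flow redirect page that finishes login by invoking a method on `window.opener`, shown in the vulnerable form (method name taken straight from the URL) and in a hardened form (fixed allowlist of callback names, own-property lookup only). The opener object, the method names `onOAuthComplete` and `shareAlbumPublicly`, and the URLs are assumptions constructed for the illustration; the code runs stand-alone under Node with a plain object standing in for the opener window.

```javascript
// Added example (not code from the thread or from the linked write-up): a
// simulated implicit-flow redirect endpoint that finishes login by invoking a
// callback on window.opener. The opener object, method names and URLs below
// are constructed for this illustration.

// Constructed stand-in for window.opener: a same-origin page that exposes the
// intended completion callback plus an unrelated privileged method.
function makeOpener() {
  const log = [];
  return {
    log,
    onOAuthComplete(token) { log.push(`login:${token}`); },
    shareAlbumPublicly() { log.push('shared'); },
  };
}

// Implicit flow: the authorization server returns the token in the URL
// fragment, so the redirect page reads its parameters from location.hash.
function fragmentParams(redirectUrl) {
  return new URLSearchParams(new URL(redirectUrl).hash.slice(1));
}

// Vulnerable pattern: the method to call is named by a URL parameter and
// resolved by property lookup on the opener, so any function reachable by
// name on that origin can be executed from an attacker-chosen URL.
function vulnerableCallback(opener, params) {
  const fn = opener[params.get('callback')];
  if (typeof fn !== 'function') return false;
  fn.call(opener, params.get('access_token'));
  return true;
}

// Hardened pattern: only names on a fixed allowlist are ever looked up, and
// only as own properties of the opener (never via the prototype chain, which
// would otherwise expose e.g. "constructor").
const ALLOWED_CALLBACKS = new Set(['onOAuthComplete']);

function safeCallback(opener, params) {
  const name = params.get('callback');
  if (!ALLOWED_CALLBACKS.has(name)) return false;
  if (!Object.prototype.hasOwnProperty.call(opener, name)) return false;
  opener[name](params.get('access_token'));
  return true;
}

// Drives one redirect through the chosen handler; returns whether a call was made.
function handleRedirect(opener, redirectUrl, handler) {
  return handler(opener, fragmentParams(redirectUrl));
}

// Constructed redirect URLs: the one the client expects, and one carrying an
// attacker-chosen callback name that points at a different same-origin method.
const EXPECTED_REDIRECT =
  'https://client.example/oauth/cb#access_token=t1&callback=onOAuthComplete';
const HOSTILE_REDIRECT =
  'https://client.example/oauth/cb#access_token=t1&callback=shareAlbumPublicly';

// Runs the hostile redirect through both handlers and reports what each did.
function demo() {
  const results = {};
  for (const [label, handler] of [['vulnerable', vulnerableCallback], ['safe', safeCallback]]) {
    const opener = makeOpener();
    const ran = handleRedirect(opener, HOSTILE_REDIRECT, handler);
    results[label] = { ran, log: [...opener.log] };
  }
  return results;
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(demo(), null, 2));
}
```

The allowlist is the part that matters: a pattern check such as "identifier characters only" still lets the caller pick any method on the origin, which is exactly the SOME primitive. The own-property guard is a second, cheap check so that prototype-chain functions are not reachable even if the allowlist is later widened. The cleaner design is not to derive a method reference from URL data at all and instead post a message to the opener, but the allowlist is the minimal change to an existing callback endpoint.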