Re: [OAUTH-WG] A Scope Attack against OAuth 2.0
Shane B Weeden <sweeden@au1.ibm.com> Sat, 18 February 2012 21:18 UTC
Return-Path: <sweeden@au1.ibm.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B846721F8512 for <oauth@ietfa.amsl.com>; Sat, 18 Feb 2012 13:18:33 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.556
X-Spam-Level:
X-Spam-Status: No, score=-6.556 tagged_above=-999 required=5 tests=[AWL=-0.042, BAYES_00=-2.599, DATE_IN_PAST_03_06=0.044, MIME_BASE64_BLANKS=0.041, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id DuofUnMmGh8k for <oauth@ietfa.amsl.com>; Sat, 18 Feb 2012 13:18:32 -0800 (PST)
Received: from e23smtp02.au.ibm.com (e23smtp02.au.ibm.com [202.81.31.144]) by ietfa.amsl.com (Postfix) with ESMTP id CCC4521F8508 for <oauth@ietf.org>; Sat, 18 Feb 2012 13:18:30 -0800 (PST)
Received: from /spool/local by e23smtp02.au.ibm.com with IBM ESMTP SMTP Gateway: Authorized Use Only! Violators will be prosecuted for <oauth@ietf.org> from <sweeden@au1.ibm.com>; Sat, 18 Feb 2012 21:02:18 +1000
Received: from d23relay05.au.ibm.com (202.81.31.247) by e23smtp02.au.ibm.com (202.81.31.208) with IBM ESMTP SMTP Gateway: Authorized Use Only! Violators will be prosecuted; Sat, 18 Feb 2012 21:01:34 +1000
Received: from d23av02.au.ibm.com (d23av02.au.ibm.com [9.190.235.138]) by d23relay05.au.ibm.com (8.13.8/8.13.8/NCO v10.0) with ESMTP id q1ILCJbs3264622; Sun, 19 Feb 2012 08:12:19 +1100
Received: from d23av02.au.ibm.com (loopback [127.0.0.1]) by d23av02.au.ibm.com (8.14.4/8.13.1/NCO v10.0 AVout) with ESMTP id q1ILHZYG010887; Sun, 19 Feb 2012 08:17:35 +1100
Received: from d23ml004.au.ibm.com (d23ml004.au.ibm.com [9.190.250.23]) by d23av02.au.ibm.com (8.14.4/8.13.1/NCO v10.0 AVin) with ESMTP id q1ILHYT6010878; Sun, 19 Feb 2012 08:17:34 +1100
In-Reply-To: <CAGmQQ9eorSS8jWgHZzw_Bq6Eb4Qj+fZ0NUuQx_KJwC_rasUCnA@mail.gmail.com>
References: <CAGmQQ9eorSS8jWgHZzw_Bq6Eb4Qj+fZ0NUuQx_KJwC_rasUCnA@mail.gmail.com>
X-KeepSent: 7789D618:84BDC5CF-4A2579A8:0023CB58; type=4; name=$KeepSent
To: Wenjie Lin <lin.820@osu.edu>
X-Mailer: Lotus Notes Release 8.5.1FP5 SHF29 November 12, 2010
Message-ID: <OF7789D618.84BDC5CF-ON4A2579A8.0023CB58-4A2579A8.0024278F@au1.ibm.com>
From: Shane B Weeden <sweeden@au1.ibm.com>
Date: Sat, 18 Feb 2012 16:34:54 +1000
X-MIMETrack: Serialize by Router on d23ml004/23/M/IBM(Release 8.5.2FP1HF437 | June 7, 2011) at 19/02/2012 08:21:44
MIME-Version: 1.0
Content-type: text/plain; charset="UTF-8"
Content-transfer-encoding: base64
x-cbid: 12021811-5490-0000-0000-000000C39648
Cc: oauth@ietf.org, oauth-bounces@ietf.org
Subject: Re: [OAUTH-WG] A Scope Attack against OAuth 2.0
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 18 Feb 2012 21:18:33 -0000
I agree with others - this is not an attack on the protocol. The user has the choice about which scope to grant and the client's redirect to the authorization endpoint is only a request for a particular set of permissions, not a guarantee that it will get them. The user+authorization server decide which scope is actually granted. The client needs to handle cases where that differs from what it originally wanted. From: Wenjie Lin <lin.820@osu.edu> To: oauth@ietf.org Date: 18/02/2012 12:12 PM Subject: [OAUTH-WG] A Scope Attack against OAuth 2.0 Sent by: oauth-bounces@ietf.org We describe an attack on OAuth 2.0 (draft-ietf-oauth-v2-23), called scope attack, provide a live-demo of the attack on Facebook, and propose a fix with discussions. Scope Attack OAuth authorization of services is associated with service agreement scope. For instance, Client provides an online game to User with a service agreement scope A: User authorizes Client to access his profile information and to post messages on his behalf. A malicious User can request for online game with service agreement scope A, manipulate the scope field, and change it to scope B: User authorizes Client to access his profile information. User can still play the games, yet Client can’t post messages on User’s behalf, as originally agreed. OAuth 2.0 authorization code grant and implicit grant are vulnerable to the scope attack. A Scope Attack Scenario (1) Authorization Server: Facebook (authorization code grant) (2) Client: Online gaming company Game. It allows User to play the games with the service agreement scope A: User authorizes Game to access his profile information and post messages on his behalf. (3) User: malicious User with an account at Facebook. He attempts to play the games yet without authorizing Game to post messages on his behalf, that is, he changes the scope from A to B: authorization of Client to access his profile information only. Attack Workflow (1) User requests Game (Client) for permission to play games, instantiating OAuth 2.0 with scope A. (2) Game generates an authorization request with a scope specification A, and redirects User to Facebook with the request. (3) User manipulates the scope field and changes it to scope B. The modified request is then sent to Facebook. (4) User grants the modified request. (5) Facebook redirects User back to Game with the authorization code. (6) Game exchanges the authorization code for an access token. However it has no knowledge that the scope A has been changed to scope B. (7) Game provides online gaming service to User. However, Game can’t post messages on User’s Facebook page. A Live-Demo: Facebook and CastleVille (IE and Safari tested) Step 1: Login Facebook and visit Facebook Apps and Game page https://www.facebook.com/games Step 2: Click CastleVille. Step 3: When you see the Request for Permission page, instead of clicking “Allow”, change the scope field in the URL from your browser from “scope=email%2Cpublish_stream%2Cpublish_actions” to “scope=email%2Cpublish_stream”. Step 4: After the modification, press ENTER to send the modified request to Facebook. Now you will see the modified Request of Permission page. Step 5: Click on “Allow” button and enjoy the game. (video: http://www.youtube.com/watch?v=zkmjLa3VU9w) Impact Client provides services to malicious User yet with the modified service agreement scope by User’s design. Manipulating Scope Field The scope field in access token response is required ONLY IF Authorization Server observes that the User authorized scope is different than the original scope. Consequently, User can manipulate the scope field so that Authorization Server cannot detect the change of the scope. As a result Client provides the services yet can’t obtain the information that is specified in the scope of the original service agreement. Client can verify the service agreement scope by checking all the fields against the original User request before providing the requested services to User. For instance, Client can verify the granted permissions if Authorization Server (e.g. Facebook) provides an API. However, this is out of the scope of OAuth 2.0, and Client may not check it. We observe: all top five games recommended by Facebook are vulnerable to the scope attack. Proposed Fix Draft-ietf-oauth-v2-23 Section 5.1: Change from “scope OPTIONAL, if identical to the scope requested by the client, otherwise REQUIRED.” to “scope REQUIRED” /* scope: User authorized scope */ Remarks (1) The proof of the correctness of OAuth with our proposed fix will be published in an article: “OAuth 2.0 – Attacks, Fixes, Correctness, and Generalizations, Wenjie Lin, David Lee and Steve Lai, to appear”. (2) The implicit grant is also vulnerable to the scope attack. However it cannot be fixed by enforcing scope field in access token response as above; User can change the scope in response before being redirected to Client. Wenjie Lin, The Ohio State University David Lee, HP Labs and The Ohio State University Steve Lai, The Ohio State University _______________________________________________ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth
- [OAUTH-WG] A Scope Attack against OAuth 2.0 Wenjie Lin
- Re: [OAUTH-WG] A Scope Attack against OAuth 2.0 William Mills
- Re: [OAUTH-WG] A Scope Attack against OAuth 2.0 Dick Hardt
- Re: [OAUTH-WG] A Scope Attack against OAuth 2.0 André DeMarre
- Re: [OAUTH-WG] A Scope Attack against OAuth 2.0 Shane B Weeden
- Re: [OAUTH-WG] A Scope Attack against OAuth 2.0 John Bradley
- Re: [OAUTH-WG] A Scope Attack against OAuth 2.0 Wenjie Lin
- Re: [OAUTH-WG] A Scope Attack against OAuth 2.0 William Mills
- Re: [OAUTH-WG] A Scope Attack against OAuth 2.0 André DeMarre
- Re: [OAUTH-WG] A Scope Attack against OAuth 2.0 Wenjie Lin
- Re: [OAUTH-WG] A Scope Attack against OAuth 2.0 Wenjie Lin
- Re: [OAUTH-WG] A Scope Attack against OAuth 2.0 William Mills
- Re: [OAUTH-WG] A Scope Attack against OAuth 2.0 John Bradley
- Re: [OAUTH-WG] A Scope Attack against OAuth 2.0 Nicholas Devenish
- Re: [OAUTH-WG] A Scope Attack against OAuth 2.0 John Bradley
- Re: [OAUTH-WG] A Scope Attack against OAuth 2.0 André DeMarre
- Re: [OAUTH-WG] A Scope Attack against OAuth 2.0 André DeMarre
- Re: [OAUTH-WG] A Scope Attack against OAuth 2.0 John Bradley
- Re: [OAUTH-WG] A Scope Attack against OAuth 2.0 Wenjie Lin
- Re: [OAUTH-WG] A Scope Attack against OAuth 2.0 Phil Hunt
- Re: [OAUTH-WG] A Scope Attack against OAuth 2.0 Kristoph
- Re: [OAUTH-WG] A Scope Attack against OAuth 2.0 Wenjie Lin
- Re: [OAUTH-WG] A Scope Attack against OAuth 2.0 Nicholas Devenish
- Re: [OAUTH-WG] A Scope Attack against OAuth 2.0 John Bradley
- Re: [OAUTH-WG] A Scope Attack against OAuth 2.0 Dan Taflin