IETF Logo Mail Archive

Re: [OAUTH-WG] [EXTERNAL] Re: Device Authorization Grant and Illicit Consent Exploits

George Fletcher <gffletch@aol.com> Thu, 24 March 2022 01:10 UTC

Return-Path: <gffletch@aol.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2B7183A077C for <oauth@ietfa.amsl.com>; Wed, 23 Mar 2022 18:10:09 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.109
X-Spam-Level:
X-Spam-Status: No, score=-2.109 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, NICE_REPLY_A=-0.001, RCVD_IN_MSPIKE_H2=-0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=aol.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 3htN7FIr1pdu for <oauth@ietfa.amsl.com>; Wed, 23 Mar 2022 18:10:04 -0700 (PDT)
Received: from sonic306-22.consmr.mail.ne1.yahoo.com (sonic306-22.consmr.mail.ne1.yahoo.com [66.163.189.84]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 646723A0780 for <oauth@ietf.org>; Wed, 23 Mar 2022 18:10:04 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=aol.com; s=a2048; t=1648084200; bh=dLzL8vSDHJcu/0JbEFKsfXZV9lcDRuc+YYJpbohPjuo=; h=Date:Subject:To:References:From:In-Reply-To:From:Subject:Reply-To; b=Js5nbz51vYg8ibHFn9sNYk0N52oFOcEjzonGjjJD+Tg+AnlxGl97jfUZyoYek3o7ibeFGNaaKtH8RZ/2FADU9lxRZOpmYhya9LwN8CCfTY9Ncmcl8DeXr+UpksJKDT8Vgw3QEeOWXpjhjiPa/knn5v+a0bBLcBa0QmkZPH6gyedG9WZYrBaHSFX9XqFvERPq9fe04X2qeET9itWHkZcogJinPOI2nRWMgaM5a4IsFUVQ37JOAaPumYcSSJ6BjiHS6Dn/QWtDRQjGfPAFqCjCwalol4Q2jcIsNwELDkL1pUFdgOtymyypYQ9reGWfkWTQ10p8g6H4vS8kEaPcUJAidA==
X-SONIC-DKIM-SIGN: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s2048; t=1648084200; bh=hSngCZkWfm20iJWdROrCh6TMxi7qVkACNJNaj/dsFhZ=; h=X-Sonic-MF:Date:Subject:To:From:From:Subject; b=T04uhbNi/pET8zuvnEmwINGhRTY4scTufQQe3GMoIQ6wicZMzhjSDwaquTHVZbH5+IIUc540+PHueGUzIhLbhobBkbQVVZcHcKIEt6MlRLDblnKG3aj3Mwv79opXd/IRIccjGSIlL4ES2o18lXbMt1CVfvVVAIM14qoYHybPZSTy5KRKyNkoA9yw2YcaR0RimKyKgYdmjZl8PH5FJTTzHek3z+PYR+jNXAJLHuUonTzRJBj9gU3Xa85A9C5V2kzgHqbeM2PvabpiJbYCBq5wuz7dmNTqUDOEejBtvQK1mTL5YdkyuMzVm/eP/zxOqewz2CIPap58sxtTtzj3xzlE9w==
X-YMail-OSG: DWC6TvcVM1mEbIibC7JR894amAP4qqtiCY5su_Ajl7jEKgCPrPNOlEsWry79oI2 _bMETPtb4hUffPxmtHXm7q7SMXI8hDKFqEUH4L7YTK7UBbICMcOALPIREoL.vRKSRwFIUp_i_N8S Tra4koz2TDp82T1uqnqm5SlkTL1e_JqViwP7n1cLS81InDGLouaC9IsngdOoXfwHZmuQVyggZo.u baiVMQAoImhhBcY71LU5H.YmKq.YN0u6zt_eRCkqdcPCt9H8HDnT1uUdfFJdtT1TGEGGx7hQ_u1f SuRMyVgGFB._kIFM1ELNc8O5X0iH7xxmr35r8xirmEhnz1UmPT_Vi66DOPX7tyGgUbIcSoOv3bWV BcLQQZAGcca4j9Id0MnZztq6WtOU90HT1DQ5TugHIVCfrRwAr6RGmBJw.0wAHKgHGXZ3eeTYoYpN rf2bY.oTdhaZdr4RpBPlQKpmHUFkpx1U8Lt4ksXS5.Ac.thW2KeO_YZgectMvQRGDyc_1n6XXtyW bkKfyYH_cBOebJ0FSR5sSPJOpTDA1hof5bxRJVJgvFtEtmzjqQzMO8dhhhFQM42IjxG2VRJtXVX3 9NbeLqjEybKmsltQGURjORzPGX0Wmp0NMI7j.8FwPglXlgGZMM7E4HdlWkEbCSBIX5uC.rvvP2ec Y27Ve1HL1uuXbjIdIgP72ZEhm1AzrOxhowNqxp9MUdJ8NFCwC7iOnOBj.hXflLlYT5udpSMM_tFq Hzd4IZd45eQzOHZPbE_v1qHGvhONgFsXtbU9QO5sAPDJnbf21JOYG5yNPG37APbDnA9AJTS32N7v qm8Pseah68vlY_qR2nOYNGie4r_HjrbEVFWn8LMwDyEwpzKYVtdOqh8BL.mSfJozx0V_t51wVzC8 bu.8xp4LSN1iWM8.2ztbOmUKT6fEFnhNzljXw2WWwfXTB9PG.WHl5f9LDgZQ.69FhjjV4XgJlYXz igpc6.poNs6.Q.O20jkSZRCi7lwTVMr1Vgehj64g8api3OX.TVzSZR6bILE_vvqoxGiKUCY3ucSc e1ys0crXaQKSvBnCcDUBvzMq7hoQPFX.7vZw9RD22_caIWYImi4698wZ3HyCQes73jwEtQvNdIE3 MkEoic6PtGIPrstfTN8rYgXz18wOwlRKTQkLwnoTXsCbiBrZ8e5htcv1zrxGcf6Koe5URmXvW3Ws bgmeqicpLeyCjRWxA7U5JCi8v5RKg30OjoXLQFNzrr_te_imCMUfsJx632t09NFEmPPrh2MRo_3B A6MZsStS9p8TCM_oQXtVM0T2jOjTt8NG_IwcQ1SyKiQgbEzyh3V0qGOHPmPDnNe5fGA1N8QdACL4 bQomMVRIJiFmsFql85buY2FaZJTa9Jrij4Bf9NTTXRK6oVmcE5CtXNqbRd087_PKXTg306hTIfmT ssHN2fhmPmKLCv7hlErI3eU3qI_Q0cGwp9ACb2MsruI6seEMbipUKuq.QZ9_vIaRA5jz5Wat42Vr R8MirOgImNmHUBkl820Rextu37QZGKWzEhWeCYE4jWAxusQYKmu9yzSI6FVTLjDbaNg9qV7LQ6vR 71XoJ3fxlb_ZbrrdL94TWlwb1ttmYQITYcCT0CcthZWpN99YnjJ8jzMgeSGvT59vRQp2r9sFZF2G 7noCERcrLI_WGk0j05xGNacGmWGq1ztzaMyQ36jp.6WB6RWLgQRebxFxjkzUumNb9Vf5ZmFL7kga 81DEFIuEv.5Xa_eMSqCU.2Bw_13w7Sj0E0CJpaiG1muPkhXKXSQ2imuswVIROnCci64mqReSgOei ewRufB1JmcaddDHysSmwQ_Eq2sNmPLm3qFnFX7Z2ckr9nBpAnzggFPm51_KzOzWO7xPzUQRg3mxi JIewP.bM0UxWYNbnsBIFT4QKBUqyUfEyyKolrG8QhNRPLZlQidy1MQQl7LUxG0t9La_WGT3y918m 8P2XLeOU2Dh47TMaP74XaAo5X2QR0eh64MLHdKBKSBTlZCMYNFNRRiIZFPyWnz42C3.7DY9Al.Wn 69NUGJpDRxm5IiKo6ANMMAuY.2oUHT3v8uxGFgXybgaAfcVLuE8K9IkZ2wlgpBPVbKaGRHEyOo4W z1ksMheG3xHTPNr4hq4FhNDYeb.Ptkvt_2JgGEcVzWjpknAa3XD7VEGNZnSshdtyJzc_Llc8eoas gzHTOGGBsit.lhvIMWElaQMUpHA5kEa9ujwym5mVYhGZ1sq.1rDchJRZyLzHscZLh9XddoVLSoLr Ux1vY5N5_c4o-
X-Sonic-MF: <gffletch@aol.com>
Received: from sonic.gate.mail.ne1.yahoo.com by sonic306.consmr.mail.ne1.yahoo.com with HTTP; Thu, 24 Mar 2022 01:10:00 +0000
Received: by hermes--canary-production-bf1-665cdb9985-tmblj (VZM Hermes SMTP Server) with ESMTPA ID bec934da4975e51764ce273ace0f63c5; Thu, 24 Mar 2022 01:09:54 +0000 (UTC)
Content-Type: multipart/alternative; boundary="------------Y12CwTDvnDvnloZuDaspg4Ay"
Message-ID: <ca159e1d-ab58-4eb8-9171-e0aa0dfab9fe@aol.com>
Date: Wed, 23 Mar 2022 21:09:51 -0400
MIME-Version: 1.0
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:91.0) Gecko/20100101 Thunderbird/91.7.0
Content-Language: en-US
To: Pieter Kasselman <pieter.kasselman=40microsoft.com@dmarc.ietf.org>, Brock Allen <brockallen@gmail.com>, "oauth@ietf.org" <oauth@ietf.org>
References: <AM7PR83MB0452287B78E5B4780304F45891129@AM7PR83MB0452.EURPRD83.prod.outlook.com> <Mailbird-07e64951-c8a3-4cf0-853d-2ac710d77abd@gmail.com> <AM7PR83MB0452C946A20D116F13D7F28E91139@AM7PR83MB0452.EURPRD83.prod.outlook.com>
From: George Fletcher <gffletch@aol.com>
Organization: AOL LLC
In-Reply-To: <AM7PR83MB0452C946A20D116F13D7F28E91139@AM7PR83MB0452.EURPRD83.prod.outlook.com>
X-Mailer: WebService/1.1.19987 mail.backend.jedi.jws.acl:role.jedi.acl.token.atz.jws.hermes.aol
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/87FG9AEpHJJlhNqZE_QAyqKC_N0>
Subject: Re: [OAUTH-WG] [EXTERNAL] Re: Device Authorization Grant and Illicit Consent Exploits
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 24 Mar 2022 01:10:09 -0000

I just want to make a quick comment on the use of "proximity and 
location information". I used the device flow to authorize my son's 
device by having him text me the code so I could login on my device (in 
a different state) and provide his device access. If we close the door 
too much we will potentially impact good users :)

I agree that consent can be socially engineered... but think that it 
would be useful to improve that information so that the user 
authenticating to provide authorization could know where the device 
their authorizing is located. That could help users detecting that they 
are authorizing a device in a location that doesn't make sense to them.

Thanks,
George

On 3/18/22 8:21 AM, Pieter Kasselman wrote:
>
> Hi Brock
>
> Great point, and I would agree that better consent screens could help, 
> but I don’t think it is sufficient.
>
> One of the challenges with consent screens is that it makes 
> assumptions about the users abilities when they are being asked to 
> make decisions about things they do not fully appreciate or 
> understand. In addition, they are in a rush, are often trying to be 
> helpful and prone to grant consent (the framing in these social 
> engineering attacks can be very persuasive). Even users who are aware 
> of these exploits and understand the systems they interact with are 
> prone to be misled. Better guidance on the consent screen is 
> definitely something we should provide.
>
> I do think there is a defence in depth strategy that can reduce risk 
> by (1) avoiding asking the user for a decision by making back-end risk 
> decisions (2) augmenting the information presented to the user when 
> making the decisions and (3) mitigating against a decision made in error.
>
> Proximity and location information can for instance be used to bind 
> user codes to specific locations or inform the user on where the user 
> code was first presented, device status and/or location may be used to 
> make decisions on whether to allow device code flows to be used in the 
> first place and use of token binding (e.g. DPoP) may help defend 
> against attackers who are able to exfiltrate tokens from a device and 
> make lateral attacks.
>
> Anything we can do to encourage implementor to ask users to make fewer 
> decision, help them make better decisions and then protecting them in 
> case of a bad decision will help drive down risk.
>
> Cheers
>
> Pieter
>
> *From:*Brock Allen <brockallen@gmail.com>
> *Sent:* Thursday 17 March 2022 21:25
> *To:* Pieter Kasselman <pieter.kasselman@microsoft.com>; oauth@ietf.org
> *Subject:* [EXTERNAL] Re: [OAUTH-WG] Device Authorization Grant and 
> Illicit Consent Exploits
>
> I watched one of those videos and it seems to be that a proper consent 
> screen would have been the best and easiest line of defense. Is there 
> something more to the attacks where a better consent page (or any 
> consent page for that matter) would not have been sufficient?
>
> -Brock
>
>     On 3/17/2022 5:10:35 PM, Pieter Kasselman
>     <pieter.kasselman=40microsoft.com@dmarc.ietf.org> wrote:
>
>     Hi All
>
>     One of the agenda items for IETF 113 is the device authorization
>     grant flow (aka device code flow), scheduled for Thursday 24 March
>     2022.  Before the meeting, I wanted to share a bit more
>     information for those interested in the topic and also give those
>     who are unable to attend in person an opportunity to participate
>     in the conversation.
>
>     The Device Authorization Grant Flow (RFC 8682)
>     <https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fdatatracker.ietf.org%2Fdoc%2Fhtml%2Frfc8628&data=04%7C01%7Cpieter.kasselman%40microsoft.com%7Cdab129df96fb4fe03c7908da085c8dae%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637831490884440262%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C2000&sdata=EswcNYKNZWEAWLBuOvQytd8TMlgpgUxIk0E%2FlfKkRIk%3D&reserved=0>solves
>     an important problem by enabling authorization flows on devices
>     that are unable to support a browsers or have limited input
>     capabilities. However, looking back over the past 18-24 months,
>     there have been a number of practical exploits published that use
>     social engineering techniques applied to the device authorization
>     grant flow.
>
>     The goal of the session at IETF 113 is to discuss the patterns of
>     the exploits that are known and start a conversation on what (if
>     anything) we should do, based on what we are learning.
>
>     These exploits follow a general man-in-the-middle (MITM) pattern,
>     where the attacker:
>
>      1. Initiates the Device Authorization Grant flow on a device
>         under their control,
>      2. Presents the user code in a context that the end-user is
>         likely to act on (using social engineering techniques), and
>      3. Once the user grants access, retrieves the access and refresh
>         tokens and uses them to access the user’s resources.
>
>     Some of the exploits are described here for those interested in
>     more detail:
>
>      1. The Art of the Device Code Phish - Boku (0xboku.com)
>         <https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2F0xboku.com%2F2021%2F07%2F12%2FArtOfDeviceCodePhish.html&data=04%7C01%7Cpieter.kasselman%40microsoft.com%7Cdab129df96fb4fe03c7908da085c8dae%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637831490884440262%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C2000&sdata=%2B71AMxS1m4aBTrX8e76UiXs%2Fa%2F22dfxen1pI9Ln17Ig%3D&reserved=0>
>      2. Microsoft 365 OAuth Device Code Flow and Phishing | Optiv
>         <https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.optiv.com%2Finsights%2Fsource-zero%2Fblog%2Fmicrosoft-365-oauth-device-code-flow-and-phishing&data=04%7C01%7Cpieter.kasselman%40microsoft.com%7Cdab129df96fb4fe03c7908da085c8dae%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637831490884440262%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C2000&sdata=I6tnZsOgj6fl9aYbfXe98wKf%2B5M7X%2FHEu8Umn3cui7Q%3D&reserved=0>
>
>          1. optiv/Microsoft365_devicePhish: A proof-of-concept script
>             to conduct a phishing attack abusing Microsoft 365 OAuth
>             Authorization Flow (github.com)
>             <https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2Foptiv%2FMicrosoft365_devicePhish&data=04%7C01%7Cpieter.kasselman%40microsoft.com%7Cdab129df96fb4fe03c7908da085c8dae%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637831490884440262%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C2000&sdata=hVXdTbLAkdBXAepI26qG5J3poSzquok1sgUwdLGPNTg%3D&reserved=0>
>
>      3. Introducing a new phishing technique for compromising Office
>         365 accounts (o365blog.com)
>         <https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fo365blog.com%2Fpost%2Fphishing%2F%23new-phishing-technique-device-code-authentication&data=04%7C01%7Cpieter.kasselman%40microsoft.com%7Cdab129df96fb4fe03c7908da085c8dae%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637831490884490234%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C2000&sdata=KXDXJ8dDBdKxT72jIl8pa2BksAXiKc8N0%2F0NThYiN5Q%3D&reserved=0>
>      4. DEF CON 29 - Jenko Hwong - New Phishing Attacks Exploiting
>         OAuth Authentication Flows - YouTube
>         <https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.youtube.com%2Fwatch%3Fv%3D9slRYvpKHp4&data=04%7C01%7Cpieter.kasselman%40microsoft.com%7Cdab129df96fb4fe03c7908da085c8dae%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637831490884490234%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C2000&sdata=KWmBAf3pYGdVzT6LeNhgT7t%2BybfnFdGMVJxLbDrD5vo%3D&reserved=0>
>
>     In terms of a response, there are a few options that come to mind
>     (these are not exhaustive, I would love to see what others have in
>     mind as well):
>
>      1. Do nothing: We can choose to leave everything as is. The
>         downside of this is that the lessons we are learning are not
>         getting disseminated or resulting in reduced risks.
>      2. Update the recommendations: We can document the social
>         engineering exploits and recommend some additional mitigations
>         as well as recommendations in terms of use cases. Although
>         these types of "phishing"/social engineering attacks are
>         called out in the security considerations in RFC 8628 - OAuth
>         2.0 Device Authorization Grant
>         <https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fdatatracker.ietf.org%2Fdoc%2Fhtml%2Frfc8628&data=04%7C01%7Cpieter.kasselman%40microsoft.com%7Cdab129df96fb4fe03c7908da085c8dae%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637831490884490234%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C2000&sdata=6YYkNcG2GC32KSDdWU792bkXnr6GQaRen%2F02560aSRA%3D&reserved=0>,
>         we can add further mitigations to create greater defence in
>         depth. This will help future implementers and may even be
>         useful for future protocols that rely on a similar
>         cross-device authentication and authorization flows.
>      3. Explore alternatives: Develop, adopt, or evolve new protocols
>         that address the scenario while mitigating or avoiding the risks.
>
>     Option A does not do much to improve the state of the art. Option
>     B feels like something we can do now, and we may learn something
>     along the way that can help inform Option C, which may be much
>     further down the road and require more research. What other
>     options come to mind?
>
>     I’m looking forward to the conversation and hearing what others
>     are thinking about this topic.
>
>     Cheers,
>
>     Pieter
>
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth

v2.23.0 | Report a Bug | By Email