Re: [OAUTH-WG] XARA vulnerability Paper and PKCE

Bill Mills <> Thu, 18 June 2015 18:21 UTC

To: John Bradley <>, Nat Sakimura <>
Cc: oauth <>

There are other bits of sensitive info that might pass via redirect and be intercepted due to the scheme handler insecurity. It's not just OAuth or other such tokens, although they are significant.

On Thursday, June 18, 2015 10:25 AM, John Bradley <> wrote:

Passing the FB token between apps on the device is not a real use of the implicit flow; Facebook may be reusing the pattern in an insecure way.
The NAPPS WG at the OIDF recognized that was insecure a long time ago. We are looking to use the S256 PKCE transform to secure similar sorts of on-device communication of code between an OAuth proxy on the device and an app.
John B.

On Jun 18, 2015, at 12:25 PM, Nat Sakimura <> wrote:
Yup. Obviously, PKCE is for Code Flow and does not deal with Implicit flow. The best bet probably is to stop using Implicit flow for passing tokens around among apps, unless the token is capable of being sender confirmed.
2015-06-18 23:47 GMT+09:00 Bill Mills <>:

PKCE solves a subset of this, but not the general case. It doesn't solve the FB example in the paper where the FB token is passed between apps locally.
It is a clear win for the OAuth code flow for example though.

On Thursday, June 18, 2015 7:31 AM, Nat Sakimura <> wrote:

Hi OAuthers:
The XARA (Cross App Resource Access) paper was gaining interest here in Japan today because of the Register article [1]. I went over the attack description in the full paper [2].
The paper presents four kinds of vulnerabilities.
   1. Password Stealing (Keychain)
   2. Container Cracking (BundleID check bug on the part of Apple App Store)
   3. IPC Interception (a. WebSocket non-authentication, and b. local OAuth redirect)
   4. Scheme Hijacking
Of those, 3.b and 4 are relevant to us, and we kind of knew them all the way through.
These are the target attacks that PKCE specifically wants to address, and does address, I believe.


Nat Sakimura (=nat)
Chairman, OpenID Foundation
OAuth mailing list