[OAUTH-WG] XARA vulnerability Paper and PKCE

Nat Sakimura <sakimura@gmail.com> Thu, 18 June 2015 14:06 UTC

Return-Path: <sakimura@gmail.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com []) by ietfa.amsl.com (Postfix) with ESMTP id 49B571B31DD for <oauth@ietfa.amsl.com>; Thu, 18 Jun 2015 07:06:06 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.701
X-Spam-Status: No, score=0.701 tagged_above=-999 required=5 tests=[BAYES_50=0.8, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([]) by localhost (ietfa.amsl.com []) (amavisd-new, port 10024) with ESMTP id CpuZ5tmJUr9M for <oauth@ietfa.amsl.com>; Thu, 18 Jun 2015 07:06:04 -0700 (PDT)
Received: from mail-ob0-x22a.google.com (mail-ob0-x22a.google.com [IPv6:2607:f8b0:4003:c01::22a]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id AC92B1B31B2 for <oauth@ietf.org>; Thu, 18 Jun 2015 07:06:04 -0700 (PDT)
Received: by obbsn1 with SMTP id sn1so54672396obb.1 for <oauth@ietf.org>; Thu, 18 Jun 2015 07:06:04 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:date:message-id:subject:from:to:content-type; bh=Mm0BsU65YKJExQcjGh3UzmwS8MFCTpx7fLUsnE87xDs=; b=JAlp8Vawm1TxEgq1PghLdFH9EySoLYm2EUWA4Fkikpuj2b2u6T4xcl7Fc/hfOUA7vP /xxseY+Dgnb+nauz7c5rr3DyJWf9TzpJwhQIekROqY1lxCTACVjeoYcD40VgIa/aE2Lm wa+mie7MYAMtfO1TfkLpAaNhbLvBDjEDb3WO1weys/ub6/u5kUz92+4oLCjaHGwTfwp0 2HwTWfJ15B2BRQVtlxeDw0r6z6UyTYzBEfSZhVX9DBkHT+Gy+qzfP0XRyA1skYfHoF3V LBHqTWQsqXZoMI4aW7rWNGchBAk9Mlc9hhWXhR91NcnZ0qorUmmymjRdmk/EtQhbQccs ZbRA==
MIME-Version: 1.0
X-Received: by with SMTP id jp1mr9233055obb.53.1434636364138; Thu, 18 Jun 2015 07:06:04 -0700 (PDT)
Received: by with HTTP; Thu, 18 Jun 2015 07:06:04 -0700 (PDT)
Date: Thu, 18 Jun 2015 23:06:04 +0900
Message-ID: <CABzCy2Dj3O6vqozkhj=cFQ4QUisNQjAa9zQbEccwOrvsXZjRdQ@mail.gmail.com>
From: Nat Sakimura <sakimura@gmail.com>
To: oauth <oauth@ietf.org>
Content-Type: multipart/alternative; boundary=089e01182cf2ddd0c80518cb4e1a
Archived-At: <http://mailarchive.ietf.org/arch/msg/oauth/8g1PcEPdmiyZpTTyCODojpbQXdI>
Subject: [OAUTH-WG] XARA vulnerability Paper and PKCE
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 18 Jun 2015 14:06:06 -0000

Hi OAuthers:

XARA (Cross App Resource Access) paper was gaining interest here in Japan
today because of the Register article[1].
I went over the attack description in the full paper [2].
The paper presents four kinds of vulnerabilities.

   1. Password Stealing (Keychain)
   2. Container Cracking (BundleID check bug on the part of Apple App Store)
   3. IPC Interception (a. WebSocket non-authentication, and b. local oauth
   4. Scheme Hijacking

Of those, 3.b and 4 are relevant to us, and we kind of knew them all the
way through.
These are the target attack that PKCE specifically wants to address, and
does address, I believe.

[2] https://sites.google.com/site/xaraflaws/

Nat Sakimura (=nat)
Chairman, OpenID Foundation