Re: [OAUTH-WG] OAuth2 attack surface....

John Bradley <ve7jtb@ve7jtb.com> Mon, 25 February 2013 23:18 UTC

From: John Bradley <ve7jtb@ve7jtb.com>
In-Reply-To: <B33BFB58CCC8BE4998958016839DE27E068A104F@IMCMBX01.MITRE.ORG>
Date: Mon, 25 Feb 2013 15:18:26 -0800
Message-Id: <F6BDBB59-8832-4C50-89E9-6844B83BD97E@ve7jtb.com>
References: <1361830944.13340.YahooMailNeo@web31812.mail.mud.yahoo.com> <E4A6D91D-2BC8-4F2E-9B1C-D1362A0E3608@oracle.com> <1361831644.50183.YahooMailNeo@web31801.mail.mud.yahoo.com> <1361832133.97884.YahooMailNeo@web31816.mail.mud.yahoo.com> <B33BFB58CCC8BE4998958016839DE27E068A104F@IMCMBX01.MITRE.ORG>
To: "Richer, Justin P." <jricher@mitre.org>
Cc: O Auth WG <oauth@ietf.org>
Subject: Re: [OAUTH-WG] OAuth2 attack surface....

Agreed, though we can't assume that there won't be other browser bugs that can be exploited in similar ways. 

Facebook automatically adding their debug page to the redirect URI of every client was...

We need to reinforce care around redirect URIs; Connect is much more restrictive than OAuth.

I think a client registering its response types is a good idea; I see it is already in the IETF registration spec.

John B.

On 2013-02-25, at 2:58 PM, "Richer, Justin P." <jricher@mitre.org> wrote:

> From my read, it's a combination of browser bugs (it only affects Chrome) and Facebook's insistence on using the Implicit flow for everything. 
> 
> While I don't at all care for the "sky is falling" rhetoric that seems to follow OAuth2, the author has some good suggestions for implementations: binding redirect URIs to particular flows, preference for the code flow, not using a default redirect_uri on a hosted domain with user-generated content.
> 
> But all of these are implementation issues that the OAuth2 protocol can't really address directly.
> 
> -- Justin
> 
> 
> On Feb 25, 2013, at 5:42 PM, William Mills <wmills_92105@yahoo.com> wrote:
> 
>> 
>> 
>> DOH!!!  http://homakov.blogspot.co.uk/2013/02/hacking-facebook-with-oauth2-and-chrome.html
>> 
>> From: Phil Hunt <phil.hunt@oracle.com>
>> To: William Mills <wmills_92105@yahoo.com> 
>> Sent: Monday, February 25, 2013 2:28 PM
>> Subject: Re: [OAUTH-WG] OAuth2 attack surface....
>> 
>> What's the link?
>> 
>> Phil
>> 
>> Sent from my phone.
>> 
>> On 2013-02-25, at 14:22, William Mills <wmills_92105@yahoo.com> wrote:
>> 
>>> I think this is worth a read, I don't have time to dive into this :(
>>> _______________________________________________
>>> OAuth mailing list
>>> OAuth@ietf.org
>>> https://www.ietf.org/mailman/listinfo/oauth
>> 
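As an added illustration of the points raised in this thread (exact redirect URI matching, binding the registered redirect URIs to a particular flow, and clients registering their response types), the following is example code written for this archive page; it is not code from the OAuth WG, from Facebook, or from any implementation discussed above. It assumes an in-memory client registry whose entries carry `redirect_uris` and `response_types` lists, named after the metadata fields in the IETF dynamic client registration work the reply mentions; the registry contents are constructed sample data.

```python
"""Authorization-request validation against a client registration.

Added example for this mailing-list thread, not code from the IETF OAuth
WG or from any implementation it discusses. Assumes a registry keyed by
client_id holding the client's registered redirect_uris and
response_types (names taken from the IETF registration metadata).
"""
from urllib.parse import urlsplit

# Constructed sample registry: a confidential web client registered for
# the code flow only, and a browser client registered for the implicit flow.
CLIENTS = {
    "web-app": {
        "redirect_uris": ["https://app.example.com/oauth/callback"],
        "response_types": ["code"],
    },
    "spa": {
        "redirect_uris": ["https://spa.example.com/cb"],
        "response_types": ["token"],
    },
}


def lax_redirect_ok(client_id, redirect_uri):
    """Weak check shown for contrast: accepts any URI on a registered host.

    This is the pattern the thread warns about: every page on the host
    (a debug page, user-generated content) becomes a valid place for the
    authorization response to land.
    """
    for registered in CLIENTS[client_id]["redirect_uris"]:
        if urlsplit(redirect_uri).netloc == urlsplit(registered).netloc:
            return True
    return False


def validate_authorization_request(client_id, redirect_uri, response_type):
    """Strict check: exact redirect_uri match and response_type bound to the client.

    Returns None when the request is acceptable, otherwise a short reason
    string. On a redirect_uri failure the server must not redirect at all;
    the error is shown to the user instead (the usual OAuth 2.0 rule).
    """
    client = CLIENTS.get(client_id)
    if client is None:
        return "unknown client_id"

    # Omitted redirect_uri: fall back to the registered one only when the
    # registration is unambiguous. This is only as safe as the registered
    # URI itself; a default on a shared host with user content is still bad.
    if redirect_uri is None:
        if len(client["redirect_uris"]) != 1:
            return "redirect_uri required: client has several registered URIs"
        redirect_uri = client["redirect_uris"][0]

    # Exact string comparison: no prefix, wildcard or host-only matching,
    # and no normalisation that an attacker-controlled path could satisfy.
    if redirect_uri not in client["redirect_uris"]:
        return "redirect_uri not registered for this client"

    # Bind the flow to the registration: a client registered for the code
    # flow only cannot be made to receive a token in the URI fragment.
    # Composite values such as "code token" must be registered verbatim.
    if response_type not in client["response_types"]:
        return "response_type not registered for this client"

    return None


if __name__ == "__main__":
    print(validate_authorization_request(
        "web-app", "https://app.example.com/oauth/callback", "code"))
    print(validate_authorization_request(
        "web-app", "https://app.example.com/debug", "code"))
    print(validate_authorization_request(
        "web-app", "https://app.example.com/oauth/callback", "token"))
```

`lax_redirect_ok` is included only to make the contrast concrete: a host-level match lets any path on the registered host pass, which is exactly the exposure the thread describes. The strict validator treats the registered redirect URI as an opaque string and refuses any response type the client did not register, so the choice of flow is made at registration time rather than by whoever constructs the authorization request.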