[OAUTH-WG] hijacking client's user account
mar adrian belen <maradrianbelen@gmail.com> Tue, 21 April 2015 00:55 UTC
Date: Tue, 21 Apr 2015 08:55:25 +0800
Message-ID: <CAAd3nNoprEPext8x6roS=pyHWaNVZJ4r_5mtFGch88q2=TqaPA@mail.gmail.com>
From: mar adrian belen <maradrianbelen@gmail.com>
To: oauth@ietf.org
Archived-At: <http://mailarchive.ietf.org/arch/msg/oauth/8zqsjsDyxhF-BXTYegTA3gBxpGk>
Some web applications are using OAuth 2 technology as a login alternative. I found a way to access a client application using an unverified email (the victim's email) on an OAuth provider, if the OAuth provider allows an unverified email to use its OAuth service, which can be abused by the attacker. This is possible if the client provider directly logs the user in (using OAuth) if his email already exists in their records.

* User Joe has an account on CLIENT A using his email address victimjoe@test.com, but does not have an OAuth provider account. The attacker knows that.
* Now the attacker creates a new OAuth provider account using victimjoe@test.com.
* Because an unverified email can use the OAuth provider's OAuth, and CLIENT A is using the OAuth provider's OAuth as an alternative login, the attacker can now access the victim's client application (CLIENT A) account using the login alternative function.

You can try GitHub (OAuth provider) and https://sprint.ly/ (client):
https://www.dropbox.com/s/jhrgn311i0e28pc/hijackoauthclient_x264.mp4?dl=0
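As an added illustration (not part of the post or of any of the services it names), the account-linking pattern the message describes beside a hardened version that refuses to auto-link a provider identity to an existing local account unless the provider asserts the email is verified. The `profile` dict, the `sub` key and the `email_verified` key (named after the OpenID Connect claim) are assumptions; providers that omit the claim are treated as unverified.

```python
from dataclasses import dataclass, field


@dataclass
class LocalAccount:
    """A client-application (CLIENT A) account; linked_subs holds the
    provider subject ids that are allowed to log into it."""
    email: str
    linked_subs: set = field(default_factory=set)


class LinkingRequired(Exception):
    """Caller must prove ownership of the local account (password or
    email challenge) before this provider identity is linked."""


def vulnerable_login(users, profile):
    """Pattern from the post: trust the provider's email unconditionally
    and log the caller straight into the matching local account."""
    account = users.setdefault(profile["email"], LocalAccount(profile["email"]))
    account.linked_subs.add(profile["sub"])
    return account


def safe_login(users, profile):
    """Hardened variant: returning users are matched on the stable subject
    id; a new identity may attach to an existing account only if the
    provider says the email is verified."""
    sub, email = profile["sub"], profile["email"]
    for account in users.values():
        if sub in account.linked_subs:
            return account                       # already linked: normal login
    verified = bool(profile.get("email_verified", False))  # missing => unverified
    if email in users:
        if not verified:
            raise LinkingRequired(email)         # blocks the hijack described above
        account = users[email]
    else:
        account = users[email] = LocalAccount(email)
    account.linked_subs.add(sub)
    return account


def fresh_users():
    """Constructed state: Joe already has a CLIENT A account."""
    return {"victimjoe@test.com": LocalAccount("victimjoe@test.com")}


def demo():
    """Attacker registered victimjoe@test.com at the provider without verifying it."""
    attacker = {"sub": "idp-user-9999", "email": "victimjoe@test.com", "email_verified": False}
    hijacked = vulnerable_login(fresh_users(), attacker).email == "victimjoe@test.com"
    try:
        safe_login(fresh_users(), attacker)
        blocked = False
    except LinkingRequired:
        blocked = True
    return hijacked, blocked
```

`demo()` returns `(True, True)`: the naive handler hands the attacker Joe's account, the hardened one refuses to link until ownership is proven.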