IETF Logo Mail Archive

[OAUTH-WG] A Scope Attack against OAuth 2.0

Wenjie Lin <lin.820@osu.edu> Sat, 18 February 2012 02:07 UTC

Return-Path: <wenjielin.bupt@gmail.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id EC3CD11E80C5 for <oauth@ietfa.amsl.com>; Fri, 17 Feb 2012 18:07:38 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.117
X-Spam-Level:
X-Spam-Status: No, score=-1.117 tagged_above=-999 required=5 tests=[BAYES_20=-0.74, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id wMkWbU9JuWKh for <oauth@ietfa.amsl.com>; Fri, 17 Feb 2012 18:07:37 -0800 (PST)
Received: from mail-iy0-f172.google.com (mail-iy0-f172.google.com [209.85.210.172]) by ietfa.amsl.com (Postfix) with ESMTP id A32CE11E80B7 for <oauth@ietf.org>; Fri, 17 Feb 2012 18:07:37 -0800 (PST)
Received: by iagf6 with SMTP id f6so6200188iag.31 for <oauth@ietf.org>; Fri, 17 Feb 2012 18:07:37 -0800 (PST)
Received-SPF: pass (google.com: domain of wenjielin.bupt@gmail.com designates 10.50.34.164 as permitted sender) client-ip=10.50.34.164;
Authentication-Results: mr.google.com; spf=pass (google.com: domain of wenjielin.bupt@gmail.com designates 10.50.34.164 as permitted sender) smtp.mail=wenjielin.bupt@gmail.com; dkim=pass header.i=wenjielin.bupt@gmail.com
Received: from mr.google.com ([10.50.34.164]) by 10.50.34.164 with SMTP id a4mr439613igj.14.1329530857399 (num_hops = 1); Fri, 17 Feb 2012 18:07:37 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=mime-version:sender:from:date:x-google-sender-auth:message-id :subject:to:content-type; bh=H/50Oda3YVDjvpz6dHdsOBV7Sf5f39qRmEtraN6xGjk=; b=ev7RI0BbnCPAzKDsdNP5NNGz0YPXJSd0uxz0utMdjUebpnoCh+WYN++mVoHc9IeP/n F4gNNAZmtlSp7tng/hHJlFpCCFxOFbGjlCHFvCXbkGxvwnq1eVfBM0EloPX4RRFhZLP0 XEDYonn0G25QaZBC+fSWQdP2pk9kFiNKdvIz0=
Received: by 10.50.34.164 with SMTP id a4mr361887igj.14.1329530857328; Fri, 17 Feb 2012 18:07:37 -0800 (PST)
MIME-Version: 1.0
Sender: wenjielin.bupt@gmail.com
Received: by 10.42.139.138 with HTTP; Fri, 17 Feb 2012 18:07:17 -0800 (PST)
From: Wenjie Lin <lin.820@osu.edu>
Date: Fri, 17 Feb 2012 18:07:17 -0800
X-Google-Sender-Auth: kLkN58LzsmISi4Gz49ehvBPDBYo
Message-ID: <CAGmQQ9eorSS8jWgHZzw_Bq6Eb4Qj+fZ0NUuQx_KJwC_rasUCnA@mail.gmail.com>
To: oauth@ietf.org
Content-Type: multipart/alternative; boundary="14dae934050f78105c04b9338619"
Subject: [OAUTH-WG] A Scope Attack against OAuth 2.0
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 18 Feb 2012 02:07:39 -0000

We describe an attack on OAuth 2.0 (draft-ietf-oauth-v2-23), called *scope
attack*, provide a live-demo of the attack on Facebook, and propose a fix
with discussions.



*Scope Attack*

OAuth authorization of services is associated with service agreement scope.
For instance, Client provides an online game to User with a service
agreement scope* A:* *User authorizes Client to access his profile
information and to post messages on his behalf*. A malicious User can
request for online game with service agreement scope* A*, manipulate the
scope field, and change it to scope* B*: *User authorizes Client to access
his profile information*. User can still play the games,  yet Client can’t
post messages on User’s behalf, as originally agreed.

OAuth 2.0 authorization code grant and implicit grant are vulnerable to the
scope attack.



*A Scope Attack Scenario*

(1) Authorization Server: Facebook (authorization code grant)

(2) Client: Online gaming company Game. It allows User to play the games
with the service agreement scope* A: User authorizes Game to access his
profile information and post messages on his behalf*.

(3) User: malicious User with an account at Facebook. He attempts to play
the games yet without authorizing Game to post messages on his behalf, that
is, he changes the scope from *A* to *B: authorization of Client to access
his profile information *only.



*Attack Workflow*

(1) User requests Game (Client) for permission to play games, instantiating
OAuth 2.0 with scope* A*.

(2) Game generates an authorization request with a scope specification *A*,
and redirects User to Facebook with the request.

(3) User manipulates the scope field and changes it to scope* B*. The
modified request is then sent to Facebook.

(4) User grants the modified request.

(5) Facebook redirects User back to Game with the authorization code.

(6) Game exchanges the authorization code for an access token. However it
has no knowledge that the scope* A* has been changed to scope* B*.

(7) Game provides online gaming service to User. However, Game can’t post
messages on User’s Facebook page.



*A Live-Demo: Facebook and CastleVille* (IE and Safari tested)

Step 1: Login Facebook and visit Facebook Apps and Game page

https://www.facebook.com/games

Step 2: Click CastleVille.

Step 3: When you see the Request for Permission page, instead of

clicking “Allow”, change the scope field in the URL from your browser
from  “scope=email%2Cpublish_stream%2Cpublish_actions”
to “scope=email%2Cpublish_stream”.

Step 4: After the modification, press ENTER to send the modified

request to Facebook. Now you will see the modified Request of Permission
page.

Step 5: Click on “Allow” button and enjoy the game.

(video: http://www.youtube.com/watch?v=zkmjLa3VU9w)



*Impact*

Client provides services to malicious User yet with the modified service
agreement scope by User’s design.



*Manipulating Scope Field*

The scope field in access token response is required ONLY IF Authorization
Server observes that the User authorized scope is different than the
original scope. Consequently, User can manipulate the scope field so that
Authorization Server cannot detect the change of the scope. As a result
Client provides the services yet can’t obtain the information that is
specified in the scope of the original service agreement.

* *Client can verify the service agreement scope by checking all the fields
against the original User request before providing the requested services
to User.  For instance, Client can verify the granted permissions if
Authorization Server (e.g. Facebook)  provides an API. However, this is out
of the scope of OAuth 2.0, and Client may not check it. We observe: all top
five games recommended by Facebook are vulnerable to the scope attack.



*Proposed Fix*

Draft-ietf-oauth-v2-23 Section 5.1:

*Change from*

“scope

         OPTIONAL, if identical to the scope requested by the client,

         otherwise REQUIRED.”

*to *

“scope REQUIRED” /* scope: User authorized scope */



*Remarks*

(1) The proof of the correctness of OAuth with our proposed fix will be
published in an article: “*OAuth 2.0 – Attacks, Fixes, Correctness, and
Generalizations*, Wenjie Lin, David Lee and Steve Lai, to appear”.**

(2) The implicit grant is also vulnerable to the scope attack. However it
cannot be fixed by enforcing scope field in access token response as above;
User can change the scope in response before being redirected to Client.**

* *

Wenjie Lin, The Ohio State University

David Lee, HP Labs and The Ohio State University

Steve Lai, The Ohio State University

v2.23.0 | Report a Bug | By Email