IETF Logo Mail Archive

Re: [OAUTH-WG] Phishing with Client Application Name Spoofing

André DeMarre <andredemarre@gmail.com> Wed, 10 May 2017 21:16 UTC

Return-Path: <andredemarre@gmail.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 38A1D127871 for <oauth@ietfa.amsl.com>; Wed, 10 May 2017 14:16:01 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.698
X-Spam-Level:
X-Spam-Status: No, score=-2.698 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id plB3QfT3gGvC for <oauth@ietfa.amsl.com>; Wed, 10 May 2017 14:15:59 -0700 (PDT)
Received: from mail-wm0-x22c.google.com (mail-wm0-x22c.google.com [IPv6:2a00:1450:400c:c09::22c]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C4801128959 for <oauth@ietf.org>; Wed, 10 May 2017 14:15:58 -0700 (PDT)
Received: by mail-wm0-x22c.google.com with SMTP id b84so19142070wmh.0 for <oauth@ietf.org>; Wed, 10 May 2017 14:15:58 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:in-reply-to:references:from:date:message-id:subject:to; bh=IwRHdgTN80OAuMqd0+jX49SAsfRccUrLvMMQ+/5m2ds=; b=UbSCLYJ4DrsN6O9LFfblZe4CWA2KWbrHxIEKPiCPJsYG8Z30URqM4yLoIYGJYntV/+ o5Rz6GWCWWVwfe2b+LVqeCiaJve5PhQFEMnucfy3cLN57P1RvN1V6U7NbGnV6poDXM3o 4P4mZu0NBqtEigdTEyKbTKuxvKSESN2fjHjH5JmKk3ld/oWGb48u0l5t61pvE4b27N09 WyDcr2iiUkm3mOaL1qG2Aql6Ho7YFioSIsVIa6C7sBiGg+AFCL9o7zhISL9j5veymNeg hDxhJ22v8uvYPpCe3JQRpchE72eb8uTJgXiZAIGr0PhXIKLrwwyqR0d7r7ZBiK2b7eEv f63g==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to; bh=IwRHdgTN80OAuMqd0+jX49SAsfRccUrLvMMQ+/5m2ds=; b=PfrkiB4/1nBsJCht7WozqrnBLSZFZP7WgA7yWOqnMIsKTyeAUcTJcsBmECQ4shOt1Q tGBkuN0xbPjhyQjWjp0gCVf4VUUb7fm0vcUA26Cp4WZa3gKimtPpkAmgUV1L1JGmbGqm xAtdvIzm2i61hlk5gh2FIxnDMYJeV4ICFPXmNeNhgixP5YCgtw365Fo8VWrUhrhknW1C zmPOEFp5WCoucMaaAM2mSd5zmB5vl18OxR8G5EXQC5eGrbgWrRy66caqjVs7HorqSa8l Vx049mRPtJyV422az+T36pSduYczT6c/FAw/cTVZ+y0DCUs3lagjLIiry8+0B4V0e48K CxrQ==
X-Gm-Message-State: AODbwcB2yo8Uecfg/uZuB64a5YGV+cfJfCPbggFNtT2v2KNf6R9pAqon o+b3SbMvilHR6s2++6F9bMMvb1yVpA==
X-Received: by 10.80.182.174 with SMTP id d43mr5812366ede.56.1494450957085; Wed, 10 May 2017 14:15:57 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.80.146.221 with HTTP; Wed, 10 May 2017 14:15:56 -0700 (PDT)
In-Reply-To: <OF5C384B1A.F3404884-ON80257988.0041A466-80257988.00427E0B@ie.ibm.com>
References: <CAEwGkqDscS5ke4KmoVUF3nDjS-1b+SuT_hCb59+rCuokmhPOVQ@mail.gmail.com> <90C41DD21FB7C64BB94121FBBC2E723453A754C534@P3PW5EX1MB01.EX1.SECURESERVER.NET> <CAEwGkqDV8qdYPyHYNtBF-SXLGA0CDxOgbCszafhp4ejuVwuT_w@mail.gmail.com> <OF5C384B1A.F3404884-ON80257988.0041A466-80257988.00427E0B@ie.ibm.com>
From: André DeMarre <andredemarre@gmail.com>
Date: Wed, 10 May 2017 14:15:56 -0700
Message-ID: <CAEwGkqCjDf7EC6PSUEdwK_Y3hK_iayY0MU8R4XdZFEhFn-ebYA@mail.gmail.com>
To: OAuth WG <oauth@ietf.org>
Content-Type: multipart/alternative; boundary="f403045c0bd66e73eb054f31fa6c"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/A-O4OZeOpVOt1xH_it_p22-a87I>
Subject: Re: [OAUTH-WG] Phishing with Client Application Name Spoofing
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 10 May 2017 21:16:01 -0000

I see there is a new security considerations document being drafted. There
is an old issue that I've recently been reminded of.

Should text about phishing conducted through the authorization dialog be
added to the new security document? This kind of attack made headlines last
week with a widespread Gmail / Google Docs phishing worm (
https://security.googleblog.com/2017/05/protecting-you-against-phishing.html
).

Five years ago, I was encouraged to propose text about this for the Threat
Model and Security Considerations document, but I never did; sorry.
Original thread in the mail archive: https://www.ietf.org/mail-arch
ive/web/oauth/current/msg07625.html

This concerns both authorization dialog design and client registration, and
as far as I know it's not really covered in any published documents. I'm
not entirely sure what mitigations should be recommended, but I think
authorization server implementers need to be more cognizant of this attack.

Regards,
Andre DeMarre

On Tue, Jan 17, 2012 at 4:06 AM, Mark Mcgloin <mark.mcgloin@ie.ibm.com>
wrote:

> Andre
>
> Please feel free to propose text, perhaps with a better title than I
> suggested. During our discussion on section 4.1.4 (End-user credentials
> phished using compromised or  embedded browser), we have decided on the
> countermeasure below, albeit for a different threat - phishing client as
> opposed to client name spoofing. Your's can be a variant of this with
> different validation recommendations.
>
>
> 2. Client applications could be validated prior to publication in an
> application market for users to access. That validation is out of scope for
> OAuth but could include validating that the client application handles user
> authentication in an appropriate way
>
>
> Regards
> Mark
>
> André DeMarre <andredemarre@gmail.com> wrote on 16/01/2012 23:20:02:
>
> >
> > To:
> >
> > Eran Hammer <eran@hueniverse.com> 16/01/2012 23:22
> >
>
> >
> > Re: [OAUTH-WG] Phishing with Client Application Name Spoofing
> >
> > Eran,
> >
> > Yes; I think a section should be added to the security model doc.
> >
> > On 2011-12-16 Mark Mcgloin agreed and suggested we call it "Client
> > Registration of phishing clients":
> > http://www.ietf.org/mail-archive/web/oauth/current/msg08061.html
> >
> > I'm happy to propose the text; it might be one or two days though.
> >
> > Regards,
> > Andre DeMarre
> >
> > On Mon, Jan 16, 2012 at 10:30 AM, Eran Hammer <eran@hueniverse.com>
> wrote:
> > > Should this be added to the security model document? Is it already
> > addressed there?
> > >
> > > EHL
> > >
> > >> -----Original Message-----
> > >> From: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] On
> Behalf
> > >> Of André DeMarre
> > >> Sent: Tuesday, October 04, 2011 11:33 AM
> > >> To: OAuth WG
> > >> Subject: [OAUTH-WG] Phishing with Client Application Name Spoofing
> > >>
> > >> I've not seen this particular variant of phishing and client
> impersonation
> > >> discussed. A cursory search revealed that most of the related
> discussion
> > >> centers around either (a) client impersonation with stolen client
> > credentials
> > >> or (b) phishing by malicious clients directing resource owners to
> spoofed
> > >> authorization servers. This is different.
> > >>
> > >> This attack exploits the trust a resource owner has for an OAuth
> > >> authorization server so as to lend repute to a malicious client
> > pretending to
> > >> be from a trustworthy source. This is not necessarily a direct
> > vulnerability of
> > >> OAuth; rather, it shows that authorization servers have a
> responsibility
> > >> regarding client application names and how they present resource
> owners
> > >> with the option to allow or deny authorization.
> > >>
> > >> A key to this exploit is the process of client registration with
> > the authorization
> > >> server. A malicious client developer registers his client
> > application with a
> > >> name that appears to represent a legitimate organization which
> resource
> > >> owners are likely to trust. Resource owners at the authorization
> endpoint
> > >> may be misled into granting authorization when they see the
> authorization
> > >> server asserting "<some trustworthy name> is requesting permission
> to..."
> > >>
> > >> Imagine someone registers a client application with an OAuth service,
> let's
> > >> call it Foobar, and he names his client app "Google, Inc.". The Foobar
> > >> authorization server will engage the user with "Google, Inc. is
> requesting
> > >> permission to do the following." The resource owner might reason, "I
> see
> > >> that I'm legitimately on the https://www.foobar.com site, and Foobar
> is
> > >> telling me that Google wants permission. I trust Foobar and Google, so
> I'll
> > >> click Allow."
> > >>
> > >> To make the masquerade act even more convincing, many of the most
> > >> popular OAuth services allow app developers to upload images which
> could
> > >> be official logos of the organizations they are posing as. Often app
> > >> developers can supply arbitrary, unconfirmed URIs which are shown to
> the
> > >> resource owner as the app's website, even if the domain does not match
> the
> > >> redirect URI. Some OAuth services blindly entrust client apps to
> customize
> > >> the authorization page in other ways.
> > >>
> > >> This is hard to defend against. Authorization server administrators
> could
> > >> police client names, but that approach gives them a burden similar to
> > >> certificate authorities to verify organizations before issuing
> > certificates. Very
> > >> expensive.
> > >>
> > >> A much simpler solution is for authorization servers to be
> > careful with their
> > >> wording and educate resource owners about the need for discretion when
> > >> granting authority. Foobar's message above could be
> > >> changed: "An application calling itself Google, Inc. is
> > requesting permission to
> > >> do the following" later adding, "Only allow this request if you
> > are sure of the
> > >> application's source." Such wording is less likely to give the
> > impression that
> > >> the resource server is vouching for the application's identity.
> > >>
> > >> Authorization servers would also do well to show the resource owner
> > >> additional information about the client application to help them make
> > >> informed decisions. For example, it could display all or part of the
> app's
> > >> redirect URI, saying, "The application is operating on
> > example.com" or "If you
> > >> decide to allow this application, your browser will be directed to
> > >> http://www.example.com/." Further, if the client app's redirect
> > URI uses TLS
> > >> (something authorization servers might choose to mandate), then auth
> > >> servers can verify the certificate and show the certified
> > organization name to
> > >> resource owners.
> > >>
> > >> This attack is possible with OAuth 1, but OAuth 2 makes successful
> > >> exploitation easier. OAuth 1 required the client to obtain temporary
> > >> credentials (aka access tokens) before sending resource owners to the
> > >> authorization endpoint. Now with OAuth 2, this attack does not require
> > >> resource owners to interact with the client application before
> visiting the
> > >> authorization server. The malicious client developer only needs
> > to distribute
> > >> links around the web to the authorization server's authorization
> > endpoint. If
> > >> the HTTP service is a social platform, the client app might
> > distribute links using
> > >> resource owners' accounts with the access tokens it has acquired,
> becoming
> > >> a sort of worm. Continuing the Google/Foobar example above, it might
> use
> > >> anchor text such as "I used Google Plus to synchronize with my Foobar
> > >> account." Moreover, if the app's redirect URI bounces the resource
> owner
> > >> back to the HTTP service after acquiring an authorization code,
> > the victim will
> > >> never see a page rendered at the insidious app's domain.
> > >>
> > >> This is especially dangerous because the public is not trained to
> defend
> > >> against it. Savvy users are (arguably) getting better at
> > protecting themselves
> > >> from traditional phishing by verifying the domain in the address bar,
> and
> > >> perhaps checking TLS certificates, but such defenses are irrelevent
> here.
> > >> Resource owners now need to verify not only that they are on the
> legitimate
> > >> authorization server, but to consider the trustworthyness of the link
> that
> > >> referred them there.
> > >>
> > >> I'm not sure what can or should be done, but I think it's important
> for
> > >> authorization server implementers to be aware of this attack. If
> > >> administrators are not able to authenticate client organizations,then
> they
> > >> are shifting this burden to resource owners. They should do all they
> can to
> > >> educate resource owners and help them make informed decisions before
> > >> granting authorization.
> > >>
> > >> Regards,
> > >> Andre DeMarre
> > >> _______________________________________________
> > >> OAuth mailing list
> > >> OAuth@ietf.org
> > >> https://www.ietf.org/mailman/listinfo/oauth
> >
>
>

v2.23.0 | Report a Bug | By Email