Re: [OAUTH-WG] Blackhat US: OAuth Talk

Antonio Sanso <asanso@adobe.com> Tue, 14 October 2014 09:54 UTC

From: Antonio Sanso <asanso@adobe.com>
To: Hannes Tschofenig <hannes.tschofenig@gmx.net>
Date: Tue, 14 Oct 2014 09:53:31 +0000
Message-ID: <26AB3ED9-1DC0-4F69-B98D-6EBCF3A159FD@adobe.com>
References: <543BFF34.1070307@gmx.net>
In-Reply-To: <543BFF34.1070307@gmx.net>
Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/Blnprse2nqYIKNF33A8Rn2sGu_4
Cc: "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Blackhat US: OAuth Talk

hi Hannes,

thanks for the link. It is interesting.
That said, I think the attacks shown there are a bit “academic” and do not reflect the real-life situation. Moreover, it still mentions the MAC flow, when AFAIK the OAuth working group decided to deviate from it.
IMHO the majority of real-life attacks (and I can provide many, many examples taken from blog posts of people who hacked big providers such as Google, Facebook, GitHub, etc.) are actually targeting two things:

- weak/incorrect validation of the redirect_uri parameter
- leak of the access token / authorization code from the referrer

just my 0.02 cents :)

regards

antonio


On Oct 13, 2014, at 6:35 PM, Hannes Tschofenig <hannes.tschofenig@gmx.net> wrote:

> During the OAuth conference call today I asked whether someone had
> looked at this paper published at the recent Blackhat US conference and
> nobody knew about it.
> 
> Hence, I am posting it here:
> 
> * Paper:
> 
> https://www.blackhat.com/docs/us-14/materials/us-14-Hu-How-To-Leak-A100-Million-Node-Social-Graph-In-Just-One-Week-WP.pdf
> 
> * Slides:
> https://www.blackhat.com/docs/us-14/materials/us-14-Hu-How-To-Leak-A100-Million-Node-Social-Graph-In-Just-One-Week.pdf
> 
> Ciao
> Hannes
> 
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
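The two attack classes Antonio lists in his reply, illustrated as an added example (not code from this thread or from any project it mentions): a prefix-matching redirect_uri check of the "weak/incorrect validation" kind beside the component-by-component exact match an authorization server should perform, plus a helper that flags a page URL whose query or fragment still carries a code or access token and could therefore leak through the Referer header. The registered callback, the candidate URIs and the hostnames are constructed sample values.

```python
from urllib.parse import urlsplit, parse_qs

# Constructed sample: the callback a hypothetical client registered with the
# authorization server (AS). Not from the original post.
REGISTERED = "https://client.example/cb"


def weak_match(requested: str) -> bool:
    """Prefix matching: the 'weak/incorrect validation' pattern. Do not use."""
    return requested.startswith(REGISTERED)


def strict_match(requested: str) -> bool:
    """Compare registered and requested URI component by component.
    Scheme, host (case-insensitive), port (default-aware), path and query must
    be identical; a fragment is never allowed (RFC 6749 section 3.1.2)."""
    try:
        reg, req = urlsplit(REGISTERED), urlsplit(requested)
        reg_port, req_port = reg.port or 443, req.port or 443  # .port may raise
    except ValueError:
        return False
    if req.fragment or req.scheme != "https":
        return False
    return (reg.scheme, reg.hostname, reg_port, reg.path, reg.query) == \
           (req.scheme, req.hostname, req_port, req.path, req.query)


def leaks_credential(url: str) -> bool:
    """True if a page URL still carries a code or access token in its query or
    fragment, i.e. material that an outbound request's Referer header (or a
    third-party script on that page) could expose."""
    parts = urlsplit(url)
    return any(set(parse_qs(c)) & {"code", "access_token"}
               for c in (parts.query, parts.fragment))


# Constructed redirect_uri values an AS might receive on the authorize request.
CANDIDATES = [
    "https://client.example/cb",                                # legitimate
    "https://CLIENT.example:443/cb",                            # same endpoint, other spelling
    "https://client.example/cb/../open-redirect",               # walks past the callback path
    "https://client.example/cb?next=https://attacker.example",  # extra query parameter
    "https://client.example/cb#access_token=",                  # fragment never permitted
    "http://client.example/cb",                                 # downgraded scheme
]


def evaluate():
    """Map each candidate to (weak_match result, strict_match result)."""
    return {uri: (weak_match(uri), strict_match(uri)) for uri in CANDIDATES}


if __name__ == "__main__":
    for uri, (weak, strict) in evaluate().items():
        print(f"{uri:60} weak={weak!s:5} strict={strict}")
```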