Re: [OAUTH-WG] XARA vulnerability Paper and PKCE

Nat Sakimura <sakimura@gmail.com> Thu, 18 June 2015 15:25 UTC

In-Reply-To: <95102368.1461467.1434638847014.JavaMail.yahoo@mail.yahoo.com>
References: <CABzCy2Dj3O6vqozkhj=cFQ4QUisNQjAa9zQbEccwOrvsXZjRdQ@mail.gmail.com> <95102368.1461467.1434638847014.JavaMail.yahoo@mail.yahoo.com>
Date: Fri, 19 Jun 2015 00:25:23 +0900
Message-ID: <CABzCy2BiRpBfVCbcezx6AOHApNPqMG=xEwVnfieqBKoufjkhbA@mail.gmail.com>
From: Nat Sakimura <sakimura@gmail.com>
To: Bill Mills <wmills_92105@yahoo.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/oauth/CMuSN9induD83jjL7szYIEj_8yI>
Cc: oauth <oauth@ietf.org>
Subject: Re: [OAUTH-WG] XARA vulnerability Paper and PKCE

Yup. Obviously, PKCE is for the Code Flow and does not deal with the Implicit flow.
The best bet probably is to stop using the Implicit flow for passing tokens around
among apps, unless the token is capable of being sender confirmed.

Nat

2015-06-18 23:47 GMT+09:00 Bill Mills <wmills_92105@yahoo.com>:

> PKCE solves a subset of this, but not the general case. It doesn't solve
> the FB example in the paper where the FB token is passed between apps
> locally.
>
> It is a clear win for the OAuth code flow for example though.
>
>   On Thursday, June 18, 2015 7:31 AM, Nat Sakimura <sakimura@gmail.com>
> wrote:
>
>
> Hi OAuthers:
>
> The XARA (Cross App Resource Access) paper was gaining interest here in Japan
> today because of the Register article [1].
> I went over the attack description in the full paper [2].
> The paper presents four kinds of vulnerabilities.
>
>    1. Password Stealing (Keychain)
>    2. Container Cracking (BundleID check bug on the part of Apple App
>    Store)
>    3. IPC Interception (a. WebSocket non-authentication, and b. local
>    oauth redirect)
>    4. Scheme Hijacking
>
> Of those, 3.b and 4 are relevant to us, and we kind of knew them all the
> way through.
> These are the target attacks that PKCE specifically wants to address, and
> does address, I believe.
>
>
> [1]
> http://www.theregister.co.uk/2015/06/17/apple_hosed_boffins_drop_0day_mac_ios_research_blitzkrieg/
> [2] https://sites.google.com/site/xaraflaws/
>
> --
> Nat Sakimura (=nat)
> Chairman, OpenID Foundation
> http://nat.sakimura.org/
> @_nat_en
>


-- 
Nat Sakimura (=nat)
Chairman, OpenID Foundation
http://nat.sakimura.org/
@_nat_en
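As an added illustration of the point made in this thread (example code, not from the paper, the OAuth WG or any of the posters), a toy PKCE S256 exchange (RFC 7636) against an in-memory stand-in for the authorization server: an app that merely observed the redirect (attack 3.b / 4 above) holds the authorization code but not the code_verifier, so its token request is refused, while the originating app's request succeeds. `ToyAuthServer` and `pkce_scenarios` are hypothetical names chosen for this example.

```python
import base64
import hashlib
import secrets
from typing import Optional


def b64url(data: bytes) -> str:
    """Base64url without padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_code_verifier() -> str:
    """32 random bytes -> 43 unreserved chars (RFC 7636 sec. 4.1 minimum length)."""
    return b64url(secrets.token_bytes(32))


def make_code_challenge(verifier: str) -> str:
    """S256 method: BASE64URL(SHA256(ASCII(code_verifier))) (RFC 7636 sec. 4.2)."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


class ToyAuthServer:
    """Hypothetical in-memory authorization server; binds each code to its challenge."""

    def __init__(self) -> None:
        self._codes = {}  # code -> code_challenge

    def authorize(self, code_challenge: str) -> str:
        # The code goes back over the redirect URI, which a second app that
        # registered the same custom scheme can observe (attack 4 / 3.b above).
        code = secrets.token_urlsafe(16)
        self._codes[code] = code_challenge
        return code

    def token(self, code: str, code_verifier: str) -> Optional[str]:
        challenge = self._codes.get(code)
        if challenge is None:
            return None  # unknown or already redeemed code
        if not secrets.compare_digest(make_code_challenge(code_verifier), challenge):
            return None  # verifier does not match the challenge bound to this code
        del self._codes[code]  # authorization codes are single use
        return "access-token-" + secrets.token_hex(8)


def pkce_scenarios() -> dict:
    """Who can redeem the code: the app that made the verifier, or one that only saw the redirect?"""
    auth = ToyAuthServer()
    verifier = make_code_verifier()
    code = auth.authorize(make_code_challenge(verifier))
    hijacker = auth.token(code, make_code_verifier())  # has the code, not the verifier
    legit = auth.token(code, verifier)                 # holds the original verifier
    replay = auth.token(code, verifier)                # code was already redeemed
    return {"hijacker": hijacker is not None, "legit": legit is not None, "replay": replay is not None}
```

With the Implicit flow the token itself travels in the redirect, so there is no verifier step to fail and the same interception yields the token directly, which is why the reply above suggests not using it for passing tokens between apps.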