Re: [OAUTH-WG] Recap of two well known OAuth related attacks

Lewis Adam-CAL022 <Adam.Lewis@motorolasolutions.com> Fri, 17 May 2013 15:23 UTC

From: Lewis Adam-CAL022 <Adam.Lewis@motorolasolutions.com>
To: "Richer, Justin P." <jricher@mitre.org>, Antonio Sanso <asanso@adobe.com>
Date: Fri, 17 May 2013 15:22:47 +0000
Message-ID: <59E470B10C4630419ED717AC79FCF9A96599A278@BY2PRD0411MB441.namprd04.prod.outlook.com>
References: <DC65FEE5-9CA0-45CF-B44B-912F0474C4DB@adobe.com> <2AF08A9B-0E0A-42E1-9575-E582065D66D8@mitre.org>
In-Reply-To: <2AF08A9B-0E0A-42E1-9575-E582065D66D8@mitre.org>
Cc: "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Recap of two well known OAuth related attacks
List-Id: OAUTH WG <oauth.ietf.org>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>

One wonders whether - in hindsight - the implicit flow was a mistake to include in the framework.  Yes, it saves a single round trip for use cases where the tokens are exposed to the UA, but it's not clear that optimization is worth the security headaches that are going to be caused down the road (or are already going on, for that matter) by people using it in scenarios where it should not be (because, as stated, it is easier).  It probably would have been better to let the subset of cases that didn't need the extra step of the code just go ahead and implement it anyway, and ensure that the majority of native app use cases would have been implemented with better security.

adam

-----Original Message-----
From: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] On Behalf Of Richer, Justin P.
Sent: Wednesday, May 15, 2013 3:22 PM
To: Antonio Sanso
Cc: WG <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Recap of two well known OAuth related attacks

The biggest problem with this attack is the passing of the access token to a backend server (and its subsequent passing of that token to someone else) and the assumption that the presentation of the access token means that the user is authenticated and present. It simply doesn't mean that, and this is a bad assumption that unfortunately many people make thanks to providers like Facebook using OAuth (or, mostly-OAuth since they're not actually RFC compliant) in the authentication protocol.

It's also a problem that so many people are using the implicit flow "because it's easy", missing the point of why it's there in the first place. The implicit flow is really only intended for cases where you can't hide secrets from the user agent, cases like an in-browser application. The flow diagrams that you have don't fit the implicit flow very well at all, since the access token is getting passed back to some other service. 

 -- Justin

On May 13, 2013, at 11:14 AM, Antonio Sanso <asanso@adobe.com> wrote:

> Hi *,
> 
> I wrote a blog post showing two well known OAuth related attacks. I paste here the link for your consideration:
> 
> http://intothesymmetry.blogspot.ch/2013/05/oauth-2-attacks-introducing-devil-wears.html
> 
> Any comment is more than appreciated.
> 
> Regards
> 
> Antonio
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth

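The mistake Justin describes above (a backend treating the presentation of an access token as proof that the user authenticated to it), modelled as an added Python example. This is not code from the thread or from any provider: the in-memory authorization server, the client ids "bank-web" and "game-widget", the user "alice" and the token format are all constructed for illustration. It puts the vulnerable login beside two hardened forms: checking that the token was issued to this client, and redeeming an authorization code on the back channel instead of accepting a token from the user agent at all.

```python
"""Model of the mistake discussed above: a backend that treats "I was handed a
valid access token" as "this user just authenticated to me".

Everything here is constructed for the example (hypothetical in-memory
authorization server, client ids, user and token format); it is not any real
provider's API.
"""
import secrets
from dataclasses import dataclass, field


@dataclass
class AuthorizationServer:
    """Toy AS: issues bearer tokens and answers RFC 7662-style introspection
    (active, client_id, sub) for tokens it issued itself."""
    registered_clients: dict = field(default_factory=dict)  # client_id -> secret (None = public client)
    _tokens: dict = field(default_factory=dict)             # token -> (client_id, sub)
    _codes: dict = field(default_factory=dict)              # code  -> (client_id, sub)

    def implicit_grant(self, client_id, sub):
        """Implicit flow: the access token goes straight back to the user agent."""
        token = secrets.token_urlsafe(16)
        self._tokens[token] = (client_id, sub)
        return token

    def authorization_code_grant(self, client_id, sub):
        """Code flow, front channel: only a short-lived code reaches the UA."""
        code = secrets.token_urlsafe(16)
        self._codes[code] = (client_id, sub)
        return code

    def exchange_code(self, code, client_id, client_secret):
        """Code flow, back channel: the confidential client redeems the code
        with its own credentials, so the resulting token is bound to it."""
        entry = self._codes.pop(code, None)  # single use
        if entry is None or entry[0] != client_id:
            raise PermissionError("invalid_grant")
        if self.registered_clients.get(client_id) != client_secret:
            raise PermissionError("invalid_client")
        token = secrets.token_urlsafe(16)
        self._tokens[token] = (client_id, entry[1])
        return token

    def introspect(self, token):
        entry = self._tokens.get(token)
        if entry is None:
            return {"active": False}
        return {"active": True, "client_id": entry[0], "sub": entry[1]}


class Backend:
    """Server side of one client application that wants to log the user in."""

    def __init__(self, auth_server, client_id, client_secret):
        self.auth_server = auth_server
        self.client_id = client_id
        self.client_secret = client_secret

    def login_vulnerable(self, token):
        """The assumption the thread warns about: any active token naming a
        user is accepted, even one the AS issued to a different client."""
        info = self.auth_server.introspect(token)
        return info["sub"] if info["active"] else None

    def login_checked(self, token):
        """Hardened: a token only counts if the AS issued it to *this* client."""
        info = self.auth_server.introspect(token)
        if not info["active"] or info.get("client_id") != self.client_id:
            return None
        return info["sub"]

    def login_with_code(self, code):
        """Hardened further: never take a token from the UA; redeem the
        authorization code on the back channel with the client secret."""
        token = self.auth_server.exchange_code(code, self.client_id, self.client_secret)
        return self.login_checked(token)


def demo():
    """Returns (vulnerable result, checked result, code-flow result)."""
    auth = AuthorizationServer(registered_clients={"bank-web": "s3cret", "game-widget": None})
    bank = Backend(auth, "bank-web", "s3cret")
    # Alice authorized an unrelated in-browser app ("game-widget") via the implicit
    # flow; that token now lives in a user agent the bank does not control.
    foreign_token = auth.implicit_grant("game-widget", "alice")
    vulnerable = bank.login_vulnerable(foreign_token)  # "alice": possession mistaken for login
    checked = bank.login_checked(foreign_token)        # None: token was not issued to bank-web
    code = auth.authorization_code_grant("bank-web", "alice")
    via_code = bank.login_with_code(code)              # "alice": token bound to bank-web
    return vulnerable, checked, via_code


def code_exchange_rejects_wrong_secret():
    """A code issued to bank-web cannot be redeemed without bank-web's secret."""
    auth = AuthorizationServer(registered_clients={"bank-web": "s3cret"})
    code = auth.authorization_code_grant("bank-web", "bob")
    try:
        auth.exchange_code(code, "bank-web", "guess")
    except PermissionError:
        return True
    return False
```

Running `demo()` returns `("alice", None, "alice")`: the vulnerable backend logs Alice in on the strength of a token that was never issued to it, the client_id check refuses that token, and the code flow still logs her in because the backend itself redeemed the code with its secret. The client_id check is the minimum a backend needs if it insists on accepting tokens from the user agent; the code flow removes the need for the backend to trust anything the user agent hands it.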