Re: [OAUTH-WG] Same Origin Method Execution (SOME)

"Kim, William G" <> Tue, 07 July 2015 17:49 UTC

Return-Path: <>
Received: from localhost ( []) by (Postfix) with ESMTP id 5FA121ACEFC for <>; Tue, 7 Jul 2015 10:49:04 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.754
X-Spam-Status: No, score=-1.754 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FRT_ADOBE2=2.455, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-2.3, T_RP_MATCHES_RCVD=-0.01] autolearn=no
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id gvVQsxpIEUoH for <>; Tue, 7 Jul 2015 10:49:01 -0700 (PDT)
Received: from ( []) by (Postfix) with ESMTP id B7AE01ACEFB for <>; Tue, 7 Jul 2015 10:49:01 -0700 (PDT)
Received: from (localhost.localdomain []) by localhost (Postfix) with SMTP id 51FD3B2E020; Tue, 7 Jul 2015 13:49:02 -0400 (EDT)
Received: from IMCCAS04.MITRE.ORG ( []) by (Postfix) with ESMTP id 378DF72E15D; Tue, 7 Jul 2015 13:49:02 -0400 (EDT)
Received: from imshyb01.MITRE.ORG ( by IMCCAS04.MITRE.ORG ( with Microsoft SMTP Server (TLS) id; Tue, 7 Jul 2015 13:49:00 -0400
Received: from imshyb02.MITRE.ORG ( by imshyb01.MITRE.ORG ( with Microsoft SMTP Server (TLS) id 15.0.1044.25; Tue, 7 Jul 2015 13:49:00 -0400
Received: from ( by imshyb02.MITRE.ORG ( with Microsoft SMTP Server (TLS) id 15.0.1044.25 via Frontend Transport; Tue, 7 Jul 2015 13:49:00 -0400
Received: from ( by ( with Microsoft SMTP Server (TLS) id; Tue, 7 Jul 2015 17:49:00 +0000
Received: from ( by ( with Microsoft SMTP Server (TLS) id; Tue, 7 Jul 2015 17:48:59 +0000
Received: from ([]) by ([]) with mapi id 15.01.0207.004; Tue, 7 Jul 2015 17:48:59 +0000
From: "Kim, William G" <>
To: Justin Richer <>, Nat Sakimura <>
Thread-Topic: [OAUTH-WG] Same Origin Method Execution (SOME)
Date: Tue, 7 Jul 2015 17:48:58 +0000
Message-ID: <>
References: <> <> <> <> <> <>
In-Reply-To: <>
Accept-Language: en-US
Content-Language: en-US
user-agent: Microsoft-MacOutlook/
authentication-results:; dkim=none (message not signed) header.d=none;
x-ms-exchange-messagesentrepresentingtype: 1
x-originating-ip: []
x-microsoft-exchange-diagnostics: 1; BY2PR09MB0277; 5:tPuevez2BYPNLlq+H+Xkq75WVY3Vt8NU64ob6sONAdarccAcaym0+y3SzAQEGEiYQ4Vx6lfxr6yYGo7DrXbtYWx7reUwOzFuBhCGnhgszXeVgIYse2zMapIOpuj8pGRzN43yJnNZV6oZVRJY0tbapg==; 24:6jrf8ikXQUnQ4O0iP2019JcJ3UcfstOPfcvH+aT1y+Yrzsw3yNjwjbawGqO+hinsCroxgEB/zxJ6hzAZOWOCLDisW93YdcVNX+djctZ4M2k=; 20:0zLBAhDXXvwHm1iGDVd4/a+oR9/ErYBjkOLMhxXS76TcA9+B5CAkseXAw7ndyIT3SmEjLB7UNTrjQFqF4w3EZw==
x-microsoft-antispam: UriScan:; BCL:0; PCL:0; RULEID:; SRVR:BY2PR09MB0277; UriScan:; BCL:0; PCL:0; RULEID:; SRVR:BY2PR09MB0659;
by2pr09mb0277: X-MS-Exchange-Organization-RulesExecuted
x-microsoft-antispam-prvs: <>
x-exchange-antispam-report-test: UriScan:;
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(601004)(5005006)(3002001); SRVR:BY2PR09MB0277; BCL:0; PCL:0; RULEID:; SRVR:BY2PR09MB0277;
x-forefront-prvs: 0630013541
x-forefront-antispam-report: SFV:NSPM; SFS:(10009020)(24454002)(243025005)(377424004)(377454003)(99286002)(4001350100001)(86362001)(106116001)(19617315012)(2656002)(93886004)(2171001)(16297215004)(87936001)(19580405001)(19580395003)(5001770100001)(16236675004)(54356999)(50986999)(102836002)(15975445007)(76176999)(77096005)(2950100001)(46102003)(2900100001)(1600100001)(83506001)(77156002)(40100003)(66066001)(5001920100001)(92566002)(189998001)(36756003)(122556002)(5002640100001)(5001960100002)(62966003); DIR:OUT; SFP:1101; SCL:1; SRVR:BY2PR09MB0277;; FPR:; SPF:None; MLV:sfv; LANG:en;
Content-Type: multipart/alternative; boundary="_000_D1C188FF8FADwkimmitreorg_"
MIME-Version: 1.0
X-MS-Exchange-CrossTenant-originalarrivaltime: 07 Jul 2015 17:48:58.6229 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: c620dc48-1d50-4952-8b39-df4d54d74d82
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BY2PR09MB0277
X-Microsoft-Exchange-Diagnostics: 1; BY2PR09MB0659; 2:QPhDChqaPsGUH7zqzk765eyOBpg69plesoSZ52JVONzzKGDASk1jATEUEQxD8DrY; 3:kh9xwetwuHD4jfON7tdWuRho3q9X9JkBHSNQGedrX79kcKitTCG2MvVgZwj+5NCVU1TROt2LcIA6zKOjPpRKDNXa6dZZtktoZ5VOyRFDYcoAr0GDU3NbNpGfgJ1bNmETQL3ikvla5XDuUq/LRLiPxQ==; 25:JQ5/cJfvMDTuTz7o+NETt2709dkHIzDGGQU/gOTbUQGt9NY2CXERFechEOPAd5AO+A5/EUkS7vJ0ukcitL5+rSzSSf9Dtc8JhJbQRUr+yVgPPNbvgG4LCQYlqgfgLM9LSXsrpRw387nfzKQxox0O1fJR58lJQnQiXJjvW14XTYyC4QcaNLdhATIcwsAy7mXvO/NXDx51WbdqL4WzFQVYfseHYymeAmzAWn0DFQnK3DlMH/WWTcLp9Lul8E3XJ54zvOFJ0EOsRjCrYlT2wq6g/Q==; 20:IScTAC9rmssaUoktkdjaedqZ9jNVKW7dsIKnj3kj3UmCMxE+81V6KDyRocls/kawZRFd5qhI6ZLBY+xVl6i6+Q==; 23:kqU+GVjVPoRREggzxCJMHkhYDBB/iggUuC3vP5iKRJl2TgWadNeSkPeUHM35YT1KJB3A6ZzRB45xAVXUpdCDBUXC2QSzOEJd6e1vTiZc9ul4IDqESj3D53wTT+ItW309sH/txZZ88jydvG5ReOjmCSCBhOGLkwsnBa7U9z5czQB+EruDxFaPHC9qSsscJBW1w6dnoml4h4148zu4KPsF/MRnMFkwvKoeJErGHtYi7lT6JJzYO6i47NVaWrTdAcBu
Archived-At: <>
Cc: "<>" <>
Subject: Re: [OAUTH-WG] Same Origin Method Execution (SOME)
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OAUTH WG <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Tue, 07 Jul 2015 17:49:04 -0000

Sorry to dig this back up but am I naive to wonder why anyone would even use JSONP. Sounds like the hackiest legitimate thing I've ever seen, and asking for trouble to use it.


From: Justin Richer <<>>
Date: Monday, June 29, 2015 at 11:36 AM
To: Nat Sakimura <<>>
Cc: "<<>>" <<>>
Subject: Re: [OAUTH-WG] Same Origin Method Execution (SOME)

Right, even though it’s not an OAuth problem, it’s a problem that is more likely to come up and cause damage in situations that OAuth brings about (the pop-up redirect page that Nat mentions). So, just like the advice to use the system browser on mobile platforms, I think it’d be good to have actual advice for developers so that they can avoid doing this.

 — Justin

On Jun 29, 2015, at 11:22 AM, Nat Sakimura <<>> wrote:


2015-06-30 0:22 GMT+09:00 Nat Sakimura <<>>:
Year, from my skimming of the paper, it requires a page that executes arbitrary callback function given as a parameter.
It is absolutely stupid to do it, but apparently there are such pages.
Prime candidate happens to be OAuth Redirection Endpoint.
By itself, it probably will not do much harm because you cannot do much things in that window itself,
but if the window is a pop-up and keeps a parent context, it will essentially be able to
remote control the parent window to do much more harm.

So, it is not OAuth problem per se.

However, it may be worthwhile to tell the developers to make sure that redirection endpoint
accepts only valid oauth payload, and do not execute anything in the parameter.


2015-06-25 19:48 GMT+09:00 Antonio Sanso <<>>:
hi John

On Jun 25, 2015, at 1:42 AM, John Bradley <<>> wrote:

Thanks for the info,

As I read it, this is an attack on Java Script callbacks.

The information tying it to OAuth is not clear.

Is the issue relating to JS people using the implicit flow and the JS loaded from the client somehow being vulnerable?

Or is this happening in the JS after authorization in calls to other resources from the same origin, and it is just coincidence that people are using OAuth.

is more the second one :) Extrapolating from the white paper [0]

"The most common technique tasked with ful lling
the above described need is OAuth. In order to gain access to third-party resources
using OAuth, the service shall utilize a third-party endpoint (OAuth dialog) that will
ask for the resource owner's approval. The problem with this process is that redirecting
the service to an OAuth dialog means losing the content of the currently open service
document. For overcoming this problem, developers open a pop-up window to display
the dialog in a singular browsing context. Once the user permits or denies access to
the service, the OAuth dialog pop-up will be redirected to render a callback endpoint
hosted on the service domain. This document should eventually notify the service that
the process has been completed.
For the new pop-up window to notify the service window upon approval, denial or for
it to transfer access tokens or similar data, developers may implement callback endpoints
that use a script referencing the "opener" window for executing a callback method of the
service. When developers also opted for providing the service with the decision on how
to "call it back" through a callback parameter, the entire domain becomes vulnerable to




Understanding if there is any Oauth specific advice to give would be helpful.   I see there are ways to prevent the SOME exploit.

John B.

On Jun 24, 2015, at 4:18 PM, Antonio Sanso <<>> wrote:

hi *, just sharing.

Not directly related to OAuth per se but it exploits several OAuth client endpoints due to some common developers pattern (concrete example in


OAuth mailing list<>

OAuth mailing list<>

Nat Sakimura (=nat)
Chairman, OpenID Foundation

Nat Sakimura (=nat)
Chairman, OpenID Foundation
OAuth mailing list<>