[OAUTH-WG] Same Origin Method Execution (SOME)

Antonio Sanso <asanso@adobe.com> Wed, 24 June 2015 19:18 UTC

From: Antonio Sanso <asanso@adobe.com>
To: OAuth WG <oauth@ietf.org>
Date: Wed, 24 Jun 2015 19:18:29 +0000
Message-ID: <B1C45938-9B95-4059-8235-0745216DFF60@adobe.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/oauth/JMROiroOK1pL5vdn3OQjrvKSOBY>

hi *, just sharing.

Not directly related to OAuth per se, but it exploits several OAuth client endpoints due to a common developer pattern: http://www.benhayak.com/2015/06/same-origin-method-execution-some.html (concrete example in http://www.benhayak.com/2015/05/stealing-private-photo-albums-from-Google.html).

regards

antonio