Re: [OAUTH-WG] A Scope Attack against OAuth 2.0

Nicholas Devenish <misnomer@gmail.com> Fri, 24 February 2012 01:12 UTC

From: Nicholas Devenish <misnomer@gmail.com>
In-Reply-To: <CAGmQQ9exFKLCC3nbabgcoDhhfQxfDUcwydORbTtqh7v=tzwW5g@mail.gmail.com>
Date: Fri, 24 Feb 2012 01:12:24 +0000
Message-Id: <1CA65248-D1AE-415D-85CD-E0E116D84A4B@gmail.com>
To: Wenjie Lin <lin.820@osu.edu>
Cc: "Lee, David" <david.lee10@hp.com>, "oauth@ietf.org (oauth@ietf.org)" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] A Scope Attack against OAuth 2.0

On 24 Feb 2012, at 01:02, Wenjie Lin wrote:

> As we have shown in our Feb 17th email, the negative consequence is a violation by the user of the service agreement, that is, the user is able to play the game but the client cannot post messages on behalf of the user.

That's not a negative within the context of the OAuth protocol, which protects the user's interests, not the client's. It looks as though with the current wording, it's basically not possible to be compliant (very mildly) in this scenario.

But as John Bradley pointed out, it's completely legitimate for a client to give the "game" full permissions, and then edit the scope afterwards (though I can't find an explicit reference in the draft, I expect it to be covered by one of the "This is out of scope" or revocation clauses).

Implementations that want to allow clients to enforce the scope contract with the user could always just implement a method to get the actual scope back (like Facebook), but it's not an attack against the protocol or user.
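The client-side check the message alludes to ("get the actual scope back" and compare it with what was asked for), written out as an added example that is not code from this thread or from any OAuth implementation. It relies on the token-response `scope` parameter, which the final RFC 6749 text (section 5.1) requires the authorization server to include whenever the issued scope differs from the requested one; when the parameter is absent the client may assume the granted scope equals the requested scope. The scope names (`play_game`, `post_messages`) and both token responses are constructed for the example.

```python
"""Client-side comparison of requested versus granted OAuth 2.0 scope.

Added example, not code from the mailing-list thread.  RFC 6749 section 5.1:
the token response MUST carry a "scope" parameter if the issued scope differs
from the one requested; if "scope" is absent, the granted scope is taken to be
identical to the requested scope.  All sample data below is constructed.
"""
import json


def parse_scope(scope_str):
    # Scope is a space-delimited, case-sensitive list of strings (RFC 6749 3.3).
    return set(scope_str.split())


def granted_scope(requested, token_response):
    """Return the set of scopes the client should assume it actually holds."""
    if "scope" in token_response:
        return parse_scope(token_response["scope"])
    # No "scope" in the response: the server issued exactly what was requested.
    return set(requested)


def check_scope(requested, required, token_response):
    """Compare what was asked for with what was granted.

    requested: scopes the client put in the authorization request
    required:  the subset the client cannot function without (its side of the
               "service agreement" with the user)
    Returns (ok, missing): ok is True iff every required scope was granted.
    A False result is the point at which a client would decline to proceed
    rather than silently running with reduced permissions.
    """
    granted = granted_scope(requested, token_response)
    missing = set(required) - granted
    return (not missing, missing)


# Constructed sample token responses (hypothetical server, hypothetical scopes).
FULL_GRANT = json.loads(
    '{"access_token": "tok-1", "token_type": "bearer", "expires_in": 3600}'
)
REDUCED_GRANT = json.loads(
    '{"access_token": "tok-2", "token_type": "bearer", "scope": "play_game"}'
)

REQUESTED = ["play_game", "post_messages"]
REQUIRED = ["play_game", "post_messages"]

if __name__ == "__main__":
    for name, resp in (("full", FULL_GRANT), ("reduced", REDUCED_GRANT)):
        ok, missing = check_scope(REQUESTED, REQUIRED, resp)
        print(name, "ok" if ok else "missing " + ", ".join(sorted(missing)))
```

The second response is the situation discussed in the thread: the user granted only the `play_game` scope, so the client learns from the `scope` parameter that `post_messages` was withheld and can decide what to do about it, instead of discovering the gap only when a later API call is refused.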