Re: [OAUTH-WG] OAuth 2.0 Mix-Up Mitigation: My Impressions

John Bradley <> Sat, 06 February 2016 14:58 UTC

Return-Path: <>
Received: from localhost ( []) by (Postfix) with ESMTP id 5814B1A033A for <>; Sat, 6 Feb 2016 06:58:54 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id e5nGKCxAa7SD for <>; Sat, 6 Feb 2016 06:58:50 -0800 (PST)
Received: from ( [IPv6:2607:f8b0:400d:c04::22a]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 1EA9D1A0338 for <>; Sat, 6 Feb 2016 06:58:50 -0800 (PST)
Received: by with SMTP id y9so85275341qgd.3 for <>; Sat, 06 Feb 2016 06:58:49 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20150623; h=content-type:mime-version:subject:from:in-reply-to:date:cc :message-id:references:to; bh=Ebk1E5CkLkDedu7vPNWS+cjpjFavHHf+nsG/QQFmzsc=; b=RuXYjAmT8pzmCIQmG2PlQUM1EIX+gqZTvTSyAyb5Uf9uYUro5dcXUWMlfJqbLipe7N OOSCVk2EO9ZbhuSTrdP7RVEe66lSvSEJzp2kNnzYnz9REIKOL0DjJw5b5iQAL+HOyvJs RXQkAc+vtoYMGDQrguknvaJjkNNxL7bjBGmmNWcRtwCm+/om+NHVQi2p8S247nq8aMyD HAEbJjMt4+Xv1vYwYDWoFDLkAlYmFUXtaXb8w0Vvrp7GOdr2K1eaVw1NkyjcoaLOrxBF Nje1JhYPMGznVFa2PJUAdcHRKLfaY/yJTGNivTqZrgw+50PXNwIEqKWFXHrv7TplTbEk cEfg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20130820; h=x-gm-message-state:content-type:mime-version:subject:from :in-reply-to:date:cc:message-id:references:to; bh=Ebk1E5CkLkDedu7vPNWS+cjpjFavHHf+nsG/QQFmzsc=; b=HHByC2Lk2h6SNIu7oHQ8KN4XCTD2ekauETpNwxHt9FeS0soPW6EKfNhegEwlvGfJ5G WWucnGH6JrYcE2RY5uScNZdAOJTkIjBGkw8tKy+KnKd2x5fYAQzdA6fl76JXBzNRtr6D rOGEkoHSmKqfJSFTM4z+8rdFaJe1U001XYs1MBYctU57Q9lKFaKSm/Wni5j1Fui4k/Eh i1vs9qSk2B/90JZaOfr9wSzlDZRkFrme89G7zjSXo72fMwxrQr3HMLxS/uLucLzUGSmi rc8dPvwuP0ptCkYk/VODAwJCbGQH2G08YdCmVOKsTtVxeHj7R+UY+tvuz12PRP3IOnEy Hzhw==
X-Gm-Message-State: AG10YORb7RhW3CZtGp0/ti25LZt7vghrF01OT6HvOQT4EsmL9ZhY6YEHaAzDYgfv38IIiA==
X-Received: by with SMTP id n83mr24294696qhn.41.1454770729086; Sat, 06 Feb 2016 06:58:49 -0800 (PST)
Received: from [] ([]) by with ESMTPSA id y99sm10215372qge.3.2016. (version=TLS1 cipher=ECDHE-RSA-AES128-SHA bits=128/128); Sat, 06 Feb 2016 06:58:48 -0800 (PST)
Content-Type: multipart/alternative; boundary="Apple-Mail=_97633AB3-1A50-4A2A-BC00-8DD3B319156D"
Mime-Version: 1.0 (Mac OS X Mail 9.2 \(3112\))
From: John Bradley <>
In-Reply-To: <>
Date: Sat, 06 Feb 2016 11:58:43 -0300
Message-Id: <>
References: <> <>
To: Torsten Lodderstedt <>
X-Mailer: Apple Mail (2.3112)
Archived-At: <>
Cc: "" <>
Subject: Re: [OAUTH-WG] OAuth 2.0 Mix-Up Mitigation: My Impressions
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OAUTH WG <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Sat, 06 Feb 2016 14:58:54 -0000

I think Toresen states it well.

The reason we looked at 2 again is that #1 in some of the attacks was being used to leak the code.  
In some of those cases the attacker had the client credentials and could use the directly to get access tokens.

In other cases the attacker doesn’t have the client credentials, but could still get access to the information protected  by the API by presenting the code back to the client as part of a new flow, and bind it to a new account or if the clint is unwise and using the code for authentication, impersonate the user.

There are certainly other ways an attacker could get code, via logs, open redirectors etc.
The closest mention of this in 6819 is sec ,  but that considered  two clients with two client_id.
that was mitigated by having the client send it’s client_id with code to exchange it.

The difference with 2 is that only one client_id is used, and that is not mitigated by the current counter measures in 6819.

Perhaps referring to 6819 sec is a distraction, in this case.   We however were concerned at the time about codes leaking and being replayed but missed some of the ways that could happen.

The two opportunities that we are leaving for attackers,  1 not knowing who is sending the authorization response, and not tying the authorization request and response to the same browser instance open a whole world of attacks.

What we think currently is that there are two basic flaws that are being exploited (some attacks use one or the other and some use them together) .   We should probably keep the fixes separate from documents that are more how to guides to attack un-patched clients.

Both issues are around the client being mislead or confused by an authorization response, in that it is coming back from the wrong place or in the wrong browser instance.  That is why the two mitigations probably belong in the same document.

John B.

> On Feb 6, 2016, at 8:32 AM, Torsten Lodderstedt <> wrote
> Hi Hannes,
> #2 is not directly described in the paper but was used to replay the code/token the attacker obtained via #1. In my observation, the discussion in Darmstadt has shown that OAuth (and its built-in mitigations) so far focused on preventing code/token leakage but we lake mitigation for replay in this particular case.
> #2 does not require the attacker to control the network or the victim's device. The attacker (using #1 or other attacks, e.g. on referrer headers or log files) obtains a code and injects this code into a legitimate OAuth/OIDC flow on its device. All she has to do is starting a authz code flow on the legitimate client, the particular code was issued for, and replace the code in the response from the AS. From the client's perspective, the response looks ok, since it carries the correct state value bound to the client in the particular user agent (since this is not a XSRF). But since there is no way (currently) to bind the code to a certain user agent, the client would accept the code and exchange it for token(s) on the AS. That gives the attacker access to resources of the victim and/or impersonates the attacker as the victim.
> There are several way to mitigate this issue: 
> - OIDC has the "code id_token" response type, which uses nounce and c_hash in the id_token to bind the code to the user agent session
> - in Darmstadt we came up with the idea to utilize the state value for that purpose. 
> Do we need to describe the threat and mitigation if draft-jones-oauth-mix-up-mitigation? I don't think so.
> We could describe the mechanisms in a different draft.
> I personally would prefer (and Phil already states this as well) the WG to work on a single draft, providing a consolidated view on all threats caused by the more dynamic usage of OAuth. We could also include all threats/mitigations/issues we have seen in the wild since RFC 6749 was published. This would also include stronger advice regarding XSRF prevention and open redirectors. I don't think we serve the community well be spreading those issues and mitigation over 3 or 4 drafts.
> best regards,
> Torsten. 
> Am 04.02.2016 um 21:27 schrieb Hannes Tschofenig:
>> Hi all,
>> when I posted the call for adoption of the 'OAuth 2.0 Mix-Up Mitigation'
>> solution <draft-jones-oauth-mix-up-mitigation> I wasn't expecting such a
>> heavy debate on the list. While the call for adoption is still ongoing I
>> would like to share my view as someone who has to judge consensus in a
>> few days together with Derek.
>> Regardless of where we are with respect to oauth-meta vs.
>> draft-jones-oauth-mix-up-mitigation we should keep an eye on the threats
>> we are trying to address (and we have to document them).
>> Here is how I would summarize the situation after reviewing the drafts,
>> blog posts and various emails sent to the list.
>> We have two types of threats:
>> #1: Threat described in the papers referenced in my email to the list
>> <>
>> The attack assumes that '... the presence of a network attacker who can
>> manipulate the request in which the user sends her identity to the RP as
>> well as the corresponding response to this request ...' (see page 15 of
>> <>).
>> I believe that this threat is well documented (at least in the paper).
>> #2: Cut-and-Paste Attacks
>> Here things get a bit more difficult since the threat is less well
>> described. In Section 7.3 of
>> <> Mike
>> makes an attempt to describe the attack and refers to Section
>> of RFC 6819, which talks about 'Code Substitution'. I am not convinced
>> that the description in RFC 6819 exactly matches the intention of
>> Section 7.3 of draft-jones-oauth-mix-up-mitigation-01 but I might be
>> misinterpreting.
>> Anyway, here is a copy-and-paste from the draft:
>>    A "cut-and-paste" attack is performed
>>    by the attacker creating what appears to be a legitimate
>>    authorization response, but that substitutes some of the response
>>    parameter values with values of the attacker's choosing.
>> Clearly, this attack makes different assumptions than what is stated in
>> the papers listed under item #1. It appears that the attacker will have
>> to be on the users device /browser itself. If that's true then the text
>> needs to state that.
>> Nat also provides a description of a similar attack in his blog post
>> under the name of 'Code Phishing' at
>> <>
>> In his description the attacker assumption is that the developer is
>> tricked into re-configuring the token endpoint so that the attacker is
>> able to obtain the authorization code.
>> While I believe the group is well advised to tackle the attack described
>> in item #1 to mitigate the attacks discovered late last year. I am
>> curious whether the group also sees the mitigation of threat #2 in scope
>> of this document. In some sense, one could argue that cut-and-paste is
>> more generic and a concern also for those cases where an OAuth client
>> does not talk to multiple ASs.
>> So, here are my questions:
>> - Can we describe the threat #2 in more details and by stating the
>> assumptions about the attacker?
>> I believe that this is important for understanding the attack within the
>> participants of the group but also for those who stumble over our
>> documents. Once we have a good description we should move on and answer
>> the next two questions:
>> - Should the document describe mitigations for attacks #1 and #2?
>> - Should the solution mandate a solution for dealing with both attacks?
>> Finally, we can talk about the details of the attack mitigation itself.
>> As far as the work from Mike (oauth-mix-up-mitigation) and Nat
>> (oauth-meta) is concerned Derek and I will find ways to ensure that the
>> prior work by all involved participants is appropriately attributed and
>> acknowledged!
>> Ciao
>> Hannes
>> _______________________________________________
>> OAuth mailing list
>> <>
>> <>
> _______________________________________________
> OAuth mailing list