IETF Logo Mail Archive

Re: [OAUTH-WG] A Scope Attack against OAuth 2.0

William Mills <wmills@yahoo-inc.com> Sat, 18 February 2012 02:40 UTC

Return-Path: <wmills@yahoo-inc.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BEE2E21E8013 for <oauth@ietfa.amsl.com>; Fri, 17 Feb 2012 18:40:20 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -17.182
X-Spam-Level:
X-Spam-Status: No, score=-17.182 tagged_above=-999 required=5 tests=[AWL=0.416, BAYES_00=-2.599, HTML_MESSAGE=0.001, USER_IN_DEF_WHITELIST=-15]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id wRA5zeJks3km for <oauth@ietfa.amsl.com>; Fri, 17 Feb 2012 18:40:19 -0800 (PST)
Received: from nm22.bullet.mail.bf1.yahoo.com (nm22.bullet.mail.bf1.yahoo.com [98.139.212.181]) by ietfa.amsl.com (Postfix) with SMTP id 1D64C21E800C for <oauth@ietf.org>; Fri, 17 Feb 2012 18:40:19 -0800 (PST)
Received: from [98.139.212.147] by nm22.bullet.mail.bf1.yahoo.com with NNFMP; 18 Feb 2012 02:40:14 -0000
Received: from [98.139.212.227] by tm4.bullet.mail.bf1.yahoo.com with NNFMP; 18 Feb 2012 02:40:14 -0000
Received: from [127.0.0.1] by omp1036.mail.bf1.yahoo.com with NNFMP; 18 Feb 2012 02:40:14 -0000
X-Yahoo-Newman-Property: ymail-3
X-Yahoo-Newman-Id: 422780.81929.bm@omp1036.mail.bf1.yahoo.com
Received: (qmail 5120 invoked by uid 60001); 18 Feb 2012 02:40:13 -0000
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo-inc.com; s=ginc1024; t=1329532813; bh=ARXPztYVMmxnyw8w51ISgtTsrxQ+P7hlnWg04mr6id8=; h=X-YMail-OSG:Received:X-RocketYMMF:X-Mailer:References:Message-ID:Date:From:Reply-To:Subject:To:In-Reply-To:MIME-Version:Content-Type; b=fdSlq8Prq5wsgWnlxPqxUvHjkIpC3ILjYLiQFzMvy2bwnTITtEYChOrgTUvhoh4X3GcwNN0o4yq5ObkVRQSu9xBORBb3KIoSf12q6wE4ERtIKbYg92luuh17hPefcPr6bZwvs9fVuDm0CONf1betkBFlEokvsLnezfbJVSum4Lk=
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=ginc1024; d=yahoo-inc.com; h=X-YMail-OSG:Received:X-RocketYMMF:X-Mailer:References:Message-ID:Date:From:Reply-To:Subject:To:In-Reply-To:MIME-Version:Content-Type; b=XucK1m70sEmmulO15Kv6yIwBxvB3bfULv6I3SK1mia444xOPnYppp9k7sqh58rwEBs1aPmlCazjaHGjmLMdXxpTYu9AEwnMnmlH33E0pPjDid/3u7gadNh70RpX7PMTv0TZjKI6xEgjyj07GTEgVsjoFC86eDr+BBj+awOey21c=;
X-YMail-OSG: rIwgEl8VM1lVHt0u3J3AQoFeNO_OFzilXbQPDy1mIq1C8qW WvS8cDwmxBHFdeRhk17sHLQfM17wzopQzY5xKq4tFxLNf0frk0S3SQe7zG5Z ZRuSppkb395bAsa.y2d1KtVgniPzScBRfSbixl6rMDbE63OTR7kHwgiKEufC KlmM.M9YnsDpVEOEAEkdJP7oG2ohU2mH0AQF4scl8JNZuGoE7HS5eBHzOxhp uvwbaDsdJIl1fxh8CNo9eRqam3nzI28M7ceSnoG3AdxOMTwIuqzlqQhoTlxj LOYBBqhrasnW85t5w3fYTv.HiE1ylIvnm17vSxEWX3H43bzunrR_dT7jTvxQ tEZw6udK4ilD1_LSSLNJH2STy_srsifKDxkGrbWcvbo2gjHdMoob7DFjl8bn MBaNtgf_tXxq.QjX3vSa7xU0KtJJ4q73g3SKVGkFf6GwJQkwdKP0vVDEZHd_ esUamCBAHCB.4c.NNxpl6ZGAWiAaJTe6JVLtLe7DoG5RJdygkgmF0S4ujGCW ZxKqmPje4FXzWJNNKFD44FsJsqHkt1ZX8lgBkfLbKW0XctVkDXAArZQSmdmx YDHveMxPHC4_2IVkORQ--
Received: from [209.131.62.115] by web31808.mail.mud.yahoo.com via HTTP; Fri, 17 Feb 2012 18:40:13 PST
X-RocketYMMF: william_john_mills
X-Mailer: YahooMailWebService/0.8.117.340031
References: <CAGmQQ9eorSS8jWgHZzw_Bq6Eb4Qj+fZ0NUuQx_KJwC_rasUCnA@mail.gmail.com>
Message-ID: <1329532813.89091.YahooMailNeo@web31808.mail.mud.yahoo.com>
Date: Fri, 17 Feb 2012 18:40:13 -0800
From: William Mills <wmills@yahoo-inc.com>
To: Wenjie Lin <lin.820@osu.edu>, "oauth@ietf.org" <oauth@ietf.org>
In-Reply-To: <CAGmQQ9eorSS8jWgHZzw_Bq6Eb4Qj+fZ0NUuQx_KJwC_rasUCnA@mail.gmail.com>
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="258328648-1100079058-1329532813=:89091"
Subject: Re: [OAUTH-WG] A Scope Attack against OAuth 2.0
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
Reply-To: William Mills <wmills@yahoo-inc.com>
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 18 Feb 2012 02:40:20 -0000

I don't think the problem as described is an attack per se, the user is able to modify the rights being granted.  The user is after all in control of what they want to allow.  In this case it looks like FBs implementation is pretty loose with the games apps and there's no guarantee you'll get the rights you want as a game developer.


What this scenario mean is that the integrity of the request from the game company to FB via the user's context does not have sufficient integrity guarantee.  It is certainly possible for the auth server to have a registry of known clients and expected scopes, and in fact the auth server is expected to communicate to the user what they are approving.


Can an attacker cause a user to approve a token with an unexpected scope?  That would be a big problem.



________________________________
 From: Wenjie Lin <lin.820@osu.edu>
To: oauth@ietf.org 
Sent: Friday, February 17, 2012 6:07 PM
Subject: [OAUTH-WG] A Scope Attack against OAuth 2.0
 

We describe an attack on OAuth 2.0 (draft-ietf-oauth-v2-23),
called scope attack, provide a
live-demo of the attack on Facebook, and propose a fix with discussions.
 
Scope Attack
OAuth authorization of services is
associated with service agreement scope. For instance, Client provides an
online game to User with a service agreement scopeA: User authorizes Client to
access his profile information and to post messages on his behalf. A
malicious User can request for online game with service agreement scopeA, manipulate the scope field, and change
it to scopeB: User authorizes Client to access his profile information. User can
still play the games,  yet Client
can’t post messages on User’s behalf, as originally agreed.
OAuth 2.0 authorization code grant
and implicit grant are vulnerable to the scope attack. 
 
A Scope Attack Scenario
(1) Authorization Server: Facebook
(authorization code grant)
(2) Client: Online gaming company Game.
It allows User to play the games with the service agreement scopeA: User authorizes Game to access his
profile information and post messages on his behalf.
(3) User: malicious User with an
account at Facebook. He attempts to play the games yet without authorizing Game
to post messages on his behalf, that is, he changes the scope from A to B:
authorization of Client to access his profile information only.
 
Attack Workflow
(1)User
requests Game (Client) for permission to play games, instantiating OAuth 2.0
with scopeA.
(2)Game
generates an authorization request with a scope specification A, and redirects User to Facebook with
the request.
(3)User
manipulates the scope field and changes it to scopeB. The modified request is then sent to Facebook.
(4)User
grants the modified request.
(5)Facebook
redirects User back to Game with the authorization code.
(6)Game
exchanges the authorization code for an access token. However it has no
knowledge that the scopeA has been
changed to scopeB. 
(7)Game
provides online gaming service to User. However, Game can’t post messages on
User’s Facebook page.
 
A Live-Demo: Facebook
and CastleVille (IE and Safari tested)
Step 1: Login Facebook and visit Facebook
Apps and Game page 
https://www.facebook.com/games
Step 2: Click CastleVille.
Step 3: When you see the Request
for Permission page, instead of 
clicking “Allow”, change the scope
field in the URL from your browser from  “scope=email%2Cpublish_stream%2Cpublish_actions” to “scope=email%2Cpublish_stream”.
Step 4: After the modification,
press ENTER to send the modified 
request to Facebook. Now you will
see the modified Request of Permission page.
Step 5: Click on “Allow” button and
enjoy the game.
(video: http://www.youtube.com/watch?v=zkmjLa3VU9w)
 
Impact
Client provides services to
malicious User yet with the modified service agreement scope by User’s design. 
 
Manipulating Scope
Field
The scope field in access token
response is required ONLY IF Authorization Server observes that the User authorized
scope is different than the original scope. Consequently, User can manipulate
the scope field so that Authorization Server cannot detect the change of the scope.
As a result Client provides the services yet can’t obtain the information that
is specified in the scope of the original service agreement.
Client can verify the service agreement scope
by checking all the fields against the original User request before providing
the requested services to User.  For
instance, Client can verify the granted permissions if Authorization Server
(e.g. Facebook)  provides an API. However,
this is out of the scope of OAuth 2.0, and Client may not check it. We observe:
all top five games recommended by Facebook are vulnerable to the scope attack. 
 
Proposed Fix
Draft-ietf-oauth-v2-23 Section 5.1:
Change from
“scope
         OPTIONAL, if
identical to the scope requested by the client,
         otherwise REQUIRED.”
to 
“scope REQUIRED” /* scope: User authorized scope */
 
Remarks
(1)The
proof of the correctness of OAuth with our proposed fix will be published in an
article: “OAuth 2.0 – Attacks, Fixes,
Correctness, and Generalizations, Wenjie Lin, David Lee and Steve Lai, to
appear”.
(2)The
implicit grant is also vulnerable to the scope attack. However it cannot be
fixed by enforcing scope field in access token response as above; User can change
the scope in response before being redirected to Client.
 
Wenjie Lin, The Ohio State University 
David
Lee, HP Labs and The Ohio State University
Steve Lai, The Ohio State University
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth

v2.23.0 | Report a Bug | By Email