Re: [OAUTH-WG] hijacking client's user account

Nat Sakimura <sakimura@gmail.com> Fri, 24 April 2015 04:53 UTC

From: Nat Sakimura <sakimura@gmail.com>
Date: Fri, 24 Apr 2015 04:52:44 +0000
Message-ID: <CABzCy2AOE_ZrP65q61S7-FLGai8rrECKxYSSiWY1bg39gD-77w@mail.gmail.com>
To: Thomas Broyer <t.broyer@gmail.com>, Justin Richer <jricher@mit.edu>, mar adrian belen <maradrianbelen@gmail.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/oauth/Qyc-fNYxJ_26RN2GIbNcHWZx4O4>
Cc: "<oauth@ietf.org>" <oauth@ietf.org>

You know, using an email address as a verified user identifier is an appallingly
bad idea. Even if it were verified at enrollment time, if the mail
address was recycled, the original account holder is screwed. It has been
known for so many years now, and finding that sites still do that makes me
sad.

Nat

On Wed, 22 Apr 2015 at 9:22, Thomas Broyer <t.broyer@gmail.com> wrote:

> Also, this is not news:
> http://securityintelligence.com/spoofedme-social-login-attack-discovered-by-ibm-x-force-researchers/
>
> On Wed, Apr 22, 2015 at 5:02 PM Justin Richer <jricher@mit.edu> wrote:
>
>> This seems to be not a problem with OAuth but with misusing OAuth as an
>> authentication protocol:
>>
>> http://oauth.net/articles/authentication/
>>
>> And with trusting unverified claims from a third party IdP (such as a
>> self-asserted email address), which is covered in the OpenID Connect
>> specification, an authentication protocol built on top of OAuth:
>>
>> http://openid.net/specs/openid-connect-core-1_0.html#ClaimStability
>>
>> You should probably let the client know in this case that they should not
>> be using the email address as a key if they’re not verifying it themselves.
>> If the authentication article can be updated to include this misuse, please
>> help us amend it!
>>
>>  — Justin
>>
>> On Apr 20, 2015, at 8:55 PM, mar adrian belen <maradrianbelen@gmail.com>
>> wrote:
>>
>> Some web applications are using OAuth 2 as a login alternative. I found a
>> way to access a client application using an unverified email (the victim's
>> email) on an OAuth provider: if the OAuth provider allows an unverified
>> email to use its OAuth service, this can be abused by an attacker. This is
>> possible if the client provider directly logs the user in (using OAuth)
>> when his email already exists in their records.
>>
>> * User joe has an account on CLIENT A using his email address
>> victimjoe@test.com, but does not have an OAuth provider account. The
>> attacker knows that.
>>
>> * Now the attacker creates a new OAuth provider account using
>> victimjoe@test.com.
>>
>> * Because an unverified email can use the OAuth provider's OAuth, and
>> CLIENT A is using the OAuth provider's OAuth as an alternative login, the
>> attacker can now access the victim's client application (CLIENT A) account
>> using the login alternative function.
>>
>> You can try GitHub (OAuth provider) and https://sprint.ly/ (client).
>>
>> https://www.dropbox.com/s/jhrgn311i0e28pc/hijackoauthclient_x264.mp4?dl=0
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth
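The client-side mistake the quoted report describes, and the claim-verification point Justin raises, as an added example that is not code from this thread or from any of the sites named in it: a "login with OAuth" handler that keys identity on the IdP's (iss, sub) pair and auto-links an existing local account by email only when the IdP asserts `email_verified` and is on an assumed trust list (`TRUSTED_VERIFIERS`, constructed). The sample accounts and claim sets are constructed.

```python
# Added example (not from this thread): a client-side "login with OAuth"
# handler that avoids the account takeover described in the quoted report.
# Identity is keyed on the IdP's (iss, sub) pair; an email claim may only
# auto-link an existing local account when the IdP asserts email_verified
# and the client trusts that IdP to have actually verified it.
from dataclasses import dataclass, field

TRUSTED_VERIFIERS = {"https://idp.example"}  # constructed allowlist


@dataclass
class Account:
    email: str
    linked: set = field(default_factory=set)  # {(iss, sub), ...}


def sample_accounts():
    # Constructed state: victim "joe" has a password-only account at CLIENT A.
    return {"victimjoe@test.com": Account("victimjoe@test.com")}


def login_vulnerable(accounts, claims):
    """The pattern from the report: any IdP identity carrying a matching
    email is logged in as the local account, verified or not."""
    acct = accounts.get(claims.get("email"))
    return ("login", acct.email) if acct else ("signup", claims["sub"])


def login_hardened(accounts, claims):
    iss, sub = claims["iss"], claims["sub"]
    # 1. An identity linked earlier logs in regardless of its email claims.
    for acct in accounts.values():
        if (iss, sub) in acct.linked:
            return ("login", acct.email)
    email = claims.get("email")
    existing = accounts.get(email) if email else None
    if existing is None:
        # 2. Unknown identity: start signup keyed on (iss, sub), never on email.
        return ("signup", (iss, sub))
    # 3. A local account with this email exists: auto-link only when the IdP
    #    asserts verification (boolean true) and is trusted to have done it.
    if claims.get("email_verified") is True and iss in TRUSTED_VERIFIERS:
        existing.linked.add((iss, sub))
        return ("login", existing.email)
    # 4. Otherwise the user must prove ownership of the existing account
    #    (e.g. with its password) before the identities are linked.
    return ("link_required", existing.email)
```

The `is True` check deliberately rejects a string `"true"` or a missing claim, so an IdP that omits `email_verified` is treated as unverified.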