IETF Logo Mail Archive

Re: [OAUTH-WG] A Scope Attack against OAuth 2.0

Wenjie Lin <lin.820@osu.edu> Fri, 24 February 2012 01:02 UTC

Return-Path: <wenjielin.bupt@gmail.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6887D11E8096 for <oauth@ietfa.amsl.com>; Thu, 23 Feb 2012 17:02:54 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.76
X-Spam-Level:
X-Spam-Status: No, score=-2.76 tagged_above=-999 required=5 tests=[AWL=0.216, BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 7rk-r7ER500X for <oauth@ietfa.amsl.com>; Thu, 23 Feb 2012 17:02:52 -0800 (PST)
Received: from mail-iy0-f172.google.com (mail-iy0-f172.google.com [209.85.210.172]) by ietfa.amsl.com (Postfix) with ESMTP id A931611E808E for <oauth@ietf.org>; Thu, 23 Feb 2012 17:02:52 -0800 (PST)
Received: by iagf6 with SMTP id f6so2819239iag.31 for <oauth@ietf.org>; Thu, 23 Feb 2012 17:02:52 -0800 (PST)
Received-SPF: pass (google.com: domain of wenjielin.bupt@gmail.com designates 10.50.154.200 as permitted sender) client-ip=10.50.154.200;
Authentication-Results: mr.google.com; spf=pass (google.com: domain of wenjielin.bupt@gmail.com designates 10.50.154.200 as permitted sender) smtp.mail=wenjielin.bupt@gmail.com; dkim=pass header.i=wenjielin.bupt@gmail.com
Received: from mr.google.com ([10.50.154.200]) by 10.50.154.200 with SMTP id vq8mr75805igb.14.1330045372461 (num_hops = 1); Thu, 23 Feb 2012 17:02:52 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=mime-version:sender:in-reply-to:references:from:date :x-google-sender-auth:message-id:subject:to:cc:content-type; bh=usYMtwRzgPhBE+QCP78egj75irXuyq1/+B/jmfzakdw=; b=eRJYRRLmQJTrtvIIg0uJe2dMQr52E+RGnSC7I9gcqxCjud9rdXLfTY3oGeEUEl3UG6 HoQejq4EG8MccPnoCeyCYzputA09N4cs0j+z5wDTMCMEaGL0ATHxBPScQOmZxSSjyrRW 5bUZu1PElxHviMQ8AhzyI8ndpt96JOaxR3dYs=
Received: by 10.50.154.200 with SMTP id vq8mr64347igb.14.1330045372186; Thu, 23 Feb 2012 17:02:52 -0800 (PST)
MIME-Version: 1.0
Sender: wenjielin.bupt@gmail.com
Received: by 10.42.139.138 with HTTP; Thu, 23 Feb 2012 17:02:32 -0800 (PST)
In-Reply-To: <34134676-9D51-4975-AD77-8AD34C3342B7@gmail.com>
References: <CAGmQQ9eorSS8jWgHZzw_Bq6Eb4Qj+fZ0NUuQx_KJwC_rasUCnA@mail.gmail.com> <OF7789D618.84BDC5CF-ON4A2579A8.0023CB58-4A2579A8.0024278F@au1.ibm.com> <5D97D44A-FF8A-4E67-B22D-FB6019162800@ve7jtb.com> <CAGmQQ9fA6DT=-uBZUFgB=Kz6zr=eGSQUUp6X0w1QyD=O0wZy5Q@mail.gmail.com> <1329626093.59538.YahooMailNeo@web31804.mail.mud.yahoo.com> <CAGmQQ9egR9DGg6LTQVzVxiq1of=WT2Ysv9EEzoK+5b7evwfiOg@mail.gmail.com> <1329860601.42679.YahooMailNeo@web31806.mail.mud.yahoo.com> <5F0D5C92-1228-4A3E-8CFF-05DC309B4084@ve7jtb.com> <2BFDC979-1767-4CD7-9D22-B7657EB15121@gmail.com> <6F478836-0DB8-4D7F-8954-5D127C0DA6AE@ve7jtb.com> <CAEwGkqBZfE_n7wRWN33_jT2C8Yh0LfSy5Ex2pt+34KquiCw80A@mail.gmail.com> <C9A3D0A2-C845-4C71-90EC-1B3D01F48627@ve7jtb.com> <CAGmQQ9egdL-TtHtYpRUtL+6CNK=BfRWTM1J4gDZ2akivBokqMQ@mail.gmail.com> <34134676-9D51-4975-AD77-8AD34C3342B7@gmail.com>
From: Wenjie Lin <lin.820@osu.edu>
Date: Thu, 23 Feb 2012 17:02:32 -0800
X-Google-Sender-Auth: 9dN_GF1_BJWOKek2LcWNuS-byDE
Message-ID: <CAGmQQ9exFKLCC3nbabgcoDhhfQxfDUcwydORbTtqh7v=tzwW5g@mail.gmail.com>
To: Kristoph <kristoph@gmail.com>
Content-Type: multipart/alternative; boundary="14dae9340821f1c0ac04b9ab5154"
Cc: "Lee, David" <david.lee10@hp.com>, "oauth@ietf.org (oauth@ietf.org)" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] A Scope Attack against OAuth 2.0
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 24 Feb 2012 01:02:54 -0000

As we have shown in our Feb 17th email, the negative consequence is a
violation by the user of the service agreement, that is, the user is able
to play the game but the client cannot post messages on behalf of the user.*
***


*"Scope Attack*

OAuth authorization of services is associated with service agreement scope.
For instance, Client provides an online game to User with a service
agreement scope* A:* *User authorizes Client to access his profile
information and to post messages on his behalf*. A malicious User can
request for online game with service agreement scope* A*, manipulate the
scope field, and change it to scope* B*: *User authorizes Client to access
his profile information*. User can still play the games,  yet Client can’t
post messages on User’s behalf, as originally agreed."

**

- W. Lin and D. Lee

On Thu, Feb 23, 2012 at 4:22 PM, Kristoph <kristoph@gmail.com> wrote:

> Privilege de-escalation is not an attack. Your argument comes down to "I
> can change something and no error is shown so it's an attack" but you've
> not actually shown any sort of negative consequence because, you know,
> there isn't one.
>
> ]{
>
> On Feb 23, 2012, at 3:55 PM, Wenjie Lin wrote:
>
> > We assume that the authorization server is trustworthy and won’t do
> anything that violates the spec. We want to prevent attacks by the client
> on the user, as well as the attacks by the user on the client.
> >
> > The scope attack is by the user on the client. From the point view of
> the user it is not an attack. However, the client takes it as an attack;
> the user violates the service agreement by the client who may have no
> knowledge about it, unless the authorization server always sends him the
> authorized scope information when granting an access token, as we've
> proposed, and the client can figure out the difference/violation and decide
> how to deal with it.
> >
> > When the client identifies the difference between his specified scope
> and that in the access token, he can choose to abort or continue the
> service, or take other actions. This is an implementation issue and is
> beyond the scope of OAuth. There are other possible anomalies from
> implementations, such as revocation of the scope by the user. However, they
> are not well specified in the current spec and we take them as an
> implementation rather than a protocol issue.
> >
> > There might be applications where the client would not perceive scope
> attack as an attack if he could allow any changes of the service agreement
> scope by the user. If OAuth were aimed for such clients only, it would
> significantly limit the applicability of the protocol.
> >
> > We appreciate the insightful discussions on how the client could check
> and handle the scope differences and beyond. They are extremely helpful for
> the implementers.
> >
> > -W. Lin and D. Lee
> >
> > On Tue, Feb 21, 2012 at 4:59 PM, John Bradley <ve7jtb@ve7jtb.com> wrote:
> > Yes,  OpenID Connect deals with the issue by using a signed request
> extension in the cases where the client needs to be certain the request is
> only from the legitimate client and not tampered with.
> >
> > As you observe anyone can send a request the client_id and redirect_uri
> are not secret in any way.
> >
> > Though a well behaved client should be using state to check for XSRF
> attacks. (that is a real attack)
> >
> > Signed requests have uses,  but are not core to OAuth.
> >
> > John B.
> > On 2012-02-21, at 9:38 PM, André DeMarre wrote:
> >
> > > The consensus seems to be, and I agree, that this shouldn't be
> > > considered an "attack," but that's really just nomenclature. I do
> > > concede that there is a spec issue here that I failed to appreciate at
> > > first. Where draft-ietf-oauth-v2-23 section 3.3 says "If the issued
> > > access token scope is different from the one requested by the client,"
> > > it suggests that the authorization server knows what was requested by
> > > the client. That isn't strictly true; it only knows what was in the
> > > authorization request, not who put it there. For the client to truly
> > > know what the auth server wants, (1) it would need to communicate
> > > directly with the client, (2) the client would need to preregister its
> > > desired scope, or (3) the client would need to sign a message that the
> > > user passes to the authorization endpoint. 1 and 3 are clearly not
> > > compatible with the spec, 2 might be; but that's not the point.
> > >
> > > A more correct statement in section 3.3 would be "If the issued access
> > > token scope is different from the one in the authorization request..."
> > >
> > > Regards,
> > > Andre DeMarre
> > >
> > > On Tue, Feb 21, 2012 at 3:01 PM, John Bradley <ve7jtb@ve7jtb.com>
> wrote:
> > >>
> > >> On 2012-02-21, at 7:32 PM, Nicholas Devenish wrote:
> > >>
> > >>>
> > >>> On 21 Feb 2012, at 21:59, John Bradley wrote:
> > >>>> This 'attack'  is one that only works with badly designed clients
> that are making unwarranted assumptions about the behaviour of the
> Authorization server.
> > >>>
> > >>> Unwarranted assumptions? The spec in 3.3 says:
> > >>>
> > >>> "If the issued access token scope is different from the one
> requested by the client, the authorization server MUST include the "scope"
> response parameter to inform the client of the actual scope granted."
> > >>>
> > >>> - It says MUST; therefore any server that doesn't do this is
> non-compliant?
> > >>> - It says scope different from the one requested by the *client*.
> The possibility that the resource owner intercepts this request and changes
> it doesn't seem to be considered here (it is not strictly the clients
> request if that happens)
> > >>> - The purpose seems to be that the client should be told if the
> scope changes; this would be important if the client requires a certain
> scope level to work (though this could be solved more generally in many
> other ways that wouldn't be in the scope of the oauth spec)
> > >>>
> > >>> Thus, assuming that the server is stating compliance, isn't the
> assumption completely warranted?
> > >>
> > >> No the authorization server may at any time for any reason remove a
> scope from a granted access_token or refresh_token.
> > >>
> > >> Reporting back changes in scopes granted along with the access_token
> is a convenience not a security feature.
> > >>
> > >> Assuming it is a security feature and those scopes will continue to
> be valid for the token after granting is a bad design given the OAuth 2
> spec.
> > >>>
> > >>>> The only way for a client to know if a token has a scope it to try
> it, or use a introspection endpoint.  End of story.
> > >>>
> > >>> An introspection endpoint obviously isn't part of the specification,
> so isn't relevant to the discussion (though it solves the discussed
> facebook issue).
> > >>>
> > >>> You are right though, that the only way for a client to know for
> sure is to try to use it; Even if the spec mandated always returning the
> scope to the client, the user could always intercept the return redirection
> (assuming a non-confidential client) and change the scope there.
> > >>>
> > >>> Perhaps MUST should change to SHOULD, given that this essentially
> seems unenforceable?
> > >>
> > >> A SHOULD may lead people to the conclusion that it is secure.   I am
> happy with saying it is not secure the only want to know is to have the
> client be prepared to deal with tokens that do not contain the desired
> scope when used.   That is the only 100% solution.
> > >>
> > >> John B.
> > >>
> > >>
> > >>
> > >>
> > >> _______________________________________________
> > >> OAuth mailing list
> > >> OAuth@ietf.org
> > >> https://www.ietf.org/mailman/listinfo/oauth
> > >>
> >
> >
> >
> >
> > --
> > Wenjie Lin
> > _______________________________________________
> > OAuth mailing list
> > OAuth@ietf.org
> > https://www.ietf.org/mailman/listinfo/oauth
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>



-- 
Wenjie Lin

v2.23.0 | Report a Bug | By Email