Re: [OAUTH-WG] Same Origin Method Execution (SOME)

Justin Richer <jricher@mit.edu> Mon, 29 June 2015 15:36 UTC

From: Justin Richer <jricher@mit.edu>
In-Reply-To: <CABzCy2CizHGqQFyMvo2BKHZHC0JgVqweK=YS7Ycsb01o2cfE1g@mail.gmail.com>
Date: Mon, 29 Jun 2015 11:36:22 -0400
Message-Id: <14F3933F-C943-4B7E-8C92-11CB227FB1A7@mit.edu>
References: <B1C45938-9B95-4059-8235-0745216DFF60@adobe.com> <DACC2E36-E0E1-47C9-BC8F-CDEB1C13939D@ve7jtb.com> <51B1A21C-4893-403E-AE00-33F4B7827346@adobe.com> <CABzCy2AA+MbxS-_GX3m-cYL9GVdOYjLhkEYGVb4q_8wbz7wUjQ@mail.gmail.com> <CABzCy2CizHGqQFyMvo2BKHZHC0JgVqweK=YS7Ycsb01o2cfE1g@mail.gmail.com>
To: Nat Sakimura <sakimura@gmail.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/oauth/TAwIaBDYAw-jfZhU8P9i8dAjXhQ>
Cc: "<oauth@ietf.org>" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Same Origin Method Execution (SOME)

Right, even though it’s not an OAuth problem, it’s a problem that is more likely to come up and cause damage in situations that OAuth brings about (the pop-up redirect page that Nat mentions). So, just like the advice to use the system browser on mobile platforms, I think it’d be good to have actual advice for developers so that they can avoid doing this.

 — Justin

> On Jun 29, 2015, at 11:22 AM, Nat Sakimura <sakimura@gmail.com> wrote:
> 
> s/Year/Yeah/
> 
> 2015-06-30 0:22 GMT+09:00 Nat Sakimura <sakimura@gmail.com <mailto:sakimura@gmail.com>>:
> Year, from my skimming of the paper, it requires a page that executes arbitrary callback function given as a parameter. 
> It is absolutely stupid to do it, but apparently there are such pages. 
> Prime candidate happens to be OAuth Redirection Endpoint. 
> By itself, it probably will not do much harm because you cannot do many things in that window itself, 
> but if the window is a pop-up and keeps a parent context, it will essentially be able to 
> remote control the parent window to do much more harm. 
> 
> So, it is not an OAuth problem per se. 
> 
> However, it may be worthwhile to tell the developers to make sure that the redirection endpoint 
> accepts only a valid OAuth payload and does not execute anything in the parameter. 
> 
> Nat
> 
> 2015-06-25 19:48 GMT+09:00 Antonio Sanso <asanso@adobe.com <mailto:asanso@adobe.com>>:
> hi John
> 
> On Jun 25, 2015, at 1:42 AM, John Bradley <ve7jtb@ve7jtb.com <mailto:ve7jtb@ve7jtb.com>> wrote:
> 
>> Thanks for the info,
>> 
>> As I read it, this is an attack on Java Script callbacks. 
>> 
>> The information tying it to OAuth is not clear.
>> 
>> Is the issue relating to JS people using the implicit flow and the JS loaded from the client somehow being vulnerable?
>> 
>> Or is this happening in the JS after authorization in calls to other resources from the same origin, and it is just coincidence that people are using OAuth.
> 
> It's more the second one :) Extrapolating from the white paper [0]
> 
> "The most common technique tasked with fulfilling
> the above described need is OAuth. In order to gain access to third-party resources
> using OAuth, the service shall utilize a third-party endpoint (OAuth dialog) that will
> ask for the resource owner's approval. The problem with this process is that redirecting
> the service to an OAuth dialog means losing the content of the currently open service
> document. For overcoming this problem, developers open a pop-up window to display
> the dialog in a singular browsing context. Once the user permits or denies access to
> the service, the OAuth dialog pop-up will be redirected to render a callback endpoint
> hosted on the service domain. This document should eventually notify the service that
> the process has been completed.
> For the new pop-up window to notify the service window upon approval, denial or for
> it to transfer access tokens or similar data, developers may implement callback endpoints
> that use a script referencing the "opener" window for executing a callback method of the
> service. When developers also opted for providing the service with the decision on how
> to "call it back" through a callback parameter, the entire domain becomes vulnerable to
> SOME."
> 
> regards
> 
> antonio
> 
> [0] http://files.benhayak.com/Same_Origin_Method_Execution__paper.pdf <http://files.benhayak.com/Same_Origin_Method_Execution__paper.pdf>
> 
>> 
>> Understanding if there is any OAuth specific advice to give would be helpful.   I see there are ways to prevent the SOME exploit.
>> 
>> Regards
>> John B.
>> 
>> 
>>> On Jun 24, 2015, at 4:18 PM, Antonio Sanso <asanso@adobe.com <mailto:asanso@adobe.com>> wrote:
>>> 
>>> hi *, just sharing.
>>> 
>>> Not directly related to OAuth per se but it exploits several OAuth client endpoints due to some common developers pattern http://www.benhayak.com/2015/06/same-origin-method-execution-some.html <http://www.benhayak.com/2015/06/same-origin-method-execution-some.html> (concrete example in http://www.benhayak.com/2015/05/stealing-private-photo-albums-from-Google.html <http://www.benhayak.com/2015/05/stealing-private-photo-albums-from-Google.html>)
>>> 
>>> regards
>>> 
>>> antonio
>>> _______________________________________________
>>> OAuth mailing list
>>> OAuth@ietf.org <mailto:OAuth@ietf.org>
>>> https://www.ietf.org/mailman/listinfo/oauth <https://www.ietf.org/mailman/listinfo/oauth>
>> 
> 
> -- 
> Nat Sakimura (=nat)
> Chairman, OpenID Foundation
> http://nat.sakimura.org/ <http://nat.sakimura.org/>
> @_nat_en
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
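The thread's advice for the redirection endpoint (accept only a valid OAuth payload, execute nothing from the parameters) as an added example; this is not code from the thread or from the SOME paper, and the handler and parameter names are hypothetical:

```javascript
// Added example (not from the thread or the SOME paper): a hardened handler for
// an OAuth redirection endpoint opened in a pop-up. The pattern the thread warns
// about is a page doing window.opener[params.callback](...), executing whatever
// method name arrives in the URL. Here no query parameter is ever treated as
// code: the payload is validated and a single fixed handler on the opener is
// called. Handler and parameter names are hypothetical.

const OAUTH_PARAMS = ["code", "state", "error", "error_description"];

// Keep only OAuth response parameters; a "callback" parameter is dropped here.
function parseRedirectQuery(query) {
  const params = new URLSearchParams(query);
  const out = {};
  for (const k of OAUTH_PARAMS) {
    if (params.has(k)) out[k] = params.get(k);
  }
  return out;
}

// Check the payload is an OAuth authorization response bound to this flow:
// state must equal the value stored before the pop-up was opened.
function validateOAuthPayload(payload, expectedState) {
  if (typeof payload.state !== "string" || payload.state !== expectedState) {
    return { ok: false, reason: "state mismatch" };
  }
  if (typeof payload.error === "string") {
    return { ok: true, result: { error: payload.error } };
  }
  // Codes are opaque, but restricting the character set keeps markup and
  // script fragments out of what is handed to the opener.
  if (typeof payload.code !== "string" || !/^[A-Za-z0-9._~-]{1,512}$/.test(payload.code)) {
    return { ok: false, reason: "missing or malformed code" };
  }
  return { ok: true, result: { code: payload.code } };
}

// Deliver the result to the opener through a fixed method chosen by the
// application, never by the URL. `opener` is injected so this runs without a
// browser; in a real page it is window.opener (and may be null).
function notifyOpener(opener, query, expectedState) {
  if (!opener || typeof opener.onOAuthDone !== "function") {
    return { delivered: false, reason: "no opener handler" };
  }
  const v = validateOAuthPayload(parseRedirectQuery(query), expectedState);
  if (!v.ok) return { delivered: false, reason: v.reason };
  opener.onOAuthDone(v.result);
  return { delivered: true };
}
```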