Re: [OAUTH-WG] Recap of two well known OAuth related attacks
John Bradley <ve7jtb@ve7jtb.com> Fri, 17 May 2013 19:43 UTC
Return-Path: <ve7jtb@ve7jtb.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C61A221F922A for <oauth@ietfa.amsl.com>; Fri, 17 May 2013 12:43:53 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.258
X-Spam-Level:
X-Spam-Status: No, score=-1.258 tagged_above=-999 required=5 tests=[AWL=-1.114, BAYES_00=-2.599, FRT_ADOBE2=2.455]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id pMwvhETlCwwC for <oauth@ietfa.amsl.com>; Fri, 17 May 2013 12:43:53 -0700 (PDT)
Received: from mail-ea0-x229.google.com (mail-ea0-x229.google.com [IPv6:2a00:1450:4013:c01::229]) by ietfa.amsl.com (Postfix) with ESMTP id 7018B21F968D for <oauth@ietf.org>; Fri, 17 May 2013 12:43:52 -0700 (PDT)
Received: by mail-ea0-f169.google.com with SMTP id m14so2798455eaj.0 for <oauth@ietf.org>; Fri, 17 May 2013 12:43:51 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=x-received:content-type:mime-version:subject:from:in-reply-to:date :cc:message-id:references:to:x-mailer:x-gm-message-state; bh=9hXN1dNqHIlxpc6z9yM34v7CLWE5Wi8WwXeUYCkipzM=; b=WwaLSOC6vCSMp1pEzjCmoRVIJ3KKGBnH1lx5huDNzzrZ0+ubx2pEYe0KWfSLPWsuIb 1JLKnlkjQhQN0uc1L7TBYlFTQzSMOrM+T+//b+WAuBsm38CUi25gHNOwn08EwfrJiv/i eHlvlyRFVuYKt67q8+KpN3H7iTHt+PPtYMSRhx93N1eenfeo48juXFKSChwCyaLQMhTd yPSuzcImh+Dfme4Fgu9AU+z+JZ0CEv797yVRc5y9pQ800TfxFmIXDmSw5+8kVfSwcl57 QGKr86L+Ea+4wS5pnswAVHihP1FXd38QMP57OvSj+8GsrgI4Cmga32RjWeo+9vjInNqY w1xA==
X-Received: by 10.15.49.199 with SMTP id j47mr88952767eew.24.1368819831395; Fri, 17 May 2013 12:43:51 -0700 (PDT)
Received: from [10.121.233.103] ([195.50.165.102]) by mx.google.com with ESMTPSA id n7sm21105375eeo.0.2013.05.17.12.43.42 for <multiple recipients> (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Fri, 17 May 2013 12:43:49 -0700 (PDT)
Content-Type: multipart/signed; boundary="Apple-Mail=_3DC5F8FD-0693-4699-9B1C-B0015619E00A"; protocol="application/pkcs7-signature"; micalg="sha1"
Mime-Version: 1.0 (Mac OS X Mail 6.3 \(1503\))
From: John Bradley <ve7jtb@ve7jtb.com>
In-Reply-To: <4B7A9E06-D5F6-4F81-AAD4-1C8F33B5E564@adobe.com>
Date: Fri, 17 May 2013 21:43:46 +0200
Message-Id: <5FB00E1D-7F00-4033-A475-922C67A3F0F8@ve7jtb.com>
References: <DC65FEE5-9CA0-45CF-B44B-912F0474C4DB@adobe.com> <2AF08A9B-0E0A-42E1-9575-E582065D66D8@mitre.org> <59E470B10C4630419ED717AC79FCF9A96599A278@BY2PRD0411MB441.namprd04.prod.outlook.com> <B21D32C7-A3D5-4CD9-8FF5-DC6566D7E246@ve7jtb.com> <4B7A9E06-D5F6-4F81-AAD4-1C8F33B5E564@adobe.com>
To: Antonio Sanso <asanso@adobe.com>
X-Mailer: Apple Mail (2.1503)
X-Gm-Message-State: ALoCoQnLaH07vFvGvCrQfRZg4reXpdLpnJI9zQSQ4NTFk2xcxqIoONC63huSA46puYWptYU6z//t
Cc: "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Recap of two well known OAuth related attacks
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 17 May 2013 19:43:53 -0000
Yes redirect URI matching is a problem. In Connect we mandate an exact match because people are really bad at securing open relays. Trying to pattern match the redirect also allows an attacker to circumvent the fragment processing of the browser and generally increase the possible attack surface. There is the state parameter that can be used to maintain a relay state at the client, there is no real need for anything other than an exact match. Anything other than an exact match on the registered redirect will lead to sadness due to the client inevitably being unclear on the pattern matching rules. John B. On 2013-05-17, at 9:06 PM, Antonio Sanso <asanso@adobe.com> wrote: > Hi *, > > > I was wondering what you thing about the second "issue" described (the "Lassie come home"). > > I have encountered lately in one enterprise installation and I think is fairly easy to make it wrong as well. > > Regards > > Antonio > > On May 17, 2013, at 5:46 PM, John Bradley wrote: > >> The implicit flow is secure in Connect, but we added a number of things to make it so. >> >> The reason to have it in OAuth 2 is for clients in the browser there are use cases for that and it allows the browser to receive and extract the token without passing it to a web server backend. >> Used as intended it is fine as the browser based JS App is receiving the the token directly over TLS so there is no substitution attack possible. >> >> The problem is when the client is not in the browser the browser itself is an attack surface, that an attacker can use to confuse a client. >> >> If people want to do SSO based on OAuth they need to follow the example of Google, PayPal and others who are implementing Connect rather than rolling there own protocol on top of OAuth 2. >> >> John B. >> >> >> On 2013-05-17, at 5:22 PM, Lewis Adam-CAL022 <Adam.Lewis@motorolasolutions.com> wrote: >> >>> One wonders that - if in hindsight - the implicit flow was a mistake to include in the framework. Yes it saves a single round trip for use cases where the tokens are exposed to the UA, but it's not clear that optimization is worth the security headaches that are going to be caused down the road (or are already going on for that matter) by people using it in scenarios where it should not be (because as stated, it is easier). Probably would have been better to let the subset of cases that didn't need the extra step of the code just go ahead and implement it anyway, and ensure that the majority of native apps use cases would have been implemented with better security. >>> >>> adam >>> >>> -----Original Message----- >>> From: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] On Behalf Of Richer, Justin P. >>> Sent: Wednesday, May 15, 2013 3:22 PM >>> To: Antonio Sanso >>> Cc: "WG <oauth@ietf.org>"@il06exr01.mot.com >>> Subject: Re: [OAUTH-WG] Recap of two well known OAuth related attacks >>> >>> The biggest problem with this attack is the passing of the access token to a backend server (and its subsequent passing of that token to someone else) and the assumption that the presentation of the access token means that the user is authenticated and present. It simply doesn't mean that, and this is a bad assumption that unfortunately many people make thanks to providers like Facebook using OAuth (or, mostly-OAuth since they're not actually RFC compliant) in the authentication protocol. >>> >>> It's also a problem that so many people are using the implicit flow "because it's easy", missing the point of why it's there in the first place. The implicit flow is really only intended for cases where you can't hide secrets from the user agent, cases like an in-browser application. The flow diagrams that you have don't fit the implicit flow very well at all, since the access token is getting passed back to some other service. >>> >>> -- Justin >>> >>> On May 13, 2013, at 11:14 AM, Antonio Sanso <asanso@adobe.com> >>> wrote: >>> >>>> Hi *, >>>> >>>> I wrote a blog post showing two well known OAuth related attacks. I paste here the link for your consideration: >>>> >>>> http://intothesymmetry.blogspot.ch/2013/05/oauth-2-attacks-introducing-devil-wears.html >>>> >>>> Any comment is more than appreciated. >>>> >>>> Regards >>>> >>>> Antonio >>>> _______________________________________________ >>>> OAuth mailing list >>>> OAuth@ietf.org >>>> https://www.ietf.org/mailman/listinfo/oauth >>> >>> _______________________________________________ >>> OAuth mailing list >>> OAuth@ietf.org >>> https://www.ietf.org/mailman/listinfo/oauth >>> >>> >>> >>> >>> >>> _______________________________________________ >>> OAuth mailing list >>> OAuth@ietf.org >>> https://www.ietf.org/mailman/listinfo/oauth >> >
- [OAUTH-WG] Recap of two well known OAuth related … Antonio Sanso
- Re: [OAUTH-WG] Recap of two well known OAuth rela… Richer, Justin P.
- Re: [OAUTH-WG] Recap of two well known OAuth rela… Lewis Adam-CAL022
- Re: [OAUTH-WG] Recap of two well known OAuth rela… John Bradley
- Re: [OAUTH-WG] Recap of two well known OAuth rela… Antonio Sanso
- Re: [OAUTH-WG] Recap of two well known OAuth rela… John Bradley