Re: [OAUTH-WG] Phishing with Client Application Name Spoofing

André DeMarre <> Fri, 04 November 2011 00:09 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 382311F0C85 for <>; Thu, 3 Nov 2011 17:09:43 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.999
X-Spam-Status: No, score=-2.999 tagged_above=-999 required=5 tests=[AWL=-0.300, BAYES_00=-2.599, J_CHICKENPOX_75=0.6, MIME_8BIT_HEADER=0.3, RCVD_IN_DNSWL_LOW=-1]
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id RmtOQSAZX97x for <>; Thu, 3 Nov 2011 17:09:42 -0700 (PDT)
Received: from ( []) by (Postfix) with ESMTP id 7078A1F0C59 for <>; Thu, 3 Nov 2011 17:09:40 -0700 (PDT)
Received: by iaeo4 with SMTP id o4so2459487iae.31 for <>; Thu, 03 Nov 2011 17:09:40 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=gamma; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type:content-transfer-encoding; bh=pYgcX4T5Sif+5R4nvVwfK+6yoCeD/AIcaaOGpAAhoOY=; b=DyuO+X5Ok2FUBGF4e0vvN8D8jD7tyj46DFFuih8vnvxqBmPfZarY4bj809hQ5PQ/w6 A+0r5IJcm+pVwPQ2LBQIubWSraMOzl83ErH/OPMy3HzfNlKGmtn9gGsrC5YMkK3bBJzo anOG4Uqbvd8Kflqi99eOlMz5JOEREY4pvPmpY=
MIME-Version: 1.0
Received: by with SMTP id u1mr11988819icq.24.1320365379936; Thu, 03 Nov 2011 17:09:39 -0700 (PDT)
Received: by with HTTP; Thu, 3 Nov 2011 17:09:39 -0700 (PDT)
In-Reply-To: <>
References: <> <> <>
Date: Thu, 03 Nov 2011 17:09:39 -0700
Message-ID: <>
From: André DeMarre <>
To: Torsten Lodderstedt <>
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: quoted-printable
Cc: OAuth WG <>
Subject: Re: [OAUTH-WG] Phishing with Client Application Name Spoofing
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Fri, 04 Nov 2011 00:09:43 -0000

You are right that they are similar, but there is a difference, and
only one of the six countermeasures is relevant to the threat I
seems to be about an attack where the malicious client impersonates a
different (valid) client that is registered with the authorization
server. In other words, the valid client is registered as client_id
123, and the malicious client does not have its own client_id but
tries to pose as client 123. This corresponds to

In the threat I described, there is no valid client. The malicious
client is properly registered with the authorization server and has
its own client_id and client credentials. It can authenticate with the
authorization server without trying to pose as a different client.

As an attacker you might reason, "Why would I try to impersonate a
valid client for which I don't know the client credentials and can't
pass the redirect URI test, when I can just register my own client
with my own redirect URI and be given my own credentials?"

Imagine the attacker wants to impersonate Google with a popular web
service called Foobar. The attacker registers his application with
Foobar's auth server. It does not matter if the real Google has
registered an authentic app with Foobar. The attacker has no reason to
be interested in stealing or guessing client credentials when he can
simply register his own app and call it "Google".

The information the auth server shows to end users when asking them to
grant authorization becomes very important.
Regards,Andre DeMarre
On Wed, Nov 2, 2011 at 2:27 PM, Torsten Lodderstedt
<> wrote:
> Hi Andre,
> how do you think differs the threat you descibed from
> regards,
> Torsten.
> Am 26.10.2011 22:44, schrieb André DeMarre:
>> Should a brief explanation of this be added to the Threat Model and
>> Security Considerations document? Or does anyone even agree that this
>> can be a problem?
>> Regards,
>> Andre DeMarre
>> On Tue, Oct 4, 2011 at 11:32 AM, André DeMarre<>
>>  wrote:
>>> I've not seen this particular variant of phishing and client
>>> impersonation discussed. A cursory search revealed that most of the
>>> related discussion centers around either (a) client impersonation with
>>> stolen client credentials or (b) phishing by malicious clients
>>> directing resource owners to spoofed authorization servers. This is
>>> different.
>>> This attack exploits the trust a resource owner has for an OAuth
>>> authorization server so as to lend repute to a malicious client
>>> pretending to be from a trustworthy source. This is not necessarily a
>>> direct vulnerability of OAuth; rather, it shows that authorization
>>> servers have a responsibility regarding client application names and
>>> how they present resource owners with the option to allow or deny
>>> authorization.
>>> A key to this exploit is the process of client registration with the
>>> authorization server. A malicious client developer registers his
>>> client application with a name that appears to represent a legitimate
>>> organization which resource owners are likely to trust. Resource
>>> owners at the authorization endpoint may be misled into granting
>>> authorization when they see the authorization server asserting "<some
>>> trustworthy name>  is requesting permission to..."
>>> Imagine someone registers a client application with an OAuth service,
>>> let's call it Foobar, and he names his client app "Google, Inc.". The
>>> Foobar authorization server will engage the user with "Google, Inc. is
>>> requesting permission to do the following." The resource owner might
>>> reason, "I see that I'm legitimately on the
>>> site, and Foobar is telling me that Google wants permission. I trust
>>> Foobar and Google, so I'll click Allow."
>>> To make the masquerade act even more convincing, many of the most
>>> popular OAuth services allow app developers to upload images which
>>> could be official logos of the organizations they are posing as. Often
>>> app developers can supply arbitrary, unconfirmed URIs which are shown
>>> to the resource owner as the app's website, even if the domain does
>>> not match the redirect URI. Some OAuth services blindly entrust client
>>> apps to customize the authorization page in other ways.
>>> This is hard to defend against. Authorization server administrators
>>> could police client names, but that approach gives them a burden
>>> similar to certificate authorities to verify organizations before
>>> issuing certificates. Very expensive.
>>> A much simpler solution is for authorization servers to be careful
>>> with their wording and educate resource owners about the need for
>>> discretion when granting authority. Foobar's message above could be
>>> changed: "An application calling itself Google, Inc. is requesting
>>> permission to do the following" later adding, "Only allow this request
>>> if you are sure of the application's source." Such wording is less
>>> likely to give the impression that the resource server is vouching for
>>> the application's identity.
>>> Authorization servers would also do well to show the resource owner
>>> additional information about the client application to help them make
>>> informed decisions. For example, it could display all or part of the
>>> app's redirect URI, saying, "The application is operating on
>>>" or "If you decide to allow this application, your browser
>>> will be directed to" Further, if the client
>>> app's redirect URI uses TLS (something authorization servers might
>>> choose to mandate), then auth servers can verify the certificate and
>>> show the certified organization name to resource owners.
>>> This attack is possible with OAuth 1, but OAuth 2 makes successful
>>> exploitation easier. OAuth 1 required the client to obtain temporary
>>> credentials (aka access tokens) before sending resource owners to the
>>> authorization endpoint. Now with OAuth 2, this attack does not require
>>> resource owners to interact with the client application before
>>> visiting the authorization server. The malicious client developer only
>>> needs to distribute links around the web to the authorization server's
>>> authorization endpoint. If the HTTP service is a social platform, the
>>> client app might distribute links using resource owners' accounts with
>>> the access tokens it has acquired, becoming a sort of worm. Continuing
>>> the Google/Foobar example above, it might use anchor text such as "I
>>> used Google Plus to synchronize with my Foobar account." Moreover, if
>>> the app's redirect URI bounces the resource owner back to the HTTP
>>> service after acquiring an authorization code, the victim will never
>>> see a page rendered at the insidious app's domain.
>>> This is especially dangerous because the public is not trained to
>>> defend against it. Savvy users are (arguably) getting better at
>>> protecting themselves from traditional phishing by verifying the
>>> domain in the address bar, and perhaps checking TLS certificates, but
>>> such defenses are irrelevent here. Resource owners now need to verify
>>> not only that they are on the legitimate authorization server, but to
>>> consider the trustworthyness of the link that referred them there.
>>> I'm not sure what can or should be done, but I think it's important
>>> for authorization server implementers to be aware of this attack. If
>>> administrators are not able to authenticate client organizations, then
>>> they are shifting this burden to resource owners. They should do all
>>> they can to educate resource owners and help them make informed
>>> decisions before granting authorization.
>>> Regards,
>>> Andre DeMarre
>> _______________________________________________
>> OAuth mailing list