Re: [OAUTH-WG] XARA vulnerability Paper and PKCE

Bill Mills <wmills_92105@yahoo.com> Thu, 18 June 2015 14:47 UTC

Date: Thu, 18 Jun 2015 14:47:26 +0000 (UTC)
From: Bill Mills <wmills_92105@yahoo.com>
To: Nat Sakimura <sakimura@gmail.com>, oauth <oauth@ietf.org>
Message-ID: <95102368.1461467.1434638847014.JavaMail.yahoo@mail.yahoo.com>
In-Reply-To: <CABzCy2Dj3O6vqozkhj=cFQ4QUisNQjAa9zQbEccwOrvsXZjRdQ@mail.gmail.com>
References: <CABzCy2Dj3O6vqozkhj=cFQ4QUisNQjAa9zQbEccwOrvsXZjRdQ@mail.gmail.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/oauth/Vd6AbOFp171L0ETkrK1TC7yy3tw>
Subject: Re: [OAUTH-WG] XARA vulnerability Paper and PKCE

PKCE solves a subset of this, but not the general case.  It doesn't solve the FB example in the paper where the FB token is passed between apps locally.
It is a clear win for the OAuth code flow for example though. 


On Thursday, June 18, 2015 7:31 AM, Nat Sakimura <sakimura@gmail.com> wrote:

Hi OAuthers:

The XARA (Cross App Resource Access) paper was gaining interest here in Japan today because of the Register article [1]. I went over the attack description in the full paper [2].

The paper presents four kinds of vulnerabilities:

   - Password Stealing (Keychain)
   - Container Cracking (BundleID check bug on the part of Apple App Store)
   - IPC Interception (a. WebSocket non-authentication, and b. local OAuth redirect)
   - Scheme Hijacking

Of those, 3.b and 4 are relevant to us, and we kind of knew them all the way through.
These are the target attacks that PKCE specifically wants to address, and does address, I believe.

[1] http://www.theregister.co.uk/2015/06/17/apple_hosed_boffins_drop_0day_mac_ios_research_blitzkrieg/
[2] https://sites.google.com/site/xaraflaws/

-- 
Nat Sakimura (=nat)
Chairman, OpenID Foundation
http://nat.sakimura.org/
@_nat_en
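The thread above argues about what PKCE (RFC 7636) does and does not cover in the scheme-hijacking / local-redirect case. The following is an added illustration, not code from either poster or from any real authorization server: a toy S256 PKCE flow in which a second app that has registered the same custom URL scheme receives the authorization code but, lacking the code_verifier, cannot redeem it. The client id `native-app` and redirect URI `myapp://cb` are made up for the example.

```python
import base64
import hashlib
import hmac
import secrets

def b64url(data: bytes) -> str:
    # RFC 7636 uses base64url without padding
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def make_verifier() -> str:
    # 32 random bytes -> 43 unreserved characters, within the 43..128 range RFC 7636 requires
    return b64url(secrets.token_bytes(32))

def make_challenge(verifier: str) -> str:
    # S256 method: code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())

class ToyAuthorizationServer:
    """Constructed stand-in for an AS; it stores the challenge alongside the code."""
    def __init__(self):
        self._codes = {}

    def authorize(self, client_id: str, redirect_uri: str, code_challenge: str) -> str:
        code = secrets.token_urlsafe(24)
        self._codes[code] = (client_id, redirect_uri, code_challenge)
        return code  # delivered to the device via the myapp:// redirect

    def token(self, code: str, client_id: str, redirect_uri: str, code_verifier: str):
        entry = self._codes.pop(code, None)  # codes are single use
        if entry is None:
            return None
        cid, uri, challenge = entry
        if cid != client_id or uri != redirect_uri:
            return None
        # Constant-time comparison of the recomputed challenge with the stored one
        if not hmac.compare_digest(make_challenge(code_verifier), challenge):
            return None
        return {"access_token": secrets.token_urlsafe(16), "token_type": "bearer"}

def run_flow(interceptor: bool):
    """The legitimate app starts the flow. If interceptor=True, an app that hijacked
    the myapp:// scheme redeems the code instead; it saw the code but not the verifier."""
    auth_server = ToyAuthorizationServer()
    verifier = make_verifier()
    code = auth_server.authorize("native-app", "myapp://cb", make_challenge(verifier))
    presented = make_verifier() if interceptor else verifier  # hijacker can only guess
    return auth_server.token(code, "native-app", "myapp://cb", presented)
```

The flow only demonstrates the code-exchange case Nat refers to; it says nothing about the separate case Bill raises, where an already-issued token is handed between apps locally.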