Re: [OAUTH-WG] XARA vulnerability Paper and PKCE
Bill Mills <wmills_92105@yahoo.com> Thu, 18 June 2015 14:47 UTC
Date: Thu, 18 Jun 2015 14:47:26 +0000 (UTC)
From: Bill Mills <wmills_92105@yahoo.com>
To: Nat Sakimura <sakimura@gmail.com>, oauth <oauth@ietf.org>
Message-ID: <95102368.1461467.1434638847014.JavaMail.yahoo@mail.yahoo.com>
In-Reply-To: <CABzCy2Dj3O6vqozkhj=cFQ4QUisNQjAa9zQbEccwOrvsXZjRdQ@mail.gmail.com>
References: <CABzCy2Dj3O6vqozkhj=cFQ4QUisNQjAa9zQbEccwOrvsXZjRdQ@mail.gmail.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/oauth/Vd6AbOFp171L0ETkrK1TC7yy3tw>
PKCE solves a subset of this, but not the general case. It doesn't solve the FB example in the paper where the FB token is passed between apps locally. It is a clear win for the OAuth code flow, for example, though.

On Thursday, June 18, 2015 7:31 AM, Nat Sakimura <sakimura@gmail.com> wrote:

Hi OAuthers:

The XARA (Cross App Resource Access) paper was gaining interest here in Japan today because of the Register article [1]. I went over the attack description in the full paper [2].

The paper presents four kinds of vulnerabilities:

- Password Stealing (Keychain)
- Container Cracking (BundleID check bug on the part of Apple App Store)
- IPC Interception (a. WebSocket non-authentication, and b. local OAuth redirect)
- Scheme Hijacking

Of those, 3.b and 4 are relevant to us, and we kind of knew them all the way through. These are the target attacks that PKCE specifically wants to address, and does address, I believe.

[1] http://www.theregister.co.uk/2015/06/17/apple_hosed_boffins_drop_0day_mac_ios_research_blitzkrieg/
[2] https://sites.google.com/site/xaraflaws/

--
Nat Sakimura (=nat)
Chairman, OpenID Foundation
http://nat.sakimura.org/
@_nat_en