Re: [OAUTH-WG] Auth Code Swap Attack

John Kemp <> Sun, 14 August 2011 13:05 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 91FB221F8922 for <>; Sun, 14 Aug 2011 06:05:40 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -0.161
X-Spam-Status: No, score=-0.161 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, FH_RELAY_NODNS=1.451, HELO_MISMATCH_COM=0.553, IP_NOT_FRIENDLY=0.334, RDNS_NONE=0.1]
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id 7VjphMogZAf7 for <>; Sun, 14 Aug 2011 06:05:39 -0700 (PDT)
Received: from ( [IPv6:2605:dc00:100:2::a5]) by (Postfix) with SMTP id B49B421F8593 for <>; Sun, 14 Aug 2011 06:05:39 -0700 (PDT)
Received: (qmail 22215 invoked by uid 0); 14 Aug 2011 13:06:21 -0000
Received: from unknown (HELO ( by with SMTP; 14 Aug 2011 13:06:21 -0000
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed;; s=default; h=To:References:Message-Id:Content-Transfer-Encoding:Cc:Date:In-Reply-To:From:Content-Type:Mime-Version:Subject; bh=V5tp7cDasN8W5wDHt0s4APp0nHtstmX4DdVctdqmuAo=; b=CfnUH6dWxAwtLPOMVkb5KOmH16ey+gANGT0U4rfvEtqub9Oj4EGLku1dO6L6LVOprr6C9MVHW1HuG+EkKxXF8m1A0NsJ1aELGu/WIaEo2nVO2ldhP7yXhe2M718zKKsE;
Received: from ([] helo=[]) by with esmtpsa (TLSv1:AES128-SHA:128) (Exim 4.76) (envelope-from <>) id 1QsaOS-0002Wc-Md; Sun, 14 Aug 2011 07:06:21 -0600
Mime-Version: 1.0 (Apple Message framework v1244.3)
Content-Type: text/plain; charset="windows-1252"
From: John Kemp <>
In-Reply-To: <>
Date: Sun, 14 Aug 2011 09:06:17 -0400
Content-Transfer-Encoding: quoted-printable
Message-Id: <>
References: <>
To: Anthony Nadalin <>
X-Mailer: Apple Mail (2.1244.3)
X-Identified-User: {} {sentby:smtp auth authed with}
Cc: "OAuth WG (" <>
Subject: Re: [OAUTH-WG] Auth Code Swap Attack
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Sun, 14 Aug 2011 13:05:40 -0000

Hi Tony (et al),

On Aug 12, 2011, at 3:06 PM, Anthony Nadalin wrote:


> 2.            Gene opens the spam mail and clicks on the link.
> 3.            The server running Basil's website initiates an authorization request to Live. The request uses Plaxo's redirection URI.

And why does Live believe that this is a valid authorization request? Has Basil forged a request to Live as if it came from Plaxo (Basil has at least the client_id for Plaxo's client)? Shouldn't Live protect its authorization endpoint by requiring some authentication of the requester?

> The code running on Basil's server uses Basil's Live credentials to login to Live and to grant the authorization request. Live responds with a redirect containing an authorization code. Basil's server swallows the redirect and creates a web page containing the authorization code and sends the web page down to Gene's browser. [Note: Normally the actions in step 3 would be performed by a human at a browser but in the attack Basil has automated the process so his attack server can do everything automatically.]
> 4.            The web page, from 'Silly Fun Times', running on Gene's browser now completes the redirect sending Gene, using the authorization code that Live issues in response to Basil's request, to Plaxo.
> 5.            Gene is already logged into Plaxo so he isn't even asked anything before Plaxo accepts the redirect with the authorization code.
> 6.            Plaxo's server then uses the authorization code to get an access token and refresh token.
> 7.            Plaxo uses the access token to synchronize the address book on Basil's Live account with Gene's Plaxo server.

Although Plaxo never had a request initiated from anyone (Gene, or Basil) to sync Gene's contacts with Live? And shouldn't Plaxo ask Gene for explicit authorization before syncing his contacts to Live, regardless of whether he is already authenticated? 


- John

> The outcome of step 7 is two separate attacks. One attack is that Plaxo will now push all of Gene's address book information into Basil's Live account. So Basil has now successfully stolen all of Gene's address book data. The other attack is that if Plaxo is doing bi-directional synch then Basil could put false contacts (perhaps with bad URLs to launch various types of attacks) and related information into Gene's central address book at Plaxo.
> Variations:
> 1a. Basil could buy ads on search services like Bing and Google and use those as a way to lure people to the 'Silly Fun Times' website.
> 5a. Gene might not be logged into Plaxo but if 'Silly Fun Times' sets things up right it could fool Gene into thinking he is supposed to see Plaxo and so will handle the login.
> There is an obvious variation of this attack for auth tokens rather than auth codes.
> Pretty picture
> The numbers in the picture are keyed to the steps in the use case above.
> <image001.png>
> Recommended Changes to draft-ietf-oauth-v2
> In section 4, request options (e.g. 4.1.1) featuring "state" should change from:
> state
> OPTIONAL. An opaque value used by the client to maintain state between the request and callback. The authorization server includes this value when redirecting the user-agent back to the client.
> to:
> state
> REQUIRED. An opaque value used by the client to maintain state between the request and callback. The authorization server includes this value when redirecting the user-agent back to the client. The encoded value SHOULD enable the client application to determine the user-context that was active at the time of the  request (see section 10.12). The value MUST NOT be guessable or predictable, and MUST be kept confidential.
> Section 10.12 Cross-Site Request Forgery
> Change to:
> Cross-site request forgery (CSRF) is a web-based attack whereby HTTP requests are transmitted from the user-agent of an end-user the server trusts or has authenticated. CSRF attacks enable the attacker to intermix the attacker's security context with that of the resource owner resulting in a compromise of either the resource server or of the client application itself. In the OAuth context, such attacks allow an attacker to inject their own authorization code or access token into a client, which can result in the client using an access token associated with the attacker's account rather than the victim's. Depending on the nature of the client and the protected resources, this can have undesirable and damaging effects.
> In order to prevent such attacks, the client application MUST encode a non-guessable, confidential end-user artifact and submit as the "state" parameter to authorization and access token requests to the authorization server. The client MUST keep the state value in a location accessible only by the client or the user-agent (i.e., protected by same-origin policy), for example, using a DOM variable, HTTP cookie, or HTML5 client-side storage.
> The authorization server includes the value of the "state" parameter when redirecting the user-agent back to the client. Upon receiving a redirect, the client application MUST confirm that returned value of "state" corresponds to the state value of the user-agent's user session. If the end-user session represents an authenticated user-identity, the client MUST ensure that the user-identity has NOT changed.
> Yaron, Torsten, Phil and Tony
> _______________________________________________
> OAuth mailing list