IETF Logo Mail Archive

Re: [OAUTH-WG] Report an authentication issue

Justin Richer <jricher@mitre.org> Fri, 29 June 2012 17:24 UTC

Return-Path: <jricher@mitre.org>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0011821F860E for <oauth@ietfa.amsl.com>; Fri, 29 Jun 2012 10:24:30 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.524
X-Spam-Level:
X-Spam-Status: No, score=-6.524 tagged_above=-999 required=5 tests=[AWL=0.075, BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id qhkCP5-x80Tc for <oauth@ietfa.amsl.com>; Fri, 29 Jun 2012 10:24:30 -0700 (PDT)
Received: from smtpksrv1.mitre.org (smtpksrv1.mitre.org [198.49.146.77]) by ietfa.amsl.com (Postfix) with ESMTP id 40F4221F864B for <oauth@ietf.org>; Fri, 29 Jun 2012 10:24:30 -0700 (PDT)
Received: from smtpksrv1.mitre.org (localhost.localdomain [127.0.0.1]) by localhost (Postfix) with SMTP id 60BFA21B13BC; Fri, 29 Jun 2012 13:24:29 -0400 (EDT)
Received: from IMCCAS03.MITRE.ORG (imccas03.mitre.org [129.83.29.80]) by smtpksrv1.mitre.org (Postfix) with ESMTP id 4F3A121B08F0; Fri, 29 Jun 2012 13:24:29 -0400 (EDT)
Received: from [129.83.50.26] (129.83.31.51) by IMCCAS03.MITRE.ORG (129.83.29.80) with Microsoft SMTP Server (TLS) id 14.2.283.3; Fri, 29 Jun 2012 13:24:28 -0400
Message-ID: <4FEDE4AF.9030107@mitre.org>
Date: Fri, 29 Jun 2012 13:23:59 -0400
From: Justin Richer <jricher@mitre.org>
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:13.0) Gecko/20120615 Thunderbird/13.0.1
MIME-Version: 1.0
To: Antonio Sanso <asanso@adobe.com>
References: <CAEEmcpEcNqNHwfVozD-NtfkruiB-v0MTszwNL4cob2rL=QQTSA@mail.gmail.com> <4FE223E4.6060307@mitre.org> <4FE226BC.6010403@alcatel-lucent.com> <59E470B10C4630419ED717AC79FCF9A910889AB5@BL2PRD0410MB363.namprd04.prod.outlook.com> <CABzCy2CLe_DVcxiD1EasuhtG1_6+6tCtV5TckZ80fvqyjan_bA@mail.gmail.com> <59E470B10C4630419ED717AC79FCF9A917052BC8@SN2PRD0410MB370.namprd04.prod.outlook.com> <4FE37D38.1030407@gmail.com> <CABzCy2A_zJ3vaauoo6VwsmLWsTesdTujuQ4dHdVpc5Nh==iEFg@mail.gmail.com> <59E470B10C4630419ED717AC79FCF9A91A2C8949@CH1PRD0410MB369.namprd04.prod.outlook.com> <CABzCy2DzmNgmMALNfc1qp95fwD2WULb-49Dk yLiZnjXngAmaPg@mail.gmail.com> <59E470B10C4630419ED717AC79FCF9A91A2D1309@CH1PRD0410MB369.namprd04.prod.outlook.com> <496AFB1D-A609-4188-B92D-2185E8880388@ve7jtb.com> <59E470B10C4630419ED717AC79FCF9A91A2D13C9@CH1PRD0410MB369.namprd04.prod.outlook.com> <67F8B633-E4C8-42F6-B84C-FDBC337B7EEA@ve7jtb.com> <04C05FAA-63BC-4441-8540-36280E40DB98@adobe.com>
In-Reply-To: <04C05FAA-63BC-4441-8540-36280E40DB98@adobe.com>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
X-Originating-IP: [129.83.31.51]
Cc: "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Report an authentication issue
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 29 Jun 2012 17:24:31 -0000

It's all about how you can swipe a token and inject it into another 
application. It's easier to trap and inject a token in the implicit flow 
because it's exposed to the user agent and there's no client secret tied 
to the token's issuance. To get the same trick to work with the code 
flow on server-based confidential clients, you'd need to inject your 
rogue token into the client's configuration or state. With the implicit 
flow and on devices, it's a bit easier just because the parts of the 
system that need access to the token are more accessible.

  -- Justin

On 06/29/2012 12:53 PM, Antonio Sanso wrote:
> Hi John
>
> On Jun 29, 2012, at 1:43 AM, John Bradley wrote:
>
>> Authenticating to the client is NOT safe with all of the flows
> you are perfectly right here. At the begin of this discussion and reading your blog post I was under the impression that this "attack" was tight to the use of the implicit grant flaw.
> But this is not actually the case as I could reproduce the same scenario against a client using the Authorization Code flaw.
>
> Regards
>
> Antonio
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth

v2.30.2 | Report a Bug | By Email | System Status