Re: [OAUTH-WG] Authorization Code Leakage feedback (Yaron Goland)

"Lodderstedt, Torsten" <t.lodderstedt@telekom.de> Thu, 18 August 2011 07:21 UTC

Return-Path: <t.lodderstedt@telekom.de>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2BF455E8002 for <oauth@ietfa.amsl.com>; Thu, 18 Aug 2011 00:21:55 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.768
X-Spam-Level:
X-Spam-Status: No, score=-2.768 tagged_above=-999 required=5 tests=[AWL=0.480, BAYES_00=-2.599, HELO_EQ_DE=0.35, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 0fkDlin69Fxt for <oauth@ietfa.amsl.com>; Thu, 18 Aug 2011 00:21:52 -0700 (PDT)
Received: from tcmail33.telekom.de (tcmail33.telekom.de [194.25.30.7]) by ietfa.amsl.com (Postfix) with ESMTP id 88CCD5E8007 for <oauth@ietf.org>; Thu, 18 Aug 2011 00:21:48 -0700 (PDT)
Received: from g8pxb.blf01.telekom.de ([164.25.63.141]) by tcmail31.telekom.de with ESMTP; 18 Aug 2011 09:22:37 +0200
Received: from QEO40065.de.t-online.corp (QEO40065.de.t-online.corp [10.224.209.65]) by g8pxd.blf01.telekom.de with ESMTP; Thu, 18 Aug 2011 09:22:37 +0200
Received: from QEO40072.de.t-online.corp ([169.254.1.155]) by QEO40065.de.t-online.corp ([10.224.209.65]) with mapi; Thu, 18 Aug 2011 09:22:37 +0200
From: "Lodderstedt, Torsten" <t.lodderstedt@telekom.de>
To: Eran Hammer-Lahav <eran@hueniverse.com>, OAuth WG <oauth@ietf.org>
Date: Thu, 18 Aug 2011 09:22:36 +0200
Thread-Topic: Authorization Code Leakage feedback (Yaron Goland)
Thread-Index: AcxcoxKThYc7pGPAToaDsdhSj5islAAI/wTAAClx6dAAAkWyAAAALYyAAAAgG0A=
Message-Id: <63366D5A116E514AA4A9872D3C533539570852FDA3@QEO40072.de.t-online.corp>
References: <90C41DD21FB7C64BB94121FBBC2E72345028F2D75C@P3PW5EX1MB01.EX1.SECURESERVER.NET> <63366D5A116E514AA4A9872D3C53353956FE1275A3@QEO40072.de.t-online.corp> <90C41DD21FB7C64BB94121FBBC2E72345029DFA962@P3PW5EX1MB01.EX1.SECURESERVER.NET> <63366D5A116E514AA4A9872D3C533539570852FD8B@QEO40072.de.t-online.corp> <90C41DD21FB7C64BB94121FBBC2E72345029DFA965@P3PW5EX1MB01.EX1.SECURESERVER.NET>
In-Reply-To: <90C41DD21FB7C64BB94121FBBC2E72345029DFA965@P3PW5EX1MB01.EX1.SECURESERVER.NET>
Accept-Language: de-DE
Content-Language: de-DE
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
acceptlanguage: de-DE
Content-Type: multipart/alternative; boundary="_000_63366D5A116E514AA4A9872D3C533539570852FDA3QEO40072deton_"
MIME-Version: 1.0
Subject: Re: [OAUTH-WG] Authorization Code Leakage feedback (Yaron Goland)
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 18 Aug 2011 07:21:55 -0000

In my opinion, the counterfeit redirection endpoint is another client - the counterfeit client. The attacker must trick the victim into accessing this client and approving the authorization request. So I would assume the attacker would try to let his endpoint look like the real client.

Von: Eran Hammer-Lahav [mailto:eran@hueniverse.com]
Gesendet: Donnerstag, 18. August 2011 09:17
An: Lodderstedt, Torsten; OAuth WG
Betreff: RE: Authorization Code Leakage feedback (Yaron Goland)

But it's not really a counterfeit client but a real client with modified redirection uri. It is a counterfeit redirection endpoint. *I* understand exactly what you mean, but I fear new readers will get completely confused by the title.

EHL

From: Lodderstedt, Torsten [mailto:t.lodderstedt@telekom.de]
Sent: Thursday, August 18, 2011 12:12 AM
To: Eran Hammer-Lahav; OAuth WG
Subject: AW: Authorization Code Leakage feedback (Yaron Goland)

The security document designates it as "Authorization code leakage through counterfeit client"

http://tools.ietf.org/html/draft-ietf-oauth-v2-threatmodel-00#section-4.4.1.7


Von: Eran Hammer-Lahav [mailto:eran@hueniverse.com]<mailto:[mailto:eran@hueniverse.com]>
Gesendet: Donnerstag, 18. August 2011 08:06
An: Lodderstedt, Torsten; OAuth WG
Betreff: RE: Authorization Code Leakage feedback (Yaron Goland)

I think using phishing here is misleading. This is not a classic phishing attack. I'm open to other suggestions.

EHL

From: Lodderstedt, Torsten [mailto:t.lodderstedt@telekom.de]<mailto:[mailto:t.lodderstedt@telekom.de]>
Sent: Wednesday, August 17, 2011 3:22 AM
To: Eran Hammer-Lahav; OAuth WG
Subject: AW: Authorization Code Leakage feedback (Yaron Goland)

Text sounds very good.

wrt title: this threat is about phishing another user's authorization code. Because of the design of the protocol this requires the attacker to use another redirect URI than used by the legitimate client. To make this the title sound bit weird to me. Why not "authorization code phishing"?

regards,
Torsten.

Von: Eran Hammer-Lahav [mailto:eran@hueniverse.com]<mailto:[mailto:eran@hueniverse.com]>
Gesendet: Mittwoch, 17. August 2011 08:39
An: OAuth WG
Betreff: [OAUTH-WG] Authorization Code Leakage feedback (Yaron Goland)


> 10.6. Authorization Code Leakage: Comment "I fancy myself as being

> reasonably intelligent and I'm unclear what attack is actually being described

> here."



Yeah... I had to go back to -16 to be reminded of the section original title 'session fixation attack' to figure out what this was about.



How about this:



10.6.  Authorization Code Redirection URI Manipulation



   When requesting authorization using the authorization code grant

   type, the client can specify a redirection URI via the "redirect_uri"

   parameter.  If an attacker can manipulate the value of the

   redirection URI, it can cause the authorization server to redirect

   the resource owner user-agent to a URI under the control of the

   attacker with the authorization code.



   An attacker can create an account at a legitimate client and initiate

   the authorization flow.  When the attacker is sent to the

   authorization server to grant access, the attacker grabs the

   authorization URI provided by the legitimate client, and replaces the

   client's redirection URI with a URI under the control of the

   attacker.  The attacker then tricks the victim into following the

   manipulated link to authorize access to the legitimate client.



   Once at the authorization server, the victim is prompted with a

   normal, valid request on behalf of a legitimate and familiar client,

   and authorizes the request.  The victim is then redirected to an

   endpoint under the control of the attacker with the authorization

   code.  The attacker completes the authorization flow by sending

   the authorization code to the client using the original redirection

   URI provided by the client.  The client exchanges the authorization

   code with an access token and links it to the attacker's client

  account which can now gain access to the protected resources

   authorized by the victim (via the client).



   In order to prevent such an attack, the authorization server MUST

   ensure that the redirection URI used to obtain the authorization

   code, is the same as the redirection URI provided when exchanging the

   authorization code for an access token.  The authorization server

   SHOULD require the client to register their redirection URI and if

   provided, MUST validate the redirection URI received in the

   authorization request against the registered value.



EHL