Re: [OAUTH-WG] Authorization Code Leakage feedback (Yaron Goland)
Eran Hammer-Lahav <eran@hueniverse.com> Thu, 18 August 2011 06:06 UTC
From: Eran Hammer-Lahav <eran@hueniverse.com>
To: "Lodderstedt, Torsten" <t.lodderstedt@telekom.de>, OAuth WG <oauth@ietf.org>
Date: Wed, 17 Aug 2011 23:06:11 -0700
Message-ID: <90C41DD21FB7C64BB94121FBBC2E72345029DFA962@P3PW5EX1MB01.EX1.SECURESERVER.NET>
References: <90C41DD21FB7C64BB94121FBBC2E72345028F2D75C@P3PW5EX1MB01.EX1.SECURESERVER.NET> <63366D5A116E514AA4A9872D3C53353956FE1275A3@QEO40072.de.t-online.corp>
In-Reply-To: <63366D5A116E514AA4A9872D3C53353956FE1275A3@QEO40072.de.t-online.corp>
Subject: Re: [OAUTH-WG] Authorization Code Leakage feedback (Yaron Goland)
I think using phishing here is misleading. This is not a classic phishing attack. I'm open to other suggestions.

EHL

From: Lodderstedt, Torsten [mailto:t.lodderstedt@telekom.de]
Sent: Wednesday, August 17, 2011 3:22 AM
To: Eran Hammer-Lahav; OAuth WG
Subject: Re: Authorization Code Leakage feedback (Yaron Goland)

Text sounds very good.

wrt title: this threat is about phishing another user's authorization code. Because of the design of the protocol this requires the attacker to use another redirect URI than the one used by the legitimate client. Because of this, the title sounds a bit weird to me. Why not "authorization code phishing"?

regards,
Torsten.

From: Eran Hammer-Lahav [mailto:eran@hueniverse.com]
Sent: Wednesday, 17 August 2011 08:39
To: OAuth WG
Subject: [OAUTH-WG] Authorization Code Leakage feedback (Yaron Goland)

> 10.6. Authorization Code Leakage: Comment "I fancy myself as being
> reasonably intelligent and I'm unclear what attack is actually being described
> here."

Yeah... I had to go back to -16 to be reminded of the section's original title 'session fixation attack' to figure out what this was about.

How about this:

10.6. Authorization Code Redirection URI Manipulation

When requesting authorization using the authorization code grant type, the client can specify a redirection URI via the "redirect_uri" parameter. If an attacker can manipulate the value of the redirection URI, it can cause the authorization server to redirect the resource owner user-agent to a URI under the control of the attacker with the authorization code.

An attacker can create an account at a legitimate client and initiate the authorization flow. When the attacker is sent to the authorization server to grant access, the attacker grabs the authorization URI provided by the legitimate client, and replaces the client's redirection URI with a URI under the control of the attacker. The attacker then tricks the victim into following the manipulated link to authorize access to the legitimate client.

Once at the authorization server, the victim is prompted with a normal, valid request on behalf of a legitimate and familiar client, and authorizes the request. The victim is then redirected to an endpoint under the control of the attacker with the authorization code. The attacker completes the authorization flow by sending the authorization code to the client using the original redirection URI provided by the client. The client exchanges the authorization code for an access token and links it to the attacker's client account, which can now gain access to the protected resources authorized by the victim (via the client).

In order to prevent such an attack, the authorization server MUST ensure that the redirection URI used to obtain the authorization code is the same as the redirection URI provided when exchanging the authorization code for an access token. The authorization server SHOULD require the client to register their redirection URI and, if provided, MUST validate the redirection URI received in the authorization request against the registered value.

EHL
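The attack walked through in the proposed section 10.6, and the two checks it prescribes, as an added example that is not part of the thread and is not code from any OAuth implementation. It is a toy authorization server in Python; the client name, the two URIs, the secret and the "attacker-session" label are made up for the scenario, and the two mitigations can be switched off so the same attack can be replayed against a server with no checks, with only the code-to-redirect_uri binding, and with both checks.

```python
# Added example, not code from the thread or from any OAuth implementation: a toy
# authorization server that walks the attack in the proposed section 10.6 and shows
# the two checks it prescribes. Client names and URIs below are made up.
import secrets
from dataclasses import dataclass
from urllib.parse import parse_qs, urlencode, urlparse

@dataclass(frozen=True)
class Client:
    client_id: str
    client_secret: str
    registered_redirect_uris: frozenset

@dataclass
class IssuedCode:
    client_id: str
    redirect_uri: str   # the redirect_uri the code was delivered to
    resource_owner: str
    used: bool = False

class AuthorizationServer:
    """Authorization code grant; the two section-10.6 checks can be switched off for the demo."""

    def __init__(self, clients, validate_registered_uri=True, bind_code_to_redirect_uri=True):
        self.clients = {c.client_id: c for c in clients}
        self.validate_registered_uri = validate_registered_uri
        self.bind_code_to_redirect_uri = bind_code_to_redirect_uri
        self.codes = {}    # code -> IssuedCode
        self.tokens = {}   # access token -> resource owner it was issued for

    def authorize(self, client_id, redirect_uri, resource_owner):
        """The resource owner approved the request; return where the user agent is sent."""
        client = self.clients[client_id]
        # SHOULD require registration and MUST validate against it: exact string match only.
        if self.validate_registered_uri and redirect_uri not in client.registered_redirect_uris:
            raise PermissionError("redirect_uri does not match a registered value")
        code = secrets.token_urlsafe(32)
        self.codes[code] = IssuedCode(client_id, redirect_uri, resource_owner)
        return f"{redirect_uri}?{urlencode({'code': code})}"

    def token(self, client_id, client_secret, code, redirect_uri):
        """Exchange an authorization code for an access token."""
        client = self.clients[client_id]
        if not secrets.compare_digest(client.client_secret, client_secret):
            raise PermissionError("bad client credentials")
        issued = self.codes.get(code)
        if issued is None or issued.used or issued.client_id != client_id:
            raise PermissionError("invalid code")
        # MUST: the redirect_uri presented here equals the one the code was obtained with.
        if self.bind_code_to_redirect_uri and issued.redirect_uri != redirect_uri:
            raise PermissionError("redirect_uri mismatch")
        issued.used = True
        access_token = secrets.token_urlsafe(32)
        self.tokens[access_token] = issued.resource_owner
        return access_token

# Constructed identifiers for the scenario.
CLIENT_REDIRECT = "https://client.example/callback"
ATTACKER_REDIRECT = "https://attacker.example/collect"
CLIENT = Client("legit-client", "client-secret", frozenset({CLIENT_REDIRECT}))

class LegitimateClient:
    """The familiar client at which the attacker holds an account (a session here)."""

    def __init__(self, server):
        self.server = server
        self.linked = {}   # session -> access token obtained for that account

    def callback(self, session, code):
        # The client always presents its own redirection URI at the token endpoint.
        token = self.server.token(CLIENT.client_id, CLIENT.client_secret, code, CLIENT_REDIRECT)
        self.linked[session] = token

def run_attack(server):
    """Replay the section-10.6 attack; return the resource owner whose access got linked
    to the attacker's account at the client, or None if the server stopped the attack."""
    client = LegitimateClient(server)
    # Attacker started the flow at the client and swapped redirect_uri in the authorization
    # URI for ATTACKER_REDIRECT; the victim follows the link and approves a normal-looking request.
    try:
        landing = server.authorize(CLIENT.client_id, ATTACKER_REDIRECT, "victim")
    except PermissionError:
        return None
    assert landing.startswith(ATTACKER_REDIRECT)   # victim's user agent lands at the attacker
    code = parse_qs(urlparse(landing).query)["code"][0]
    try:   # attacker feeds the code into the client's real callback within the attacker's session
        client.callback("attacker-session", code)
    except PermissionError:
        return None
    return server.tokens[client.linked["attacker-session"]]

def demo():
    vulnerable = AuthorizationServer([CLIENT], validate_registered_uri=False,
                                     bind_code_to_redirect_uri=False)
    bind_only = AuthorizationServer([CLIENT], validate_registered_uri=False)
    strict = AuthorizationServer([CLIENT])
    return run_attack(vulnerable), run_attack(bind_only), run_attack(strict)

if __name__ == "__main__":
    print(demo())   # ('victim', None, None)
```

With neither check the attacker's account at the client ends up holding a token for the victim's resources. Binding the code to the redirect_uri it was issued to stops the attack at the token endpoint, because the client presents its own redirection URI there and it no longer matches the attacker's. Validating the request against the registered value stops it one step earlier, at the authorization endpoint, before any code is issued. The comparison in both checks is an exact string match; anything looser gives the attacker room to craft a URI that passes.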