Re: [OAUTH-WG] [EXTERNAL] Re: OAuth Redirection Attacks

George Fletcher <gffletch@aol.com> Sat, 18 December 2021 15:10 UTC

To: David Waite <david=40alkaline-solutions.com@dmarc.ietf.org>, Brian Campbell <bcampbell=40pingidentity.com@dmarc.ietf.org>
Cc: oauth <oauth@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/f6S-cyo6a2MWQ6iU25rOqY0kjrI>

Given the attack is based on a successfully registered callback URL that 
is malicious, we can also look to the Authorization Server to run more 
checks on the registered callback URLs (e.g. check against the "unsafe" 
URL list). Not a 100% solution by any means but could help reduce 
the impact. Additionally, making sure the AS can easily revoke any 
client_id and have that take effect quickly.

Another potential option would be to not allow prompt=none (or automatic 
redirects) from contexts where the user hasn't first gone through a full 
authentication flow or at least allow the AS to display UI at its 
discretion. Though this will definitely break some flows :(

This at least illuminates one of the dangers of allowing a wide open 
dynamic client registration model :)

Thanks,
George

On 12/18/21 1:11 AM, David Waite wrote:
>
>> On Dec 17, 2021, at 2:44 PM, Brian Campbell <bcampbell=40pingidentity.com@dmarc.ietf.org> wrote:
>>
>> Relax how aggressively OAuth demands that the AS automatically redirect in error conditions. And either respond with a 400 directly (which just stops things at that point) or provide a meaningful interstitial page to the user before redirecting them (which at least helps users see something is amiss). I do think OAuth is a bit overzealous in automatically returning the user's browser context to the client in error conditions. There are some situations (like prompt=none) that rely on the behavior but in most cases it isn't necessary or helpful and can be problematic.
> The problem is that if prompt=none still requires redirection without prompt or interstitial, someone wishing to treat dynamic registrations of malicious sites as clients will just start using prompt=none. Likewise, a site could still attempt to manipulate the user to release information by imitating an extension to the authentication process, such as an "expired password change" prompt.
>
> I agree with Nov Matake's comment - phishing link email filters should treat all OAuth URLs as suspect, as OAuth has several security-recommended features like state and PKCE which do not work as expected/reliably with email. Filters integrated into the browser (such as based on the unsafe site list in Chrome) should not need changes, as they will warn on redirect to the known malicious site.
>
> We should also continue to push as an industry for authentication technologies like WebAuthn (as well as mutual TLS and Kerberos) which are phishing resistant. We are really talking about failure of a single phishing mitigation for _known_ malicious sites - the opportunity to use any unknown malicious site or a compromised legitimate site remains open even if we do suggest changes to error behavior.
>
> -DW
>
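An added example, not part of any message in this thread, sketching the AS-side checks discussed above: validating redirect URIs offered at dynamic client registration (including a lookup against an "unsafe" host list), and answering with a direct 400 or an interstitial instead of an automatic redirect when the client is unknown or revoked, the redirect_uri does not exactly match, or prompt=none arrives without a prior full authentication. The client registry, the unsafe-host list and all function names are constructed for illustration.

```python
from urllib.parse import urlparse

# Constructed sample registry: client_id -> registered redirect URIs and revocation flag.
CLIENTS = {
    "good-client": {"redirect_uris": ["https://app.example/cb"], "revoked": False},
    "revoked-client": {"redirect_uris": ["https://old.example/cb"], "revoked": True},
}
# Constructed stand-in for the "unsafe URL" list an AS would consult at registration time.
UNSAFE_HOSTS = {"login-verify.example"}


def validate_redirect_uri_for_registration(uri, unsafe_hosts=UNSAFE_HOSTS):
    """Checks an AS can run on a redirect URI offered at dynamic client registration.
    Returns None if the URI is acceptable, otherwise a short rejection reason."""
    p = urlparse(uri)
    if p.scheme != "https":
        return "scheme must be https"
    if not p.hostname or p.username or p.password:
        return "host required; userinfo not allowed"
    if p.fragment:
        return "fragment not allowed"          # RFC 6749 3.1.2: no fragment component
    if "*" in uri:
        return "wildcards not allowed"         # only exact URIs are registered
    if p.hostname in unsafe_hosts:
        return "host is on the unsafe list"
    return None


def decide_authorization_error(client_id, redirect_uri, prompt, fully_authenticated):
    """Decide how the AS responds to an authorization request it cannot simply honor.
    'direct_400'   - answer the browser directly, never redirecting anywhere
    'interstitial' - show an AS page to the user before any redirect
    'redirect'     - the normal OAuth error redirect back to the client"""
    client = CLIENTS.get(client_id)
    if client is None or client["revoked"]:
        return "direct_400"    # unknown or revoked client: do not bounce the user anywhere
    if redirect_uri not in client["redirect_uris"]:
        return "direct_400"    # RFC 6749 3.1.2.4: never redirect to a mismatched URI
    if prompt == "none" and not fully_authenticated:
        return "interstitial"  # no prior full authentication: no silent auto-redirect
    return "redirect"
```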