Re: [OAUTH-WG] Report an authentication issue
Justin Richer <jricher@mitre.org> Wed, 20 June 2012 20:00 UTC
Return-Path: <jricher@mitre.org>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B998C21F864D for <oauth@ietfa.amsl.com>; Wed, 20 Jun 2012 13:00:12 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.512
X-Spam-Level:
X-Spam-Status: No, score=-6.512 tagged_above=-999 required=5 tests=[AWL=0.086, BAYES_00=-2.599, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 0I7c2Tsjj03u for <oauth@ietfa.amsl.com>; Wed, 20 Jun 2012 13:00:06 -0700 (PDT)
Received: from smtpksrv1.mitre.org (smtpksrv1.mitre.org [198.49.146.77]) by ietfa.amsl.com (Postfix) with ESMTP id 9296A21F8667 for <oauth@ietf.org>; Wed, 20 Jun 2012 13:00:05 -0700 (PDT)
Received: from smtpksrv1.mitre.org (localhost.localdomain [127.0.0.1]) by localhost (Postfix) with SMTP id 1E3DF21B08E2; Wed, 20 Jun 2012 16:00:05 -0400 (EDT)
Received: from IMCCAS02.MITRE.ORG (imccas02.mitre.org [129.83.29.79]) by smtpksrv1.mitre.org (Postfix) with ESMTP id C465921B09BF; Wed, 20 Jun 2012 16:00:04 -0400 (EDT)
Received: from [129.83.50.26] (129.83.31.51) by IMCCAS02.MITRE.ORG (129.83.29.79) with Microsoft SMTP Server (TLS) id 14.2.283.3; Wed, 20 Jun 2012 16:00:04 -0400
Message-ID: <4FE22BB1.1070304@mitre.org>
Date: Wed, 20 Jun 2012 15:59:45 -0400
From: Justin Richer <jricher@mitre.org>
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:12.0) Gecko/20120430 Thunderbird/12.0.1
MIME-Version: 1.0
To: igor.faynberg@alcatel-lucent.com
References: <CAEEmcpEcNqNHwfVozD-NtfkruiB-v0MTszwNL4cob2rL=QQTSA@mail.gmail.com> <CABzCy2BZLff7EZoWaU+vmCWCgXUSSxn3x-evm-FwzKdnx7QeMA@mail.gmail.com> <1339792496.52712.YahooMailNeo@web125501.mail.ne1.yahoo.com> <CABzCy2APCsGU9N00K4XYoa4Scxno51b_E=8MKD9MzZk6zxtc1Q@mail.gmail.com> <BDF3CDE9-B411-4366-9C5F-C3EA17938C21@matake.jp> <C05B5190-B0B7-42AD-A6DB-FABF190D2674@gmail.com> <59E470B10C4630419ED717AC79FCF9A9108898EE@BL2PRD0410MB363.namprd04.prod.outlook.com> <4FE223E4.6060307@mitre.org> <4FE226BC.6010403@alcatel-lucent.com>
In-Reply-To: <4FE226BC.6010403@alcatel-lucent.com>
Content-Type: multipart/alternative; boundary="------------000608050906000809020506"
X-Originating-IP: [129.83.31.51]
Cc: oauth@ietf.org
Subject: Re: [OAUTH-WG] Report an authentication issue
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 20 Jun 2012 20:00:13 -0000
That's a red herring -- the use case is that whatever the police officer is using needs to be authorized to access the video service, not that the police officer needs to "log in" necessarily. Adam has pointed out in another thread that the services that users use to log in are in a different security domain from the video servers, too -- so it's classic federated authorization, using a native client. -- Justin On 06/20/2012 03:38 PM, Igor Faynberg wrote: > But this use case does need OAuth, period: > > The video server is under the control of a police agency, and police > officers must logon to the video server in order to access video content. > > There is no delegation here, and there is no need to use third party > for authentication. > > Igor > > On 6/20/2012 3:26 PM, Justin Richer wrote: >> In case it wasn't clear, I want to restate the original problem as >> best as I understand it in a way that hopefully clears it up: >> >> App A and app B are both valid registered OAuth clients to an OAuth >> protected service. >> >> The problem starts when app A gets handed a token that was issued for >> app B and uses it to call an identity API on the OAuth service. Since >> app B can get tokens just fine, they're bearer tokens, this is a >> fairly basic api call, this function works just fine and returns the >> user info. This makes sense, since anyone who holds A's tokens can do >> whatever A can do on behalf of that user. The issues start when app B >> then decides that since they can make a call to the identity API with >> a token then the user *must* be present. In other words, app B is >> confusing authorization to call an API with authentication of the >> session. >> >> OpenID Connect fixes this missed assumption by binding the ID Token >> to the session and sending it along side the access token, but as you >> pointed out, it's meant for consumption at the client, not the >> resource server, in general. That doesn't mean you can't send it to a >> resource server for your own purposes, of course. That's actually how >> the session management endpoint works in Connect. >> >> This isn't the only way to handle this problem -- if you put some >> structure in your tokens, such as with JWT or SAML, then app A can >> tell that this isn't a token issued to app A, but to app B, so it can >> call shenanigans and reject it then and there. >> >> -- Justin >> >> On 06/20/2012 10:03 AM, Lewis Adam-CAL022 wrote: >>> >>> I am entirely confused. >>> >>> I understand what everybody is saying for confidential clients, no >>> problem here. >>> >>> I fall apart when thinking of iPhone apps. Consider the scenario >>> where I deploy a video server, and write an iPhone app to talk to >>> the video server. The video server is under the control of a police >>> agency, and police officers must logon to the video server in order >>> to access video content. So the police office launches their iPhone >>> video client app. >>> >>> 1)If I wanted to solve authentication using "traditional" >>> client-server authentication, the user enters their username / >>> password into the client, and the client sends the username / >>> password off to the server, which authenticates it, or possibly uses >>> HTTP digest. >>> >>> 2)If I wanted to use OpenID, the client would attempt to reach the >>> video server (RP), the server would redirect the client to the OP, >>> OP authenticates user, and OP redirects client back to the server/RP >>> with an assertion that primary authentication was successful. >>> >>> 3)If I wanted to use OAuth, the client would send an authorization >>> request to the server's AS, which would authenticate the user of the >>> client, and ultimately result in the client possessing an >>> access-token. My thinking is that this access token (let's assume >>> it's a JWT) would contain the user's identity, a statement of what >>> type of primary authentication was used (auth context), an >>> expiration, and an audience claim. This sounds a lot like >>> authentication to me, and it's where I get confused. Is it just >>> because OAuth does not explicitly define this? Is there a threat in >>> using OAuth as I describe? >>> >>> 4)If I wanted to use Connect, well I'm not even sure how the >>> id_token as defined by Connect helps this use case. The id_token >>> seems to make sense when the client is a confidential web server, >>> but it's not clear what an iPhone app would do with the id_token ... >>> it's the server in the backend that needs to authenticate the user, >>> the iPhone app is just an interface to talk to the server. And it >>> seems as I learn more about connect that the id_token is not meant >>> to be sent from the iPhone app to the server, just the access >>> token. So it's really not clear how Connect helps solve >>> authentication for an iPhone client app talking to a video server. >>> If I'm sending access-tokens, it's just OAuth again. >>> >>> What am I still missing? >>> >>> adam >>> >>> *From:*oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] *On >>> Behalf Of *Kristofor Selden >>> *Sent:* Saturday, June 16, 2012 11:33 AM >>> *To:* nov matake; oauth >>> *Cc:* Yuchen Zhou; Luke Melia; Shuo Chen (MSR) >>> *Subject:* Re: [OAUTH-WG] Report an authentication issue >>> >>> Nov demonstrated the problem to us at Yapp and we used solution 4 >>> (because the solution is server side and our app was in the app store). >>> >>> FB Connect is authentication /and/ authorization, where OAuth 2 is >>> concerned only with authorization -- I'm not sure that app >>> developers appreciate this subtlety. >>> >>> With OAuth 2 you authorize an app to use a protected resource. With >>> FB Connect, you do that, but /also/ authenticate with the app you >>> are authorizing. >>> >>> So the access_token protects not just the FB resources but the auth >>> end point of the authorized app (very common with apps that use the >>> iOS SDK). So now the app needs a way to verify that it was the app >>> that was authorized to FB. >>> >>> Solution 4 explanation: on FB you can register a iPhone app and a >>> server app with the same client_id and get a client_secret for use >>> on the server. The server side API posts the >>> access_token, client_id, and client_secret to >>> https://graph.facebook.com/app >>> <https://graph.facebook.com/app?access_token=YOUR_TOKEN> to verify >>> that the bearer token actually belongs to the app that is being >>> authenticated before assuming they are authorized to the app's >>> protected resources. >>> >>> Kris >>> >>> On Jun 15, 2012, at 8:22 PM, nov matake wrote: >>> >>> >>> >>> There are 4 ways to fix this issue. >>> >>> 1. Use response_type=token%20code (It's not in OAuth 2.0 Core, but >>> seems best way for interoperability) >>> >>> 2. Use singed_request (or some signed token like JWT) >>> >>> 3. Use grant_type=fb_exchange_token (Facebook custom way) >>> >>> 4. Access to https://graph.facebook.com/app?access_token=YOUR_TOKEN >>> (Facebook custom way, moreover undocumented API) >>> >>> Two iPhone app developers I reported this issue fixed it by using (4). >>> >>> I also tried to use (1) for my own iPhone app implementation, but >>> unfortunately it doesn't work when using authorization codes >>> obtained via FB iOS SDK. >>> >>> So I'm using (3) in my case. >>> >>> nov >>> >>> On 2012/06/16, at 9:16, Nat Sakimura wrote: >>> >>> >>> >>> As to how the fix was done, Nov can provide more detail, but ... >>> >>> 1. Properly verify the signature/HMAC of the "signed_request". This >>> will essentially audience restricts the token. >>> >>> 2. There is an undocumented API for Facebook which returns to whom >>> the token was issued. This also audience restricts the token. >>> >>> The service that fixed took these measures. Note that none of the >>> above is defined in OAuth. >>> >>> The same facility was called "id_token" and "check ID endpoint" for >>> OpenID Connect. >>> >>> The scale of the impact is large, too large to disclose the actual >>> names in the public list, though, eventually, we would publish them >>> in a paper. >>> >>> Nat >>> >>> On Sat, Jun 16, 2012 at 5:34 AM, Francisco Corella >>> <fcorella@pomcor.com <mailto:fcorella@pomcor.com>> wrote: >>> >>> Hi Nat and Rui, >>> >>> Rui, you say that the vulnerability that you found was due to a >>> "common misunderstanding among developers", but the attack you >>> describe can be carried out against any app that uses the OAuth >>> "implicit grant flow", which Facebook calls "client-side >>> authentication". No misunderstanding seems necessary. What >>> misunderstanding are you referring to? I followed the link in your >>> message to the Sophos post, and from there the link to the article in >>> The Register. The article in The Register says that Facebook had >>> "fixed the vulnerability promptly". How did they fix it? The >>> instructions that Facebook provides for implementing "Client-side >>> authentication without the JS SDK" at >>> https://developers.facebook.com/docs/authentication/client-side/#no-jssdk >>> still allows the attack. >>> >>> Nat, I agree that the blog post by John Bradley that you link to >>> refers to the same vulnerability reported by Rui. You say that some >>> apps have issued a patch to fix it. Could you explain what the fix >>> was? >>> >>> Francisco >>> >>> ------------------------------------------------------------------------ >>> >>> *From:*Nat Sakimura <sakimura@gmail.com <mailto:sakimura@gmail.com>> >>> *To:* rui wang <ruiwangwarm@gmail.com >>> <mailto:ruiwangwarm@gmail.com>> >>> *Cc:* matake nov <nov@matake.jp <mailto:nov@matake.jp>>; Yuchen >>> Zhou <t-yuzhou@microsoft.com <mailto:t-yuzhou@microsoft.com>>; >>> oauth <oauth@ietf.org <mailto:oauth@ietf.org>>; Shuo Chen (MSR) >>> <shuochen@microsoft.com <mailto:shuochen@microsoft.com>> >>> *Sent:* Thursday, June 14, 2012 1:50 PM >>> *Subject:* Re: [OAUTH-WG] Report an authentication issue >>> >>> This is a fairly well known (hopefully by now) issue. We, at the >>> OpenID Foundation, call it "access_token phishing" attack these >>> days. See: >>> http://www.thread-safe.com/2012/01/problem-with-oauth-for-authentication.html >>> >>> Nov Matake has actually built the code on iPhone to verify the >>> problem, and has notified bunch of parties back in February >>> including Facebook and Apple. We have the code that actually >>> runs on a phone, and we have successfully logged in to bunch of >>> apps, including very well known ones. They were all informed of >>> the issue. Some immediately issued a patch to fix it while >>> others have not. >>> >>> The problem is that even if these apps gets fixed, the problem >>> does not go away. As long as the attacker has the vulnerable >>> version of the app, he still can impersonate the victim. To stop >>> it, the server side has to completely disable the older version, >>> which means the service has to cut off many users pausing >>> business problems. >>> >>> Nat >>> >>> On Fri, Jun 15, 2012 at 2:18 AM, rui wang <ruiwangwarm@gmail.com >>> <mailto:ruiwangwarm@gmail.com>> wrote: >>> >>> Dear Facebook Security Team and OAuth Standard group, >>> >>> We are a research team in Microsoft Research. In January, 2011, >>> we reported a vulnerability in Facebook Connect which allowed >>> everyone to sign into Facebook-secured relying parties without >>> password. It was promptly fixed after reporting. >>> (http://nakedsecurity.sophos.com/2011/02/02/facebook-flaw-websites-steal-personal-data/) >>> >>> Recently, we found a common misunderstanding among developers of >>> mobile/metro apps when using OAuth (including Facebook's OAuth) >>> for authentication. The vulnerability resulted from this >>> misunderstanding also allows an attacker to log into a victim >>> user's account without password. >>> >>> Let's take Soluto's metro app as an example to describe the >>> problem. The app supports Facebook Login. As an attacker, we can >>> write a regular Facebook app. Once the victim user allows our >>> app to access her Facebook data, we receive an access_token from >>> the traffic. Then, on our own machine (i.e., the "attacker" >>> machine), we run the metro app of Soluto, and use a HTTP proxy >>> to insert the victim's access_token into the traffic of Facebook >>> login. Through this way, we are able to log into the victim's >>> Soluto account from our machine. Other than Soluto, we also have >>> confirmed the same issue on another Windows 8 metro-app Givit. >>> >>> The Facebook SDK for Android apps >>> (https://developers.facebook.com/docs/mobile/android/build/#sdk) >>> seems to have the possibility to mislead developers too. At >>> least, the issue that we found is not clearly mentioned. In the >>> SDK, we ran the sample code called "Hackbook" using Android >>> Emulator (imagine it is an attacker device). Note that we have >>> already received the access token of the victim user from our >>> regular Facebook app. We then inject the token to the traffic of >>> Hackbook. Through this way, Hackbook app on our own machine >>> recognizes us as the victim. Note that this is not a convincing >>> security exploit yet, because this sample code does not include >>> the server-side code. However, given that we have seen real >>> server-side code having this problem, such as Soluto, Givit and >>> others, we do believe that the sample code can mislead >>> mobile/metro developers. We also suspect that this may be a >>> general issue of many OAuth implementations on mobile platforms, >>> so we send this message to OAuth Standard group as well. >>> >>> We have contacted the vendors of the two vulnerable metro-apps, >>> Soluto and Gavit. >>> >>> Please kindly give us an ack when you receive this message. If >>> you want to know more details, please let us know. >>> >>> Best Regards, >>> Yuchen Zhou, Rui Wang, and Shuo Chen >>> >>> >>> _______________________________________________ >>> OAuth mailing list >>> OAuth@ietf.org <mailto:OAuth@ietf.org> >>> https://www.ietf.org/mailman/listinfo/oauth >>> >>> >>> >>> -- >>> Nat Sakimura (=nat) >>> >>> Chairman, OpenID Foundation >>> http://nat.sakimura.org/ >>> @_nat_en >>> >>> >>> _______________________________________________ >>> OAuth mailing list >>> OAuth@ietf.org <mailto:OAuth@ietf.org> >>> https://www.ietf.org/mailman/listinfo/oauth >>> >>> >>> >>> -- >>> Nat Sakimura (=nat) >>> >>> Chairman, OpenID Foundation >>> http://nat.sakimura.org/ >>> @_nat_en >>> >>> _______________________________________________ >>> OAuth mailing list >>> OAuth@ietf.org <mailto:OAuth@ietf.org> >>> https://www.ietf.org/mailman/listinfo/oauth >>> >>> _______________________________________________ >>> OAuth mailing list >>> OAuth@ietf.org <mailto:OAuth@ietf.org> >>> https://www.ietf.org/mailman/listinfo/oauth >>> >>> >>> >>> _______________________________________________ >>> OAuth mailing list >>> OAuth@ietf.org >>> https://www.ietf.org/mailman/listinfo/oauth >> >> >> _______________________________________________ >> OAuth mailing list >> OAuth@ietf.org >> https://www.ietf.org/mailman/listinfo/oauth > > > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth
- Re: [OAUTH-WG] Report an authentication issue Nat Sakimura
- [OAUTH-WG] Report an authentication issue rui wang
- Re: [OAUTH-WG] Report an authentication issue Francisco Corella
- Re: [OAUTH-WG] Report an authentication issue rui wang
- Re: [OAUTH-WG] Report an authentication issue Phil Hunt
- Re: [OAUTH-WG] Report an authentication issue Phil Hunt
- Re: [OAUTH-WG] Report an authentication issue Nat Sakimura
- Re: [OAUTH-WG] Report an authentication issue Francisco Corella
- Re: [OAUTH-WG] Report an authentication issue Nat Sakimura
- Re: [OAUTH-WG] Report an authentication issue Phil Hunt
- Re: [OAUTH-WG] Report an authentication issue Nat Sakimura
- Re: [OAUTH-WG] Report an authentication issue nov matake
- Re: [OAUTH-WG] Report an authentication issue Kristofor Selden
- Re: [OAUTH-WG] Report an authentication issue Lewis Adam-CAL022
- Re: [OAUTH-WG] Report an authentication issue Igor Faynberg
- Re: [OAUTH-WG] Report an authentication issue Justin Richer
- Re: [OAUTH-WG] Report an authentication issue Justin Richer
- Re: [OAUTH-WG] Report an authentication issue Igor Faynberg
- Re: [OAUTH-WG] Report an authentication issue Justin Richer
- Re: [OAUTH-WG] Report an authentication issue Lewis Adam-CAL022
- Re: [OAUTH-WG] Report an authentication issue Igor Faynberg
- Re: [OAUTH-WG] Report an authentication issue Nat Sakimura
- Re: [OAUTH-WG] Report an authentication issue Lewis Adam-CAL022
- Re: [OAUTH-WG] Report an authentication issue Igor Faynberg
- Re: [OAUTH-WG] Report an authentication issue Phil Hunt
- Re: [OAUTH-WG] Report an authentication issue Nat Sakimura
- Re: [OAUTH-WG] Report an authentication issue Lewis Adam-CAL022
- Re: [OAUTH-WG] Report an authentication issue Paul Madsen
- Re: [OAUTH-WG] Report an authentication issue Hannes Tschofenig
- Re: [OAUTH-WG] Report an authentication issue Chuck Mortimore
- Re: [OAUTH-WG] Report an authentication issue prateek mishra
- Re: [OAUTH-WG] Report an authentication issue Torsten Lodderstedt
- Re: [OAUTH-WG] Report an authentication issue Nat Sakimura
- Re: [OAUTH-WG] Report an authentication issue Lewis Adam-CAL022
- Re: [OAUTH-WG] Report an authentication issue Lewis Adam-CAL022
- Re: [OAUTH-WG] Report an authentication issue Igor Faynberg
- Re: [OAUTH-WG] Report an authentication issue Torsten Lodderstedt
- Re: [OAUTH-WG] Report an authentication issue Nat Sakimura
- Re: [OAUTH-WG] Report an authentication issue Lewis Adam-CAL022
- Re: [OAUTH-WG] Report an authentication issue John Bradley
- Re: [OAUTH-WG] Report an authentication issue Lewis Adam-CAL022
- Re: [OAUTH-WG] Report an authentication issue John Bradley
- Re: [OAUTH-WG] Report an authentication issue Antonio Sanso
- Re: [OAUTH-WG] Report an authentication issue Justin Richer
- Re: [OAUTH-WG] Report an authentication issue John Bradley
- Re: [OAUTH-WG] Report an authentication issue Dick Hardt
- Re: [OAUTH-WG] Report an authentication issue Mike Jones
- Re: [OAUTH-WG] Report an authentication issue Phil Hunt
- Re: [OAUTH-WG] Report an authentication issue John Bradley
- Re: [OAUTH-WG] Report an authentication issue John Bradley
- Re: [OAUTH-WG] Report an authentication issue Phil Hunt
- Re: [OAUTH-WG] Report an authentication issue John Bradley
- Re: [OAUTH-WG] Report an authentication issue Phil Hunt
- Re: [OAUTH-WG] Report an authentication issue Dick Hardt
- Re: [OAUTH-WG] Report an authentication issue John Bradley
- Re: [OAUTH-WG] Report an authentication issue Phil Hunt
- Re: [OAUTH-WG] Report an authentication issue John Bradley
- Re: [OAUTH-WG] Report an authentication issue Phil Hunt
- Re: [OAUTH-WG] Report an authentication issue John Bradley
- Re: [OAUTH-WG] Report an authentication issue Phil Hunt
- Re: [OAUTH-WG] Report an authentication issue John Bradley
- Re: [OAUTH-WG] Report an authentication issue Antonio Sanso
- [OAUTH-WG] Inadvertent cross-authentication throu… Phil Hunt
- Re: [OAUTH-WG] Report an authentication issue John Bradley
- Re: [OAUTH-WG] Report an authentication issue Phil Hunt
- Re: [OAUTH-WG] Report an authentication issue John Bradley