Re: [OAUTH-WG] proposal of a paragraph to add to the security considerations section
Dick Hardt <dick.hardt@gmail.com> Tue, 19 June 2012 00:20 UTC
Return-Path: <dick.hardt@gmail.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D7E3F11E80DC for <oauth@ietfa.amsl.com>; Mon, 18 Jun 2012 17:20:41 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.465
X-Spam-Level:
X-Spam-Status: No, score=-3.465 tagged_above=-999 required=5 tests=[AWL=-0.467, BAYES_00=-2.599, HTML_MESSAGE=0.001, J_CHICKENPOX_65=0.6, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id siagWNFSvmUw for <oauth@ietfa.amsl.com>; Mon, 18 Jun 2012 17:20:40 -0700 (PDT)
Received: from mail-pb0-f44.google.com (mail-pb0-f44.google.com [209.85.160.44]) by ietfa.amsl.com (Postfix) with ESMTP id 1CA1A11E8073 for <oauth@ietf.org>; Mon, 18 Jun 2012 17:20:40 -0700 (PDT)
Received: by pbcwy7 with SMTP id wy7so8952852pbc.31 for <oauth@ietf.org>; Mon, 18 Jun 2012 17:20:39 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=subject:mime-version:content-type:from:in-reply-to:date:cc :message-id:references:to:x-mailer; bh=ahjMTR2Fq74ahFuPyT4kJ2qQPC/KQDXXc6W/6o9UpYw=; b=veQ49k3o8cicAQPVjf97IZsUc4xwT2BI2T+CVIatroN0HIrxh9SMW5vG2K/lQq8hd8 J8mbZF8oYnPnQ5zsazDkyR7lMw22UuIdFOjnCiF654CtsJL7X2kD3umf0b461Y6S26L9 VBlaafiVeWZ4LicAsOLA3Lv+6ehy9S8DTqtszRt/wG7bF+YDK7LLwN47A8nJU89GVDTT ORn/APlOPENrEwhl4Lx2nljmoOyzggJOFVHSmmOnyCr+dAj0k6eX8C0vc26afa/yM5OX HERjOTDZ2of33AbfYnthOL267GqiGJFe/olrL+b11gIH0Me6VYxMY1JjZzJzYpJ6ddMV 1rfA==
Received: by 10.68.201.9 with SMTP id jw9mr57881639pbc.28.1340065239584; Mon, 18 Jun 2012 17:20:39 -0700 (PDT)
Received: from [10.0.0.4] (c-24-5-69-173.hsd1.ca.comcast.net. [24.5.69.173]) by mx.google.com with ESMTPS id vp4sm25641188pbc.61.2012.06.18.17.20.37 (version=TLSv1/SSLv3 cipher=OTHER); Mon, 18 Jun 2012 17:20:38 -0700 (PDT)
Mime-Version: 1.0 (Apple Message framework v1278)
Content-Type: multipart/alternative; boundary="Apple-Mail=_534F4347-E749-4C50-BD42-7CA6D09F3EB0"
From: Dick Hardt <dick.hardt@gmail.com>
In-Reply-To: <484A13D0-7C9A-42CC-BB94-3657741834DE@ve7jtb.com>
Date: Mon, 18 Jun 2012 17:20:35 -0700
Message-Id: <82D95BA2-1697-4441-BBB3-B2AE480DC39E@gmail.com>
References: <854774286EF8A240BACC342973A86EAC016693D6@BL2PRD0310MB387.namprd03.prod.outlook.com> <484A13D0-7C9A-42CC-BB94-3657741834DE@ve7jtb.com>
To: John Bradley <ve7jtb@ve7jtb.com>
X-Mailer: Apple Mail (2.1278)
Cc: Yuchen Zhou <t-yuzhou@microsoft.com>, rui wang <wang63@indiana.edu>, Derek Atkins <derek@ihtfp.com>, "oauth@ietf.org" <oauth@ietf.org>, "Shuo Chen (MSR)" <shuochen@microsoft.com>
Subject: Re: [OAUTH-WG] proposal of a paragraph to add to the security considerations section
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 19 Jun 2012 00:20:42 -0000
John Do you have suggested text per your suggestion below? -- Dick On Jun 18, 2012, at 2:04 PM, John Bradley wrote: > I blogged about this in the hypothetical several months ago. http://www.thread-safe.com/2012/01/problem-with-oauth-for-authentication.html > > Nov Matake and others built some tests and found quite a number of deployments vulnerable. > http://www.thread-safe.com/2012/02/more-on-oauth-implicit-flow-application.html > > The bottom line is that OAuth has no explicit audience restriction for tokens, hence accepting any token outside of the code flow is subject to attack. > > In general it is not a issue for authorization, it is however a big issue then there is a presumption that the presenter of a token that grants a client access to resource x is the "resource owner" of resource x, when it is possible that the presenter is any client who has ever had a access token for resource x. > > We might want to include the why it is insecure in the security consideration, otherwise people reading the below will likely ignore the advice as it seems on the surface a touch extreme. > > There are certainly OAuth flows that allow you to do authentication safely, just not all of them without additional precautions. > > That is why openID Connect has a audience restricted id_token similar to Facebook's signed request to allow the implicit flows to be safely used for authentication. > > John B. > > > > > On 2012-06-18, at 4:19 PM, Shuo Chen (MSR) wrote: > >> Hi OAuth group, >> >> This is regarding the recent discussion about an implementation issue of some cloud services using OAuth for authentication. >> Derek Atkins and Dick Hardt suggested the possibility to discuss with the group a paragraph to add to the security considerations section. >> >> Derek’s suggestion: >> ==== === === === >> >> Perhaps you could boil it down to a paragraph >> >> or two for addition to the security considerations section that basically says >> >> "beware of implementing it *this* way because it leads to *that* attack vector", etc. >> ==== === === === >> >> >> Here is out suggested text: >> ==== === === === >> It has been observed that in multiple occasions that the server-side >> authentication logic takes an access token from the client, then >> queries the user's profile data from the IdP in order to >> "authenticate" the user. This implementation must be forbidden. It >> will allow an untrusted app running on a victim’s client device to >> work with an attacker’s device to sign into the victim’s account on the server side. >> ==== === === === >> >> >> Thank you. >> -Shuo >> p.s. below is the email thread giving a better context of the discussion. >> >> >> > -----Original Message----- >> > From: Derek Atkins [mailto:derek@ihtfp.com] >> > Sent: Monday, June 18, 2012 11:25 AM >> > To: Shuo Chen (MSR) >> > Cc: Hannes Tschofenig; rui wang; Stephen Farrell; Yuchen Zhou; Derek >> > Atkins; Dick Hardt >> > Subject: Re: [OAUTH-WG] web sso study... >> > >> > Hi, >> > >> > "Shuo Chen (MSR)" <shuochen@microsoft.com> writes: >> > >> >> Hi Hannes, Derek and Stephen, >> >> >> >> Thank you for your replies. >> >> >> >>> First, let me ask whether it is OK if I share your post with the >> >>> OAuth WG >> >> >> >> Yes, please feel free to share it. >> >> >> >>> Second, could you describe the attack in more details to me? >> >> >> >> Let's consider the mobile+cloud scenario for concreteness (although >> >> some other scenarios are also applicable). The attack steps are the >> >> following: suppose Alice's tablet runs a Windows 8 Metro app written >> >> by attacker Bob. This app is able to request and obtain an access >> >> token from the IdP (associated with Alice). The app can then send the >> >> access token to Bob's own tablet. Note that there is no security >> >> problem up to this point. However the real problem is that some cloud >> >> services use the access token to query the user's profile data from >> >> the IdP in order to "authenticate" the user. In this case, Bob's >> >> tablet will be able to sign into the cloud service as Alice. We have >> >> confirmed that the cloud services for Soluto Metro App, Givit Metro >> >> App and EuroCup2012 Metro App make this mistake. These are apps in >> >> the official Windows 8 App Store. We actually sampled only a small portion of the available apps, but believe this is a vulnerability pattern. >> >> >> >> We don’t think there is anything wrong in the OAuth spec. It is >> >> developers who didn’t comprehensively understand the usage of the >> >> access token. In the meanwhile, this vulnerability pattern is not explicitly excluded by the spec. >> >> More importantly, it has been seen in the wild. >> >> >> >>> [from Derek's email] Perhaps you could boil it down to a paragraph >> >>> or two for >> >> addition to the security considerations section that basically says >> >> "beware of implementing it *this* way because it leads to *that* attack vector", etc. >> >> >> >> This is a great idea. I think that although it is difficult to >> >> anticipate in general all kinds of incomprehensive understandings of >> >> average developers, it is very worthwhile to take any common existing >> >> vulnerability pattern as a precious feedback to improve the >> >> specification text. In this case, since we have already seen this >> >> vulnerability pattern on multiple services in the wild, certainly we >> >> should be explicit about it in the security considerations section. >> >> >> >> Our suggested text: >> >> >> >> It has been observed that in multiple occasions that the server-side >> >> authentication logic takes an access token from the client, then >> >> queries the user's profile data from the IdP in order to >> >> "authenticate" the user. This implementation must be forbidden. It >> >> will allow an untrusted app running on a victim’s client device to >> >> work with an attacker’s device to sign into the victim’s account on the server side. >> >> >> >> Any questions or suggestions? >> > >> > Could you please send this to the oauth@ietf.org mailing list? >> > >> >> Thanks a lot. >> >> >> >> -Shuo >> > >> > -derek >> > >> >> -----Original Message----- >> >> From: Hannes Tschofenig [mailto:Hannes.Tschofenig@gmx.net] >> >> Sent: Friday, June 15, 2012 11:36 AM >> >> To: rui wang >> >> Cc: Hannes Tschofenig; Stephen Farrell; Shuo Chen (MSR); Yuchen Zhou; >> >> Derek Atkins >> >> Subject: Re: [OAUTH-WG] web sso study... >> >> >> >> Hi Rui, >> >> >> >> let me independently respond (in addition to the previous responses >> >> you had already gotten). >> >> >> >> First, let me ask whether it is OK if I share your post with the >> >> OAuth WG since it is more detailed than the one you distributed on the list mid April. >> >> >> >> Second, could you describe the attack in more details to me? What I >> >> would like to better understand whether this the raised issue is a >> >> problem with one of our specifications, with a specific >> >> implementation of the IETF OAuth specifications, a problem with other >> >> OAuth related work (Facebook, as you know, implements far more than >> >> just the IETF OAuth specifications), a violation of the IETF OAuth >> >> specification in the way how the Websites use OAuth, whether this is >> >> a configuration related aspect, or an aspect we already documented in the threats document. >> >> >> >> The reason why I am so specific is to know where to put text to >> >> address this issue or whether this is even an issue beyond the IETF >> >> OAuth working group and needs to be tackled somewhere else. >> >> >> >> Ciao >> >> >> >> Hannes >> >> >> _______________________________________________ >> OAuth mailing list >> OAuth@ietf.org >> https://www.ietf.org/mailman/listinfo/oauth > > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth
- [OAUTH-WG] proposal of a paragraph to add to the … Shuo Chen (MSR)
- Re: [OAUTH-WG] proposal of a paragraph to add to … John Bradley
- Re: [OAUTH-WG] proposal of a paragraph to add to … Dick Hardt
- Re: [OAUTH-WG] proposal of a paragraph to add to … John Bradley
- Re: [OAUTH-WG] proposal of a paragraph to add to … Hannes Tschofenig
- Re: [OAUTH-WG] proposal of a paragraph to add to … John Bradley
- Re: [OAUTH-WG] proposal of a paragraph to add to … Eran Hammer
- Re: [OAUTH-WG] proposal of a paragraph to add to … Antonio Sanso
- Re: [OAUTH-WG] proposal of a paragraph to add to … Torsten Lodderstedt
- Re: [OAUTH-WG] proposal of a paragraph to add to … John Bradley
- Re: [OAUTH-WG] proposal of a paragraph to add to … Dick Hardt
- Re: [OAUTH-WG] proposal of a paragraph to add to … Eran Hammer
- Re: [OAUTH-WG] proposal of a paragraph to add to … Dick Hardt
- Re: [OAUTH-WG] proposal of a paragraph to add to … Dick Hardt