[OAUTH-WG] Endpoint Misconfiguration / Social Engineering Attack

Guido Schmitz <g.schmitz@gtrs.de> Thu, 08 October 2020 12:17 UTC

Message-ID: <91cca627-2250-366f-cc14-a153812ba902@gtrs.de>
Date: Thu, 8 Oct 2020 14:17:40 +0200
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/lIVKxH7-51HADF8Tw-p5myk2_So>

Hi,

We just had a discussion in Stuttgart on the possibility of
misconfigured endpoints, i.e., an honest client uses the wrong endpoints
for interacting with some honest AS. Such a setting might be the outcome
of a social engineering attack against the administrators of a client
(e.g., the attacker poses as an AS support agent and convinces the
client admin that some endpoint needs to be changed). If some endpoint
is configured to a URL controlled by some adversary, critical data can
leak and the attacker can even tamper with the requests to this endpoint.

Is this a realistic attack scenario? Does anybody have more insight or
data on this problem? (I think that such a scenario was mentioned
at some OSW discussion.)

A potential mitigation against this problem could be the usage of AS
metadata discovery (RFC8414). In this case, the client only needs to set
the "issuer" to configure the endpoint URLs. A social engineering attack
to change the issuer might be less likely than a social engineering attack
to change some endpoint URLs (which a client admin might have less
understanding of). Further, using AS metadata discovery also reduces the
risk of misconfiguration at the client in general. Maybe it is a good
idea to add a recommendation for the usage of RFC8414 in the security
BCP. What do you think?

Regards,

Guido
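The mitigation proposed in the post (configure only the issuer, derive endpoints via RFC 8414 metadata) only helps if the client checks what discovery returns. Below is an added example, not code from the post or from any OAuth library, of the client-side resolution and validation steps: building the well-known metadata URL from the issuer (RFC 8414 section 3), requiring the `issuer` value in the returned document to match the configured issuer exactly (section 3.3), insisting that every endpoint is an https URL, and flagging endpoints whose host differs from the issuer host so an admin can review them. The issuer `https://as.example.com/tenant1`, the hostnames and the two metadata documents are constructed sample values; a real client would fetch the document over TLS from the URL `metadata_url()` returns and pass the response body to `validate_metadata()`.

```python
"""Resolve OAuth endpoints from a single configured issuer (RFC 8414) and
check the metadata before the client trusts it. Added example; the issuer,
hosts and metadata documents below are constructed, not taken from the post."""
import json
from urllib.parse import urlsplit, urlunsplit

WELL_KNOWN = "/.well-known/oauth-authorization-server"
REQUIRED = ("authorization_endpoint", "token_endpoint")
OPTIONAL = ("jwks_uri", "registration_endpoint",
            "revocation_endpoint", "introspection_endpoint")


def metadata_url(issuer: str) -> str:
    """RFC 8414 section 3: the well-known path goes between the host and
    any path component of the issuer. Issuer must be https, no query/fragment."""
    u = urlsplit(issuer)
    if u.scheme != "https" or not u.netloc or u.query or u.fragment:
        raise ValueError("issuer must be an https URL without query or fragment")
    path = u.path.rstrip("/")
    return urlunsplit(("https", u.netloc, WELL_KNOWN + path, "", ""))


def validate_metadata(issuer: str, raw: str) -> dict:
    """Parse a metadata document and return a name -> URL map of endpoints.
    Rejects documents whose 'issuer' differs from the configured issuer
    (RFC 8414 section 3.3), documents missing a required endpoint, and any
    endpoint that is not an https URL."""
    doc = json.loads(raw)
    if doc.get("issuer") != issuer:
        raise ValueError(
            f"issuer mismatch: configured {issuer!r}, document says {doc.get('issuer')!r}")
    endpoints = {}
    for name in REQUIRED + OPTIONAL:
        value = doc.get(name)
        if value is None:
            if name in REQUIRED:
                raise ValueError(f"metadata lacks required endpoint {name}")
            continue
        e = urlsplit(value)
        if e.scheme != "https" or not e.netloc:
            raise ValueError(f"{name} is not an https URL: {value!r}")
        endpoints[name] = value
    return endpoints


def foreign_host_endpoints(issuer: str, endpoints: dict) -> list:
    """Names of endpoints hosted somewhere other than the issuer host.
    A separate host can be legitimate (e.g. a CDN for jwks_uri), so this is
    a review signal for the client admin rather than a hard failure."""
    host = urlsplit(issuer).hostname
    return sorted(n for n, v in endpoints.items() if urlsplit(v).hostname != host)


# Constructed sample data (hypothetical issuer and hosts).
ISSUER = "https://as.example.com/tenant1"

GOOD_DOC = json.dumps({
    "issuer": ISSUER,
    "authorization_endpoint": "https://as.example.com/tenant1/authorize",
    "token_endpoint": "https://as.example.com/tenant1/token",
    "jwks_uri": "https://keys-cdn.example.net/tenant1/jwks.json",
})

# Same endpoints, but the document claims a different issuer: a client that
# skips the section 3.3 check would silently adopt these endpoints.
MISMATCH_DOC = json.dumps({
    "issuer": "https://as.example.com/tenant2",
    "authorization_endpoint": "https://as.example.com/tenant1/authorize",
    "token_endpoint": "https://as.example.com/tenant1/token",
})


def resolve(issuer: str, raw: str) -> dict:
    """Full client-side flow: derive the metadata URL, validate the fetched
    document and report endpoints that live on another host."""
    endpoints = validate_metadata(issuer, raw)
    return {
        "metadata_url": metadata_url(issuer),
        "endpoints": endpoints,
        "review": foreign_host_endpoints(issuer, endpoints),
    }


if __name__ == "__main__":
    print(json.dumps(resolve(ISSUER, GOOD_DOC), indent=2))
    try:
        resolve(ISSUER, MISMATCH_DOC)
    except ValueError as err:
        print("rejected:", err)
```

The design point is that the only value an admin ever types is the issuer; every endpoint is derived, and a document that names a different issuer, or an http endpoint, is refused rather than adopted. The host-difference list is deliberately advisory, because legitimate deployments do split endpoints across hosts.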