Re: [OAUTH-WG] Auth Code Swap Attack

Eran Hammer-Lahav <> Mon, 22 August 2011 05:54 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 2E50C21F86B1 for <>; Sun, 21 Aug 2011 22:54:15 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.556
X-Spam-Status: No, score=-2.556 tagged_above=-999 required=5 tests=[AWL=0.043, BAYES_00=-2.599]
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id 8D53VW8Qh+k6 for <>; Sun, 21 Aug 2011 22:54:14 -0700 (PDT)
Received: from ( []) by (Postfix) with SMTP id AB76E21F85A3 for <>; Sun, 21 Aug 2011 22:54:14 -0700 (PDT)
Received: (qmail 18371 invoked from network); 22 Aug 2011 05:55:18 -0000
Received: from unknown (HELO ( by with SMTP; 22 Aug 2011 05:55:18 -0000
Received: from P3PW5EX1MB01.EX1.SECURESERVER.NET ([]) by P3PW5EX1HT005.EX1.SECURESERVER.NET ([]) with mapi; Sun, 21 Aug 2011 22:55:18 -0700
From: Eran Hammer-Lahav <>
To: Phil Hunt <>, David Recordon <>
Date: Sun, 21 Aug 2011 22:53:54 -0700
Thread-Topic: [OAUTH-WG] Auth Code Swap Attack
Thread-Index: AcxgjcIRXJJUdfv9R2iqyTyOj7ZYeQAAHTDQ
Message-ID: <90C41DD21FB7C64BB94121FBBC2E7234518A292F66@P3PW5EX1MB01.EX1.SECURESERVER.NET>
References: <> <> <90C41DD21FB7C64BB94121FBBC2E7234502498CE8D@P3PW5EX1MB01.EX1.SECURESERVER.NET> <90C41DD21FB7C64BB94121FBBC2E72345029DFA961@P3PW5EX1MB01.EX1.SECURESERVER.NET> <> <90C41DD21FB7C64BB94121FBBC2E7234518A292F49@P3PW5EX1MB01.EX1.SECURESERVER.NET> <> <>
In-Reply-To: <>
Accept-Language: en-US
Content-Language: en-US
acceptlanguage: en-US
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Cc: "OAuth WG (" <>
Subject: Re: [OAUTH-WG] Auth Code Swap Attack
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Mon, 22 Aug 2011 05:54:15 -0000

> -----Original Message-----
> From: Phil Hunt []
> Sent: Sunday, August 21, 2011 10:39 PM
> To: David Recordon
> Cc: Eran Hammer-Lahav; OAuth WG (
> Subject: Re: [OAUTH-WG] Auth Code Swap Attack
> I think the complication here is that CSRF issues are multi-site issues where
> the attacker cross connecting his client with a victims resource, or a victims
> client with the attackers resource.
> So while an individual site (e.g. Facebook) may presume little or no risk -
> there is a network effect here. A CSRF attacker could be using facebook to
> attack another site. See Yaron's original text about Plaxo/Live at the start of
> this thread.

It's still just a CSRF attack.
> Would it be reasonable to assess whether a resource site could make it
> mandatory based on a pre-registered client?  IOW, would Facebook want to
> make state mandatory for Confidential clients, but not public clients?

That's irrelevant. The authorization server has absolutely no way of verifying if the client is implementing a CSRF protection properly. Making 'state' required does not accomplish such an enforcement. A client can pass the proposed text requirement with "state=ni".

> Would it be acceptable to change status from OPTIONAL to RECOMMENDED?

Parameters are either required or optional. We can makes it optional and recommended for a particular purpose which is consistent with the existing text.

It should be mandatory to implement CSRF protection. We agree on that and should add it to the text. We also agree that 'state' is a great way of implementing it and should recommend it. We already do that in the security consideration section and can enhance that when defining the 'state' parameter.