IETF Logo Mail Archive

[OAUTH-WG] proposal of a paragraph to add to the security considerations section

"Shuo Chen (MSR)" <shuochen@microsoft.com> Mon, 18 June 2012 20:20 UTC

Return-Path: <shuochen@microsoft.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 12A5411E80A3 for <oauth@ietfa.amsl.com>; Mon, 18 Jun 2012 13:20:48 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.666
X-Spam-Level:
X-Spam-Status: No, score=-1.666 tagged_above=-999 required=5 tests=[AWL=1.200, BAYES_00=-2.599, HTML_MESSAGE=0.001, J_CHICKENPOX_65=0.6, RCVD_IN_DNSWL_MED=-4, UNRESOLVED_TEMPLATE=3.132]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id mm1tTVze1eEi for <oauth@ietfa.amsl.com>; Mon, 18 Jun 2012 13:20:45 -0700 (PDT)
Received: from tx2outboundpool.messaging.microsoft.com (tx2ehsobe001.messaging.microsoft.com [65.55.88.11]) by ietfa.amsl.com (Postfix) with ESMTP id 992E211E809C for <oauth@ietf.org>; Mon, 18 Jun 2012 13:20:44 -0700 (PDT)
Received: from mail86-tx2-R.bigfish.com (10.9.14.246) by TX2EHSOBE002.bigfish.com (10.9.40.22) with Microsoft SMTP Server id 14.1.225.23; Mon, 18 Jun 2012 20:19:24 +0000
Received: from mail86-tx2 (localhost [127.0.0.1]) by mail86-tx2-R.bigfish.com (Postfix) with ESMTP id 1FF9B440629 for <oauth@ietf.org>; Mon, 18 Jun 2012 20:19:24 +0000 (UTC)
X-Forefront-Antispam-Report: CIP:131.107.125.8; KIP:(null); UIP:(null); IPV:NLI; H:TK5EX14MLTC102.redmond.corp.microsoft.com; RD:none; EFVD:NLI
X-SpamScore: -29
X-BigFish: VS-29(zz9371Ic85fh1454I542M1432I1418Izz1202hzz1033IL8275bh8275dhz2fh2a8h683h839hd25hf0ah)
Received-SPF: pass (mail86-tx2: domain of microsoft.com designates 131.107.125.8 as permitted sender) client-ip=131.107.125.8; envelope-from=shuochen@microsoft.com; helo=TK5EX14MLTC102.redmond.corp.microsoft.com ; icrosoft.com ;
X-Forefront-Antispam-Report-Untrusted: CIP:157.56.240.21; KIP:(null); UIP:(null); (null); H:BL2PRD0310HT004.namprd03.prod.outlook.com; R:internal; EFV:INT
Received: from mail86-tx2 (localhost.localdomain [127.0.0.1]) by mail86-tx2 (MessageSwitch) id 1340050762113140_17184; Mon, 18 Jun 2012 20:19:22 +0000 (UTC)
Received: from TX2EHSMHS023.bigfish.com (unknown [10.9.14.253]) by mail86-tx2.bigfish.com (Postfix) with ESMTP id 0E9344C0043 for <oauth@ietf.org>; Mon, 18 Jun 2012 20:19:22 +0000 (UTC)
Received: from TK5EX14MLTC102.redmond.corp.microsoft.com (131.107.125.8) by TX2EHSMHS023.bigfish.com (10.9.99.123) with Microsoft SMTP Server (TLS) id 14.1.225.23; Mon, 18 Jun 2012 20:19:20 +0000
Received: from va3outboundpool.messaging.microsoft.com (157.54.51.113) by mail.microsoft.com (157.54.79.180) with Microsoft SMTP Server (TLS) id 14.2.298.5; Mon, 18 Jun 2012 20:20:36 +0000
Received: from mail175-va3-R.bigfish.com (10.7.14.240) by VA3EHSOBE002.bigfish.com (10.7.40.22) with Microsoft SMTP Server id 14.1.225.23; Mon, 18 Jun 2012 20:18:24 +0000
Received: from mail175-va3 (localhost [127.0.0.1]) by mail175-va3-R.bigfish.com (Postfix) with ESMTP id 565DF340494 for <oauth@ietf.org.FOPE.CONNECTOR.OVERRIDE>; Mon, 18 Jun 2012 20:18:24 +0000 (UTC)
Received: from mail175-va3 (localhost.localdomain [127.0.0.1]) by mail175-va3 (MessageSwitch) id 1340050702506722_1038; Mon, 18 Jun 2012 20:18:22 +0000 (UTC)
Received: from VA3EHSMHS030.bigfish.com (unknown [10.7.14.241]) by mail175-va3.bigfish.com (Postfix) with ESMTP id 6D620A0046; Mon, 18 Jun 2012 20:18:22 +0000 (UTC)
Received: from BL2PRD0310HT004.namprd03.prod.outlook.com (157.56.240.21) by VA3EHSMHS030.bigfish.com (10.7.99.40) with Microsoft SMTP Server (TLS) id 14.1.225.23; Mon, 18 Jun 2012 20:18:20 +0000
Received: from BL2PRD0310MB387.namprd03.prod.outlook.com ([169.254.11.224]) by BL2PRD0310HT004.namprd03.prod.outlook.com ([10.255.97.39]) with mapi id 14.16.0152.000; Mon, 18 Jun 2012 20:19:38 +0000
From: "Shuo Chen (MSR)" <shuochen@microsoft.com>
To: "oauth@ietf.org" <oauth@ietf.org>
Thread-Topic: proposal of a paragraph to add to the security considerations section
Thread-Index: Ac1Njb26Cfi2sNORQY2bLPj4RMYfIg==
Date: Mon, 18 Jun 2012 20:19:38 +0000
Message-ID: <854774286EF8A240BACC342973A86EAC016693D6@BL2PRD0310MB387.namprd03.prod.outlook.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [131.107.192.57]
Content-Type: multipart/alternative; boundary="_000_854774286EF8A240BACC342973A86EAC016693D6BL2PRD0310MB387_"
MIME-Version: 1.0
X-OrganizationHeadersPreserved: BL2PRD0310HT004.namprd03.prod.outlook.com
X-FOPE-CONNECTOR: Id%0$Dn%*$RO%0$TLS%0$FQDN%$TlsDn%
X-FOPE-CONNECTOR: Id%59$Dn%IETF.ORG$RO%2$TLS%6$FQDN%131.107.125.5$TlsDn%
X-FOPE-CONNECTOR: Id%59$Dn%GMAIL.COM$RO%2$TLS%6$FQDN%131.107.125.5$TlsDn%
X-FOPE-CONNECTOR: Id%59$Dn%IHTFP.COM$RO%2$TLS%6$FQDN%131.107.125.5$TlsDn%
X-FOPE-CONNECTOR: Id%59$Dn%GMX.NET$RO%2$TLS%6$FQDN%131.107.125.5$TlsDn%
X-FOPE-CONNECTOR: Id%59$Dn%INDIANA.EDU$RO%2$TLS%6$FQDN%131.107.125.5$TlsDn%
X-FOPE-CONNECTOR: Id%59$Dn%CS.TCD.IE$RO%2$TLS%6$FQDN%131.107.125.5$TlsDn%
X-CrossPremisesHeadersPromoted: TK5EX14MLTC102.redmond.corp.microsoft.com
X-CrossPremisesHeadersFiltered: TK5EX14MLTC102.redmond.corp.microsoft.com
X-OriginatorOrg: microsoft.com
X-Mailman-Approved-At: Mon, 18 Jun 2012 13:35:36 -0700
Cc: rui wang <wang63@indiana.edu>, Yuchen Zhou <t-yuzhou@microsoft.com>, Derek Atkins <derek@ihtfp.com>
Subject: [OAUTH-WG] proposal of a paragraph to add to the security considerations section
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 18 Jun 2012 20:28:42 -0000

Hi OAuth group,

This is regarding the recent discussion about an implementation issue of some cloud services using OAuth for authentication.
Derek Atkins and Dick Hardt suggested the possibility to discuss with the group a paragraph to add to the security considerations section.

Derek's suggestion:
====   ===  ===  ===
>> Perhaps you could boil it down to a paragraph
>> or two for addition to the security considerations section that basically says
>> "beware of implementing it *this* way because it leads to *that* attack vector", etc.
====   ===  ===  ===


Here is out suggested text:
====   ===  ===  ===
It has been observed that in multiple occasions that the server-side
authentication logic takes an access token from the client, then
queries the user's profile data from the IdP in order to
"authenticate" the user. This implementation must be forbidden. It
will allow an untrusted app running on a victim's client device to
work with an attacker's device to sign into the victim's account on the server side.
====   ===  ===  ===


Thank you.
-Shuo
p.s. below is the email thread giving a better context of the discussion.


> -----Original Message-----
> From: Derek Atkins [mailto:derek@ihtfp.com]
> Sent: Monday, June 18, 2012 11:25 AM
> To: Shuo Chen (MSR)
> Cc: Hannes Tschofenig; rui wang; Stephen Farrell; Yuchen Zhou; Derek
> Atkins; Dick Hardt
> Subject: Re: [OAUTH-WG] web sso study...
>
> Hi,
>
> "Shuo Chen (MSR)" <shuochen@microsoft.com> writes:
>
>> Hi Hannes, Derek and Stephen,
>>
>> Thank you for your replies.
>>
>>> First, let me ask whether it is OK if I share your post with the
>>> OAuth WG
>>
>> Yes, please feel free to share it.
>>
>>> Second, could you describe the attack in more details to me?
>>
>> Let's consider the mobile+cloud scenario for concreteness (although
>> some other scenarios are also applicable). The attack steps are the
>> following: suppose Alice's tablet runs a Windows 8 Metro app written
>> by attacker Bob. This app is able to request and obtain an access
>> token from the IdP (associated with Alice). The app can then send the
>> access token to Bob's own tablet. Note that there is no security
>> problem up to this point. However the real problem is that some cloud
>> services use the access token to query the user's profile data from
>> the IdP in order to "authenticate" the user. In this case, Bob's
>> tablet will be able to sign into the cloud service as Alice. We have
>> confirmed that the cloud services for Soluto Metro App, Givit Metro
>> App and EuroCup2012 Metro App make this mistake. These are apps in
>> the official Windows 8 App Store. We actually sampled only a small portion of the available apps, but believe this is a vulnerability pattern.
>>
>> We don't think there is anything wrong in the OAuth spec. It is
>> developers who didn't comprehensively understand the usage of the
>> access token. In the meanwhile, this vulnerability pattern is not explicitly excluded by the spec.
>> More importantly, it has been seen in the wild.
>>
>>> [from Derek's email] Perhaps you could boil it down to a paragraph
>>> or two for
>> addition to the security considerations section that basically says
>> "beware of implementing it *this* way because it leads to *that* attack vector", etc.
>>
>> This is a great idea. I think that although it is difficult to
>> anticipate in general all kinds of incomprehensive understandings of
>> average developers, it is very worthwhile to take any common existing
>> vulnerability pattern as a precious feedback to improve the
>> specification text. In this case, since we have already seen this
>> vulnerability pattern on multiple services in the wild, certainly we
>> should be explicit about it in the security considerations section.
>>
>> Our suggested text:
>>
>> It has been observed that in multiple occasions that the server-side
>> authentication logic takes an access token from the client, then
>> queries the user's profile data from the IdP in order to
>> "authenticate" the user. This implementation must be forbidden. It
>> will allow an untrusted app running on a victim's client device to
>> work with an attacker's device to sign into the victim's account on the server side.
>>
>> Any questions or suggestions?
>
> Could you please send this to the oauth@ietf.org mailing list?
>
>> Thanks a lot.
>>
>> -Shuo
>
> -derek
>
>> -----Original Message-----
>> From: Hannes Tschofenig [mailto:Hannes.Tschofenig@gmx.net]
>> Sent: Friday, June 15, 2012 11:36 AM
>> To: rui wang
>> Cc: Hannes Tschofenig; Stephen Farrell; Shuo Chen (MSR); Yuchen Zhou;
>> Derek Atkins
>> Subject: Re: [OAUTH-WG] web sso study...
>>
>> Hi Rui,
>>
>> let me independently respond (in addition to the previous responses
>> you had already gotten).
>>
>> First, let me ask whether it is OK if I share your post with the
>> OAuth WG since it is more detailed than the one you distributed on the list mid April.
>>
>> Second, could you describe the attack in more details to me? What I
>> would like to better understand whether this the raised issue is a
>> problem with one of our specifications, with a specific
>> implementation of the IETF OAuth specifications, a problem with other
>> OAuth related work (Facebook, as you know, implements far more than
>> just the IETF OAuth specifications), a violation of the IETF OAuth
>> specification in the way how the Websites use OAuth, whether this is
>> a configuration related aspect, or an aspect we already documented in the threats document.
>>
>> The reason why I am so specific is to know where to put text to
>> address this issue or whether this is even an issue beyond the IETF
>> OAuth working group and needs to be tackled somewhere else.
>>
>> Ciao
>>
>> Hannes
>>

v2.23.0 | Report a Bug | By Email