Re: [OAUTH-WG] Recap of two well known OAuth related attacks

"Richer, Justin P." <jricher@mitre.org> Wed, 15 May 2013 20:22 UTC

From: "Richer, Justin P." <jricher@mitre.org>
To: Antonio Sanso <asanso@adobe.com>
Date: Wed, 15 May 2013 20:21:54 +0000
Message-ID: <2AF08A9B-0E0A-42E1-9575-E582065D66D8@mitre.org>
References: <DC65FEE5-9CA0-45CF-B44B-912F0474C4DB@adobe.com>
In-Reply-To: <DC65FEE5-9CA0-45CF-B44B-912F0474C4DB@adobe.com>
Cc: "oauth@ietf.org WG" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Recap of two well known OAuth related attacks

The biggest problem with this attack is the passing of the access token to a backend server (and its subsequent passing of that token to someone else) and the assumption that the presentation of the access token means that the user is authenticated and present. It simply doesn't mean that, and this is a bad assumption that unfortunately many people make thanks to providers like Facebook using OAuth (or, mostly-OAuth since they're not actually RFC compliant) in the authentication protocol.

It's also a problem that so many people are using the implicit flow "because it's easy", missing the point of why it's there in the first place. The implicit flow is really only intended for cases where you can't hide secrets from the user agent, cases like an in-browser application. The flow diagrams that you have don't fit the implicit flow very well at all, since the access token is getting passed back to some other service.

 -- Justin

On May 13, 2013, at 11:14 AM, Antonio Sanso <asanso@adobe.com> wrote:

> Hi *,
> 
> I wrote a blog post showing two well known OAuth related attacks. I paste here the link for your consideration:
> 
> http://intothesymmetry.blogspot.ch/2013/05/oauth-2-attacks-introducing-devil-wears.html
> 
> Any comment is more than appreciated.
> 
> Regards
> 
> Antonio
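The first point in Justin's reply, a backend that treats any presented access token as proof the user logged in, has a concrete server-side check behind it. The following is an added example, not code from the thread or from any project discussed in it: a backend receives a bearer token, asks the authorization server about it, and only accepts the result as a login when the token was actually issued to this backend's own client registration. The introspection response shape (`active`, `client_id`, `sub`, `aud`) is assumed to follow RFC 7662; the token strings, the client id `our-web-app`, and the function names are constructed placeholders.

```python
"""Added example: why a bare access token is not proof of login to *this* app.

All data below is constructed. introspect() stands in for an authorization
server's token-introspection endpoint (RFC 7662 response shape assumed).
"""

# Constructed authorization-server state: which client each token was issued to.
ISSUED_TOKENS = {
    "tok-issued-to-our-app": {
        "active": True, "client_id": "our-web-app", "sub": "alice", "aud": "our-web-app"},
    "tok-issued-to-other-app": {
        "active": True, "client_id": "some-other-app", "sub": "alice", "aud": "some-other-app"},
    "tok-revoked": {"active": False},
}

# This backend's own registered client_id (assumed name).
OUR_CLIENT_ID = "our-web-app"


def introspect(token: str) -> dict:
    """Stand-in for an introspection call; unknown tokens come back inactive."""
    return ISSUED_TOKENS.get(token, {"active": False})


def login_naive(token: str):
    """The flawed pattern from the thread: any token the AS recognises is taken
    as a login for the 'sub' it names, no matter which client it was issued to."""
    info = introspect(token)
    if not info.get("active"):
        return None
    return info["sub"]  # accepts a token that may have been issued to another app


def login_checked(token: str):
    """Hardened: the token must be active AND bound to this client.

    client_id says which client obtained the token; aud (string or list) says
    who it was meant for. Both must name this backend before 'sub' is trusted.
    """
    info = introspect(token)
    if not info.get("active"):
        return None
    if info.get("client_id") != OUR_CLIENT_ID:
        return None  # obtained by a different app: says nothing about login here
    aud = info.get("aud")
    audiences = [aud] if isinstance(aud, str) else (aud or [])
    if OUR_CLIENT_ID not in audiences:
        return None
    return info["sub"]


if __name__ == "__main__":
    for tok in ISSUED_TOKENS:
        print(tok, "naive:", login_naive(tok), "checked:", login_checked(tok))
```

The checked version establishes only that the token was issued for this client, which is the property the naive version never verifies. It still says nothing about whether the user is present at the moment the token is redeemed; that is the second half of the point above, and an access token alone does not carry it.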