IETF Logo Mail Archive

Re: [OAUTH-WG] A Scope Attack against OAuth 2.0

Wenjie Lin <lin.820@osu.edu> Tue, 21 February 2012 19:25 UTC

Return-Path: <wenjielin.bupt@gmail.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9536021E805B for <oauth@ietfa.amsl.com>; Tue, 21 Feb 2012 11:25:52 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.361
X-Spam-Level:
X-Spam-Status: No, score=-2.361 tagged_above=-999 required=5 tests=[AWL=0.315, BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, MIME_8BIT_HEADER=0.3, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id xGLocgLYiAKt for <oauth@ietfa.amsl.com>; Tue, 21 Feb 2012 11:25:47 -0800 (PST)
Received: from mail-iy0-f172.google.com (mail-iy0-f172.google.com [209.85.210.172]) by ietfa.amsl.com (Postfix) with ESMTP id AC67321F85F4 for <oauth@ietf.org>; Tue, 21 Feb 2012 11:25:47 -0800 (PST)
Received: by iagf6 with SMTP id f6so11660799iag.31 for <oauth@ietf.org>; Tue, 21 Feb 2012 11:25:47 -0800 (PST)
Received-SPF: pass (google.com: domain of wenjielin.bupt@gmail.com designates 10.50.154.200 as permitted sender) client-ip=10.50.154.200;
Authentication-Results: mr.google.com; spf=pass (google.com: domain of wenjielin.bupt@gmail.com designates 10.50.154.200 as permitted sender) smtp.mail=wenjielin.bupt@gmail.com; dkim=pass header.i=wenjielin.bupt@gmail.com
Received: from mr.google.com ([10.50.154.200]) by 10.50.154.200 with SMTP id vq8mr22026871igb.14.1329852347427 (num_hops = 1); Tue, 21 Feb 2012 11:25:47 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=mime-version:sender:in-reply-to:references:from:date :x-google-sender-auth:message-id:subject:to:cc:content-type; bh=2nDOAKCos9hJ8zqr/aUyfRi0QiQNa7pyN3GL7h+BG3Y=; b=HUdGar5MxMr7WTgqieXsYocedC7897dC06KKn2RDoswEDueZUPPK85HQCIhTuhybQr 830vwHliLEbMzGultv1BGRs4B7M5MvCd8dATdX8dF4cnCcpYMcGmpgfJ0NjlA3kOrTtp xSitpsATACZlzlvF9I8TIFG6/YXioTnJTf8uM=
Received: by 10.50.154.200 with SMTP id vq8mr17774016igb.14.1329852347328; Tue, 21 Feb 2012 11:25:47 -0800 (PST)
MIME-Version: 1.0
Sender: wenjielin.bupt@gmail.com
Received: by 10.42.139.138 with HTTP; Tue, 21 Feb 2012 11:25:27 -0800 (PST)
In-Reply-To: <CAEwGkqBEtSMOR51=b6MqzC3DGKtTjUP_dtvKGbah3FBz6wJpMQ@mail.gmail.com>
References: <CAGmQQ9eorSS8jWgHZzw_Bq6Eb4Qj+fZ0NUuQx_KJwC_rasUCnA@mail.gmail.com> <OF7789D618.84BDC5CF-ON4A2579A8.0023CB58-4A2579A8.0024278F@au1.ibm.com> <5D97D44A-FF8A-4E67-B22D-FB6019162800@ve7jtb.com> <CAGmQQ9fA6DT=-uBZUFgB=Kz6zr=eGSQUUp6X0w1QyD=O0wZy5Q@mail.gmail.com> <CAEwGkqBEtSMOR51=b6MqzC3DGKtTjUP_dtvKGbah3FBz6wJpMQ@mail.gmail.com>
From: Wenjie Lin <lin.820@osu.edu>
Date: Tue, 21 Feb 2012 11:25:27 -0800
X-Google-Sender-Auth: a0vCyjOZWoxuoshBA0Eqy54BLr0
Message-ID: <CAGmQQ9ctZVuiKSdYkuM-BSvEOH_BH8qZ06LMNa3rnyZCM5P9Kg@mail.gmail.com>
To: André DeMarre <andredemarre@gmail.com>
Content-Type: multipart/alternative; boundary="14dae9340821c4295804b97e60f7"
Cc: "Lee, David" <david.lee10@hp.com>, "oauth@ietf.org (oauth@ietf.org)" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] A Scope Attack against OAuth 2.0
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 21 Feb 2012 19:25:52 -0000

On Sat, Feb 18, 2012 at 9:52 PM, André DeMarre <andredemarre@gmail.com>wrote:

> The spec already does what you ask...
>
> Wenjie Lin wrote:
> > as an Option, Authorization Server may choose not to include the scope
> > response parameter to inform Client of the actual scope granted, and
> > that results in the scope attack.
>
> That's not true. Consider draft-ietf-oauth-v2-23 section 3.3:
>    The authorization server MAY fully or partially ignore the scope
>   requested by the client based on the authorization server policy or
>    the resource owner's instructions.  *If the issued access token scope
> *
> *   is different from the one requested by the client, the authorization
>   server MUST include the "scope" response parameter to inform the
>   client of the actual scope granted.*
>
>
The problem is the underlined part above. The authorization server can
never figure out whether *the issued access token scope  is different from
the one requested by the client, *since the authorization server only
receives scope information from the user – never from the client. So long
as the user sends to the authorization server a consistent scope, that can
be different than the one requested by the client, the authorization server
can never figure out the difference. Consequently, the authorization server
MAY NOT *include the "scope" response parameter to inform the client of the
actual scope granted, *resulting in a scope attack.




> See also draft-ietf-oauth-v2-23 section 5.1 regarding issuing an access
> token:
>    scope
>         OPTIONAL, if identical to the scope requested by the client,
>          otherwise REQUIRED.  The scope of the access token as described
>         by Section 3.3.
>
>
> Regards,
> Andre DeMarre
>
> On Sat, Feb 18, 2012 at 8:18 PM, Wenjie Lin <lin.820@osu.edu> wrote:
> > We appreciate your attention and response to our report.
> >
> >
> >
> > Since Authorization Server obtains the scope information ONLY from User,
> it
> > can’t tell whether the issued access token scope  is different from the
> one
> > requested by Client, so long as User is consistently sending the same
> > altered scope information to Authorization Server. Consequently, as an
> > Option, Authorization Server may choose not to include the scope response
> > parameter to inform Client of the actual scope granted, and that results
> in
> > the scope attack. This is a protocol issue and is not an implementation
> > issue; one can come up with an implementation that is compliant with the
> > protocol specification yet with a scope attack.
> >
> >
> >
> > One may argue that we only care about User protection and security.
> > Consequently, scope attack is apparently not a protocol security issue.
> > However, it would significantly limit the applicability of the protocol,
> if
> > Client is knowingly exposed to attacks. We need Client protection and
> > security as well in applications, for instance, cloud services.
> >
> >
> >
> > Scope attack can be easily fixed. One can simply make it Required that
> > Authorization Server MUST include the scope response parameter to inform
> > Client of the actual scope granted, as we have proposed for your
> > consideration.
> >
> >
> >
> > OAuth 2.0 is a sound protocol design. We prove the security properties
> (for
> > both User and Client) and scope attack is an issue we’ve got stuck in the
> > proof.
> >
> >
> >
> > - W. Lin and D. Lee
> >
> >
> > On Sat, Feb 18, 2012 at 2:47 PM, John Bradley <ve7jtb@ve7jtb.com> wrote:
> >>
> >> I agree that it is not a protocol problem.
> >>
> >> The problem is that some developers are not understanding the spec.
> >>
> >> One case I saw recently was a proposal to send a scope to the
> >> Authorization endpoint that changed is authentication behaviour e.g.
> ask for
> >> mlti-factor authentication.
> >>
> >> On a superficial reading of the spec they thought that not getting a
> >> changed set of scopes back in the response that the Authorization
> server was
> >> indicating that it had done what was asked.
> >>
> >> When I pointed out that the user agent can remove scopes because
> requests
> >> are not signed,  they had a similar solution of forcing all the
> endpoints to
> >> always return the scopes granted.
> >>
> >> I hope I talked them out of that.
> >>
> >> The problem is getting people to use scopes to represent resources and
> not
> >> other arbitrary configuration things,  and to understand that even if
> they
> >> do get a scope granted it could disappear before they get to use the
> access
> >> token and they need to be prepared for that.
> >>
> >> The premise that users get access to y for access to x is something that
> >> can be built with OAuth but is not something that can be inferred in
> the way
> >> they are proposing.
> >>
> >> From my perspective replying with granted scopes is a convince for the
> >> client, but not something that can be depended upon.
> >> I don't think we need any normative change.
> >>
> >> A don't make stupid assumptions about the persistence of scopes in
> tokens
> >> note would be as far as I would go.
> >>
> >> John B.
> >>
> >> On 2012-02-18, at 3:34 AM, Shane B Weeden wrote:
> >>
> >> > I agree with others - this is not an attack on the protocol. The user
> >> > has
> >> > the choice about which scope to grant and the client's redirect to the
> >> > authorization endpoint is only a request for a particular set of
> >> > permissions, not a guarantee that it will get them. The
> >> > user+authorization
> >> > server decide which scope is actually granted. The client needs to
> >> > handle
> >> > cases where that differs from what it originally wanted.
> >> >
> >> >
> >> >
> >> >
> >> > From: Wenjie Lin <lin.820@osu.edu>
> >> > To:   oauth@ietf.org
> >> > Date: 18/02/2012 12:12 PM
> >> > Subject:      [OAUTH-WG] A Scope Attack against OAuth 2.0
> >> > Sent by:      oauth-bounces@ietf.org
> >> >
> >> >
> >> >
> >> > We describe an attack on OAuth 2.0 (draft-ietf-oauth-v2-23), called
> >> > scope
> >> > attack, provide a live-demo of the attack on Facebook, and propose a
> fix
> >> > with discussions.
> >> >
> >> >
> >> >
> >> >
> >> >
> >> > Scope Attack
> >> >
> >> >
> >> > OAuth authorization of services is associated with service agreement
> >> > scope.
> >> > For instance, Client provides an online game to User with a service
> >> > agreement scope A: User authorizes Client to access his profile
> >> > information
> >> > and to post messages on his behalf. A malicious User can request for
> >> > online
> >> > game with service agreement scope A, manipulate the scope field, and
> >> > change
> >> > it to scope B: User authorizes Client to access his profile
> information.
> >> > User can still play the games,  yet Client can’t post messages on
> User’s
> >> > behalf, as originally agreed.
> >> >
> >> >
> >> > OAuth 2.0 authorization code grant and implicit grant are vulnerable
> to
> >> > the
> >> > scope attack.
> >> >
> >> >
> >> >
> >> >
> >> >
> >> > A Scope Attack Scenario
> >> >
> >> >
> >> > (1) Authorization Server: Facebook (authorization code grant)
> >> >
> >> >
> >> >      (2) Client: Online gaming company Game. It allows User to play
> the
> >> >      games with the service agreement scope A: User authorizes Game to
> >> >      access his profile information and post messages on his behalf.
> >> >
> >> >
> >> >      (3) User: malicious User with an account at Facebook. He attempts
> >> > to
> >> >      play the games yet without authorizing Game to post messages on
> his
> >> >      behalf, that is, he changes the scope from A to B: authorization
> of
> >> >      Client to access his profile information only.
> >> >
> >> >
> >> >
> >> >
> >> >
> >> > Attack Workflow
> >> >
> >> >
> >> >        (1) User requests Game (Client) for permission to play games,
> >> >        instantiating OAuth 2.0 with scope A.
> >> >
> >> >
> >> >        (2) Game generates an authorization request with a scope
> >> >        specification A, and redirects User to Facebook with the
> request.
> >> >
> >> >
> >> >        (3) User manipulates the scope field and changes it to scope B.
> >> > The
> >> >        modified request is then sent to Facebook.
> >> >
> >> >
> >> >        (4) User grants the modified request.
> >> >
> >> >
> >> >        (5) Facebook redirects User back to Game with the authorization
> >> >        code.
> >> >
> >> >
> >> >        (6) Game exchanges the authorization code for an access token.
> >> >        However it has no knowledge that the scope A has been changed
> to
> >> >        scope B.
> >> >
> >> >
> >> >        (7) Game provides online gaming service to User. However, Game
> >> >        can’t post messages on User’s Facebook page.
> >> >
> >> >
> >> >
> >> >
> >> >
> >> > A Live-Demo: Facebook and CastleVille (IE and Safari tested)
> >> >
> >> >
> >> >      Step 1: Login Facebook and visit Facebook Apps and Game page
> >> >
> >> >
> >> >      https://www.facebook.com/games
> >> >
> >> >
> >> > Step 2: Click CastleVille.
> >> >
> >> >
> >> >      Step 3: When you see the Request for Permission page, instead of
> >> >
> >> >
> >> >            clicking “Allow”, change the scope field in the URL from
> your
> >> >            browser from
> >> >  “scope=email%2Cpublish_stream%2Cpublish_actions”
> >> >            to “scope=email%2Cpublish_stream”.
> >> >
> >> >
> >> >      Step 4: After the modification, press ENTER to send the modified
> >> >
> >> >
> >> >            request to Facebook. Now you will see the modified Request
> of
> >> >            Permission page.
> >> >
> >> >
> >> > Step 5: Click on “Allow” button and enjoy the game.
> >> >
> >> >
> >> > (video: http://www.youtube.com/watch?v=zkmjLa3VU9w)
> >> >
> >> >
> >> >
> >> >
> >> >
> >> > Impact
> >> >
> >> >
> >> > Client provides services to malicious User yet with the modified
> service
> >> > agreement scope by User’s design.
> >> >
> >> >
> >> >
> >> >
> >> >
> >> > Manipulating Scope Field
> >> >
> >> >
> >> > The scope field in access token response is required ONLY IF
> >> > Authorization
> >> > Server observes that the User authorized scope is different than the
> >> > original scope. Consequently, User can manipulate the scope field so
> >> > that
> >> > Authorization Server cannot detect the change of the scope. As a
> result
> >> > Client provides the services yet can’t obtain the information that is
> >> > specified in the scope of the original service agreement.
> >> >
> >> >
> >> > Client can verify the service agreement scope by checking all the
> fields
> >> > against the original User request before providing the requested
> >> > services
> >> > to User.  For instance, Client can verify the granted permissions if
> >> > Authorization Server (e.g. Facebook)  provides an API. However, this
> is
> >> > out
> >> > of the scope of OAuth 2.0, and Client may not check it. We observe:
> all
> >> > top
> >> > five games recommended by Facebook are vulnerable to the scope attack.
> >> >
> >> >
> >> >
> >> >
> >> >
> >> > Proposed Fix
> >> >
> >> >
> >> > Draft-ietf-oauth-v2-23 Section 5.1:
> >> >
> >> >
> >> > Change from
> >> >
> >> >
> >> >      “scope
> >> >
> >> >
> >> >               OPTIONAL, if identical to the scope requested by the
> >> > client,
> >> >
> >> >
> >> >               otherwise REQUIRED.”
> >> >
> >> >
> >> > to
> >> >
> >> >
> >> > “scope REQUIRED” /* scope: User authorized scope */
> >> >
> >> >
> >> >
> >> >
> >> >
> >> > Remarks
> >> >
> >> >
> >> > (1) The proof of the correctness of OAuth with our proposed fix will
> be
> >> > published in an article: “OAuth 2.0 – Attacks, Fixes, Correctness, and
> >> > Generalizations, Wenjie Lin, David Lee and Steve Lai, to appear”.
> >> >
> >> >
> >> > (2) The implicit grant is also vulnerable to the scope attack. However
> >> > it
> >> > cannot be fixed by enforcing scope field in access token response as
> >> > above;
> >> > User can change the scope in response before being redirected to
> Client.
> >> >
> >> >
> >> >
> >> >
> >> >
> >> > Wenjie Lin, The Ohio State University
> >> >
> >> >
> >> > David Lee, HP Labs and The Ohio State University
> >> >
> >> >
> >> > Steve Lai, The Ohio State University
> >> > _______________________________________________
> >> > OAuth mailing list
> >> > OAuth@ietf.org
> >> > https://www.ietf.org/mailman/listinfo/oauth
> >> >
> >> >
> >> > _______________________________________________
> >> > OAuth mailing list
> >> > OAuth@ietf.org
> >> > https://www.ietf.org/mailman/listinfo/oauth
> >>
> >
> >
> >
> >
> >
> > _______________________________________________
> > OAuth mailing list
> > OAuth@ietf.org
> > https://www.ietf.org/mailman/listinfo/oauth
> >
>



-- 
Wenjie Lin

v2.23.0 | Report a Bug | By Email