Re: [OAUTH-WG] End-User Authorization Endpoint is an Open Redirect
"Richer, Justin P." <jricher@mitre.org> Mon, 26 July 2010 12:08 UTC
From: "Richer, Justin P." <jricher@mitre.org>
To: Luke Shepard <lshepard@facebook.com>, Michael D Adams <mike@automattic.com>
Date: Mon, 26 Jul 2010 08:07:06 -0400
Message-ID: <D24C564ACEAD16459EF2526E1D7D605D0D3C09F593@IMCMBX3.MITRE.ORG>
References: <AANLkTimstdtTJLjPF3v3RHd-=ma6irCuUgGiULiGhW4H@mail.gmail.com> <AANLkTinQpAgV8KBEWFtrTB1UgiVs1dnTwVPdL-cScnx6@mail.gmail.com>, <D0061622-4DEB-4374-BF67-F3F45F9951B3@facebook.com>
In-Reply-To: <D0061622-4DEB-4374-BF67-F3F45F9951B3@facebook.com>
Cc: "OAuth WG (oauth@ietf.org)" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] End-User Authorization Endpoint is an Open Redirect
And this is even a bigger potential problem when you combine it with unregistered or dynamically-registered clients, which we know some instances are going to support. In these cases, though, it's hard to trust *any* URL that the client is asking for, even for valid responses.

 -- justin
________________________________________
From: oauth-bounces@ietf.org [oauth-bounces@ietf.org] On Behalf Of Luke Shepard [lshepard@facebook.com]
Sent: Sunday, July 25, 2010 8:19 PM
To: Michael D Adams
Cc: OAuth WG (oauth@ietf.org)
Subject: Re: [OAUTH-WG] End-User Authorization Endpoint is an Open Redirect

This is a great point. Facebook validates that the client_id matches the registered redirect_uri before giving a redirect error. Otherwise, just display a screen directly saying that the app is misconfigured.

Mis-specifying the redirect_uri is the type of error that should normally be caught in development, so there's no need for an official error code for it (since it shouldn't ever happen in production).

We should specify that the provider should only redirect an error code to a known-good location (or at least, a somewhat vetted one) to prevent open redirectors.

On Jul 24, 2010, at 2:23 AM, Michael D Adams wrote:

> The second to last paragraph in section 3 of draft-10 states:
>
>> The authorization server validates the request to ensure all required
>> parameters are present and valid. If the request is invalid, the
>> authorization server immediately redirects the user-agent back to the
>> client using the redirection URI provided with the appropriate error
>> code as described in Section 3.2.
>
> There are a couple of problems here.
>
> 1. What if the client didn't register a redirect_uri and also didn't
> include one in the request? The request is invalid, but there's
> nowhere to redirect the user-agent.
>
> 2. A malicious client can use the end-user authorization endpoint as
> an open redirect by intentionally making an invalid request. For
> example:
>
> End-User Authorization Endpoint: http://service.example.com/oauth/authorize/
> Malicious Site: http://jerk.example.net/
>
> I send a phishing attempt to a user of service.example.com with
> something like the following link in it:
>
> http://service.example.com/oauth/authorize/?redirect_uri=http%3A%2F%2Fjerk.example.net%2Fsteal-your-identity%2F&response_type=haha
>
> The link looks OK at a glance, but clicking on it takes the victim to:
>
> http://jerk.example.net/steal-your-identity/?error=unsupported_response_type
>
> And now I do whatever evil thing I've planned.
>
> Mike
> --mdawaffe
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
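The two behaviours discussed in this thread, side by side, as an added example that is not part of the mailing-list exchange or of any draft text: `draft10_authorize` models the draft-10 paragraph Mike quotes (an invalid request is bounced to whatever `redirect_uri` the request carried, which is the open redirector), and `hardened_authorize` models the check Luke describes (resolve `client_id` to a registered client and match `redirect_uri` against its registered value by exact string comparison before any redirect-based error; otherwise render the error on the authorization server's own page). The client registry, the `client_id` value and the supported `response_type` set are constructed for the example; the phishing query string is the one from Mike's message.

```python
from urllib.parse import parse_qs, urlencode, urlsplit, urlunsplit

# Constructed client registry for the example (not from the thread): one
# registered client with exactly one registered redirection URI.
REGISTERED_CLIENTS = {
    "s6BhdRkqt3": {"redirect_uris": frozenset({"https://client.example.org/cb"})},
}
# Constructed for the example; draft-10 defined more response types than these.
SUPPORTED_RESPONSE_TYPES = frozenset({"code", "token"})


def _params(query):
    """Flatten a query string to a dict of single values (first value wins)."""
    return {k: v[0] for k, v in parse_qs(query, keep_blank_values=True).items()}


def _redirect_with_error(redirect_uri, error, state=None):
    """Append error (and the echoed state, if any) to the URI's existing query."""
    parts = urlsplit(redirect_uri)
    extra = {"error": error}
    if state is not None:
        extra["state"] = state
    query = parts.query + ("&" if parts.query else "") + urlencode(extra)
    location = urlunsplit((parts.scheme, parts.netloc, parts.path, query, parts.fragment))
    return {"action": "redirect", "location": location}


def _render_error(reason):
    """Report the problem on the authorization server's own page; no redirect."""
    return {"action": "render_error", "reason": reason}


def _validate_request(p):
    """Return an error code for a malformed request, or None if it is well formed."""
    if p.get("response_type") not in SUPPORTED_RESPONSE_TYPES:
        return "unsupported_response_type"
    if "client_id" not in p:
        return "invalid_request"
    return None


def draft10_authorize(query):
    """Open-redirector behaviour as the quoted draft-10 text reads: any invalid
    request is redirected to whatever redirect_uri the request itself carried."""
    p = _params(query)
    error = _validate_request(p)
    if error is None:
        return {"action": "prompt_user", "client_id": p["client_id"]}
    if "redirect_uri" in p:
        return _redirect_with_error(p["redirect_uri"], error, p.get("state"))
    return _render_error(error)  # Mike's problem 1: nowhere to redirect to


def hardened_authorize(query):
    """Establish a vetted redirect target before any redirect-based error."""
    p = _params(query)
    client = REGISTERED_CLIENTS.get(p.get("client_id"))
    if client is None:
        return _render_error("unknown or missing client_id")
    redirect_uri = p.get("redirect_uri")
    if redirect_uri is None:
        # Fall back to the registered URI only when it is unambiguous.
        if len(client["redirect_uris"]) != 1:
            return _render_error("redirect_uri required for this client")
        redirect_uri = next(iter(client["redirect_uris"]))
    elif redirect_uri not in client["redirect_uris"]:
        # Exact string match: no prefix, substring or host-only comparison.
        return _render_error("redirect_uri does not match registered value")
    # Only now is it safe to report errors by redirect.
    error = _validate_request(p)
    if error is not None:
        return _redirect_with_error(redirect_uri, error, p.get("state"))
    return {"action": "prompt_user", "client_id": p["client_id"],
            "redirect_uri": redirect_uri}


# Mike's phishing link from the quoted message: no client_id, attacker-chosen
# redirect_uri, deliberately bogus response_type.
PHISHING_QUERY = ("redirect_uri=http%3A%2F%2Fjerk.example.net%2Fsteal-your-identity%2F"
                  "&response_type=haha")

if __name__ == "__main__":
    print("draft-10 :", draft10_authorize(PHISHING_QUERY))
    print("hardened :", hardened_authorize(PHISHING_QUERY))
```

With the draft-10 logic the phishing query produces a redirect to `http://jerk.example.net/steal-your-identity/?error=unsupported_response_type`, exactly the URL Mike shows; the hardened handler never redirects because there is no registered client to vet the target against. The same ordering also answers Mike's first problem: a request with neither a registered nor a supplied `redirect_uri` has no trustworthy target, so the error is shown in place rather than redirected anywhere.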