IETF Logo Mail Archive

Re: [OAUTH-WG] proposal of a paragraph to add to the security considerations section

John Bradley <ve7jtb@ve7jtb.com> Tue, 19 June 2012 02:51 UTC

Return-Path: <ve7jtb@ve7jtb.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 44D4911E8080 for <oauth@ietfa.amsl.com>; Mon, 18 Jun 2012 19:51:52 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.238
X-Spam-Level:
X-Spam-Status: No, score=-3.238 tagged_above=-999 required=5 tests=[AWL=-0.240, BAYES_00=-2.599, HTML_MESSAGE=0.001, J_CHICKENPOX_65=0.6, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id L01lL3GSwCox for <oauth@ietfa.amsl.com>; Mon, 18 Jun 2012 19:51:49 -0700 (PDT)
Received: from mail-yw0-f44.google.com (mail-yw0-f44.google.com [209.85.213.44]) by ietfa.amsl.com (Postfix) with ESMTP id 9EAEE21F8512 for <oauth@ietf.org>; Mon, 18 Jun 2012 19:51:49 -0700 (PDT)
Received: by yhq56 with SMTP id 56so4845324yhq.31 for <oauth@ietf.org>; Mon, 18 Jun 2012 19:51:49 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=subject:mime-version:content-type:from:in-reply-to:date:cc :message-id:references:to:x-mailer:x-gm-message-state; bh=lW3px70BKGAKbRtgutgKhOJMrVHx3umsWpoQG68nObE=; b=EDMCybYplzE9HqNb3tJheNuC7cZyB0Ururp7NFek7DhiTe0d+LmxnOCzRNhoAAGyfo dP3I9LUTPIG9ZRjxL2KqClnn1Sc4zJB+Zr0w1T2b+XDXg5iBgKPxos6kXzn5MCw9MdJ6 D/FQNwl0tToBU3JxfD56fLsmsbStBy57JE5KZuHVXUEk4idV8+TD+Eu0i1VD5B6hxT7Z Cuw3bZcOf55VuJDOr0euXmafSeuj+LNq8p+K2CyUPwpBZyTkiCpnoWp9isu8JAUXah2Z U+7ll6ufpa2iKKURJDHcbTck4Or6R6ZI/ptIFSOT/st5kL1d1/Uui4cS8rGk1U8UrQu7 wPag==
Received: by 10.236.75.227 with SMTP id z63mr20734062yhd.27.1340074309053; Mon, 18 Jun 2012 19:51:49 -0700 (PDT)
Received: from [192.168.1.213] (190-20-29-46.baf.movistar.cl. [190.20.29.46]) by mx.google.com with ESMTPS id r45sm72775442yhg.18.2012.06.18.19.51.17 (version=TLSv1/SSLv3 cipher=OTHER); Mon, 18 Jun 2012 19:51:47 -0700 (PDT)
Mime-Version: 1.0 (Apple Message framework v1278)
Content-Type: multipart/signed; boundary="Apple-Mail=_686BA05C-6FCE-4AF9-81DE-93508A50C3C4"; protocol="application/pkcs7-signature"; micalg="sha1"
From: John Bradley <ve7jtb@ve7jtb.com>
In-Reply-To: <82D95BA2-1697-4441-BBB3-B2AE480DC39E@gmail.com>
Date: Mon, 18 Jun 2012 22:50:51 -0400
Message-Id: <ABE3E533-3264-457C-8A57-1DDD6D27D3BA@ve7jtb.com>
References: <854774286EF8A240BACC342973A86EAC016693D6@BL2PRD0310MB387.namprd03.prod.outlook.com> <484A13D0-7C9A-42CC-BB94-3657741834DE@ve7jtb.com> <82D95BA2-1697-4441-BBB3-B2AE480DC39E@gmail.com>
To: Dick Hardt <dick.hardt@gmail.com>
X-Mailer: Apple Mail (2.1278)
X-Gm-Message-State: ALoCoQn+IltzqYYWH1L56BbQhJw/iZIjfBzpbm1RU0aj91iiz9J62liL0upd+8sTrF1NfuvIXhWs
Cc: Yuchen Zhou <t-yuzhou@microsoft.com>, rui wang <wang63@indiana.edu>, Derek Atkins <derek@ihtfp.com>, "oauth@ietf.org" <oauth@ietf.org>, "Shuo Chen (MSR)" <shuochen@microsoft.com>
Subject: Re: [OAUTH-WG] proposal of a paragraph to add to the security considerations section
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 19 Jun 2012 02:51:52 -0000

I can put something together.   

It is mostly a warning about the token substitution attack that any implicit flow is vulnerable to if used for authentication of the presenter.
Otherwise known as why audience restriction is a good thing.

John B.

On 2012-06-18, at 8:20 PM, Dick Hardt wrote:

> John
> 
> Do you have suggested text per your suggestion below?
> 
> -- Dick
> 
> On Jun 18, 2012, at 2:04 PM, John Bradley wrote:
> 
>> I blogged about this in the hypothetical several months ago. http://www.thread-safe.com/2012/01/problem-with-oauth-for-authentication.html
>> 
>> Nov Matake and others built some tests and found quite a number of deployments vulnerable. 
>> http://www.thread-safe.com/2012/02/more-on-oauth-implicit-flow-application.html
>> 
>> The bottom line is that OAuth has no explicit audience restriction for tokens,  hence accepting any token outside of the code flow is subject to attack.
>> 
>> In general it is not a issue for authorization,  it is however a big issue then there is a presumption that the presenter of a token that grants a client access to resource x is the "resource owner" of resource x, when it is possible that the presenter is any client who has ever had a access token for resource x.
>> 
>> We might want to include the why it is insecure in the security consideration,  otherwise people reading the below will likely ignore the advice as it seems on the surface a touch extreme.
>> 
>> There are certainly OAuth flows that allow you to do authentication safely,  just not all of them without additional precautions.
>> 
>> That is why openID Connect has a audience restricted id_token similar to Facebook's signed request to allow the implicit flows to be safely used for authentication.
>> 
>> John B.
>> 
>> 
>> 
>> 
>> On 2012-06-18, at 4:19 PM, Shuo Chen (MSR) wrote:
>> 
>>> Hi OAuth group,
>>>  
>>> This is regarding the recent discussion about an implementation issue of some cloud services using OAuth for authentication.
>>> Derek Atkins and Dick Hardt suggested the possibility to discuss with the group a paragraph to add to the security considerations section.
>>>  
>>> Derek’s suggestion:
>>> ====   ===  ===  ===
>>> >> Perhaps you could boil it down to a paragraph
>>> >> or two for addition to the security considerations section that basically says
>>> >> "beware of implementing it *this* way because it leads to *that* attack vector", etc.
>>> ====   ===  ===  ===
>>>  
>>>  
>>> Here is out suggested text:
>>> ====   ===  ===  ===
>>> It has been observed that in multiple occasions that the server-side
>>> authentication logic takes an access token from the client, then
>>> queries the user's profile data from the IdP in order to
>>> "authenticate" the user. This implementation must be forbidden. It
>>> will allow an untrusted app running on a victim’s client device to
>>> work with an attacker’s device to sign into the victim’s account on the server side.
>>> ====   ===  ===  ===
>>>  
>>>  
>>> Thank you.
>>> -Shuo
>>> p.s. below is the email thread giving a better context of the discussion.
>>>  
>>>  
>>> > -----Original Message-----
>>> > From: Derek Atkins [mailto:derek@ihtfp.com]
>>> > Sent: Monday, June 18, 2012 11:25 AM
>>> > To: Shuo Chen (MSR)
>>> > Cc: Hannes Tschofenig; rui wang; Stephen Farrell; Yuchen Zhou; Derek
>>> > Atkins; Dick Hardt
>>> > Subject: Re: [OAUTH-WG] web sso study...
>>> > 
>>> > Hi,
>>> > 
>>> > "Shuo Chen (MSR)" <shuochen@microsoft.com> writes:
>>> > 
>>> >> Hi Hannes, Derek and Stephen,
>>> >> 
>>> >> Thank you for your replies.
>>> >> 
>>> >>> First, let me ask whether it is OK if I share your post with the
>>> >>> OAuth WG
>>> >> 
>>> >> Yes, please feel free to share it.
>>> >> 
>>> >>> Second, could you describe the attack in more details to me?
>>> >> 
>>> >> Let's consider the mobile+cloud scenario for concreteness (although
>>> >> some other scenarios are also applicable). The attack steps are the
>>> >> following: suppose Alice's tablet runs a Windows 8 Metro app written
>>> >> by attacker Bob. This app is able to request and obtain an access
>>> >> token from the IdP (associated with Alice). The app can then send the
>>> >> access token to Bob's own tablet. Note that there is no security
>>> >> problem up to this point. However the real problem is that some cloud
>>> >> services use the access token to query the user's profile data from
>>> >> the IdP in order to "authenticate" the user. In this case, Bob's
>>> >> tablet will be able to sign into the cloud service as Alice. We have
>>> >> confirmed that the cloud services for Soluto Metro App, Givit Metro
>>> >> App and EuroCup2012 Metro App make this mistake. These are apps in
>>> >> the official Windows 8 App Store. We actually sampled only a small portion of the available apps, but believe this is a vulnerability pattern.
>>> >> 
>>> >> We don’t think there is anything wrong in the OAuth spec. It is
>>> >> developers who didn’t comprehensively understand the usage of the
>>> >> access token. In the meanwhile, this vulnerability pattern is not explicitly excluded by the spec.
>>> >> More importantly, it has been seen in the wild.
>>> >> 
>>> >>> [from Derek's email] Perhaps you could boil it down to a paragraph
>>> >>> or two for
>>> >> addition to the security considerations section that basically says
>>> >> "beware of implementing it *this* way because it leads to *that* attack vector", etc.
>>> >> 
>>> >> This is a great idea. I think that although it is difficult to
>>> >> anticipate in general all kinds of incomprehensive understandings of
>>> >> average developers, it is very worthwhile to take any common existing
>>> >> vulnerability pattern as a precious feedback to improve the
>>> >> specification text. In this case, since we have already seen this
>>> >> vulnerability pattern on multiple services in the wild, certainly we
>>> >> should be explicit about it in the security considerations section.
>>> >> 
>>> >> Our suggested text:
>>> >> 
>>> >> It has been observed that in multiple occasions that the server-side
>>> >> authentication logic takes an access token from the client, then
>>> >> queries the user's profile data from the IdP in order to
>>> >> "authenticate" the user. This implementation must be forbidden. It
>>> >> will allow an untrusted app running on a victim’s client device to
>>> >> work with an attacker’s device to sign into the victim’s account on the server side.
>>> >> 
>>> >> Any questions or suggestions?
>>> > 
>>> > Could you please send this to the oauth@ietf.org mailing list?
>>> > 
>>> >> Thanks a lot.
>>> >> 
>>> >> -Shuo
>>> > 
>>> > -derek
>>> > 
>>> >> -----Original Message-----
>>> >> From: Hannes Tschofenig [mailto:Hannes.Tschofenig@gmx.net]
>>> >> Sent: Friday, June 15, 2012 11:36 AM
>>> >> To: rui wang
>>> >> Cc: Hannes Tschofenig; Stephen Farrell; Shuo Chen (MSR); Yuchen Zhou;
>>> >> Derek Atkins
>>> >> Subject: Re: [OAUTH-WG] web sso study...
>>> >> 
>>> >> Hi Rui,
>>> >> 
>>> >> let me independently respond (in addition to the previous responses
>>> >> you had already gotten).
>>> >> 
>>> >> First, let me ask whether it is OK if I share your post with the
>>> >> OAuth WG since it is more detailed than the one you distributed on the list mid April.
>>> >> 
>>> >> Second, could you describe the attack in more details to me? What I
>>> >> would like to better understand whether this the raised issue is a
>>> >> problem with one of our specifications, with a specific
>>> >> implementation of the IETF OAuth specifications, a problem with other
>>> >> OAuth related work (Facebook, as you know, implements far more than
>>> >> just the IETF OAuth specifications), a violation of the IETF OAuth
>>> >> specification in the way how the Websites use OAuth, whether this is
>>> >> a configuration related aspect, or an aspect we already documented in the threats document.
>>> >> 
>>> >> The reason why I am so specific is to know where to put text to
>>> >> address this issue or whether this is even an issue beyond the IETF
>>> >> OAuth working group and needs to be tackled somewhere else.
>>> >> 
>>> >> Ciao
>>> >> 
>>> >> Hannes
>>> >>
>>> _______________________________________________
>>> OAuth mailing list
>>> OAuth@ietf.org
>>> https://www.ietf.org/mailman/listinfo/oauth
>> 
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth
>

v2.15.0 | Report a Bug | By Email