IETF Logo Mail Archive

Re: [OAUTH-WG] A Scope Attack against OAuth 2.0

William Mills <wmills@yahoo-inc.com> Sun, 19 February 2012 04:34 UTC

Return-Path: <wmills@yahoo-inc.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0ABC011E808D for <oauth@ietfa.amsl.com>; Sat, 18 Feb 2012 20:34:59 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -17.398
X-Spam-Level:
X-Spam-Status: No, score=-17.398 tagged_above=-999 required=5 tests=[AWL=0.200, BAYES_00=-2.599, HTML_MESSAGE=0.001, USER_IN_DEF_WHITELIST=-15]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id aWLstpam0IaR for <oauth@ietfa.amsl.com>; Sat, 18 Feb 2012 20:34:57 -0800 (PST)
Received: from nm25-vm0.bullet.mail.sp2.yahoo.com (nm25-vm0.bullet.mail.sp2.yahoo.com [98.139.91.228]) by ietfa.amsl.com (Postfix) with SMTP id 36C5911E808C for <oauth@ietf.org>; Sat, 18 Feb 2012 20:34:57 -0800 (PST)
Received: from [98.139.91.64] by nm25.bullet.mail.sp2.yahoo.com with NNFMP; 19 Feb 2012 04:34:54 -0000
Received: from [98.139.91.22] by tm4.bullet.mail.sp2.yahoo.com with NNFMP; 19 Feb 2012 04:34:54 -0000
Received: from [127.0.0.1] by omp1022.mail.sp2.yahoo.com with NNFMP; 19 Feb 2012 04:34:54 -0000
X-Yahoo-Newman-Property: ymail-3
X-Yahoo-Newman-Id: 519360.57225.bm@omp1022.mail.sp2.yahoo.com
Received: (qmail 67396 invoked by uid 60001); 19 Feb 2012 04:34:53 -0000
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo-inc.com; s=ginc1024; t=1329626093; bh=oH8FErEir6Mwqp1vmy+uHWKRHQDVso1nGYOD/wpJsYc=; h=X-YMail-OSG:Received:X-RocketYMMF:X-Mailer:References:Message-ID:Date:From:Reply-To:Subject:To:Cc:In-Reply-To:MIME-Version:Content-Type; b=SU51PdvBsi0nlBj+6CGuJkgfMIy9EvJf51I9Oae3mGBga0Ru4E180nn7CBv+CcbklxVGLLDoAkgKe3uS+UNm8tSxnv/e7RkcHLvxDwWBV/KXWy1yn/Vmt3l48XDv8RySfjTz+SjgIMEzS/pB7BAZaEFpqo3QMNgCOf+MOgieA0I=
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=ginc1024; d=yahoo-inc.com; h=X-YMail-OSG:Received:X-RocketYMMF:X-Mailer:References:Message-ID:Date:From:Reply-To:Subject:To:Cc:In-Reply-To:MIME-Version:Content-Type; b=bYTKH9VJboZ4ahdRwezp27rKmfWFUAHWD+z/u3SZKYZdtYXy65Q9NSGtCC28u5HWnog5HoCaMIPwWoyPB/7y02la3fYvKT05ASy8x/MdqM9jPYjXxbUNba2msRNIq9t8CUeToBp4Kly8nyuGlJzmxazsQkyHe3az6PsQY0HaHh8=;
X-YMail-OSG: yRRXVNgVM1lMRVznFYP_VtUuZagZKaG7noxAMA5PWgxgYcF FGYtq034H7Z9gaNoQJVmYHPvCkuM8VGbHX60mNSg5I.V06WvJMwZkpX21iEg zsaMMTkk0HdEOZ6.Vj8cfI0WdN7gAvhNbwMPlq9Zrg7LXqb0xdzcA1WMV13T LUU0WemD6ZHQ2Ns49.DqRL0G9lnH_Hb0WnmlVvYqambohtuz4I58xSaqDEWV X5dqgzH1Ws52wFWbm06jJPLzN4bIyzyi0PtiLEcVuMRZFkKKeY.4uRrRPItC _BQYwbUcs9L1PJYTtnBXZoPxhiGIpJQQqhe1gXRkFAD3VYE90Yw05.vsA3Gp 3bhGlRGObxEuEnkGkIv57LuTNQjsRkLUEQ0fn_y78q11tFEUytTGd_dnDl4h 7LbNScxU8eWCplwIn8.K.FGsmiBu5.6zuITA79v9ey9Juu8D5oB1FEoyTod6 7jz5_RNZgwYuQSkJPZ6aL2uW9LdvlyMpZuPZqEgJT6rR4rjdUZ067VwAp9Oi N1EcKZUUnjuPimOB._PmExRf5B9xx9P_i3.KHRpjFT05UWixMwN0KcJY-
Received: from [99.31.212.42] by web31804.mail.mud.yahoo.com via HTTP; Sat, 18 Feb 2012 20:34:53 PST
X-RocketYMMF: william_john_mills
X-Mailer: YahooMailWebService/0.8.117.340031
References: <CAGmQQ9eorSS8jWgHZzw_Bq6Eb4Qj+fZ0NUuQx_KJwC_rasUCnA@mail.gmail.com> <OF7789D618.84BDC5CF-ON4A2579A8.0023CB58-4A2579A8.0024278F@au1.ibm.com> <5D97D44A-FF8A-4E67-B22D-FB6019162800@ve7jtb.com> <CAGmQQ9fA6DT=-uBZUFgB=Kz6zr=eGSQUUp6X0w1QyD=O0wZy5Q@mail.gmail.com>
Message-ID: <1329626093.59538.YahooMailNeo@web31804.mail.mud.yahoo.com>
Date: Sat, 18 Feb 2012 20:34:53 -0800
From: William Mills <wmills@yahoo-inc.com>
To: Wenjie Lin <lin.820@osu.edu>, John Bradley <ve7jtb@ve7jtb.com>
In-Reply-To: <CAGmQQ9fA6DT=-uBZUFgB=Kz6zr=eGSQUUp6X0w1QyD=O0wZy5Q@mail.gmail.com>
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="835683298-1479337183-1329626093=:59538"
Cc: "oauth@ietf.org (oauth@ietf.org)" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] A Scope Attack against OAuth 2.0
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
Reply-To: William Mills <wmills@yahoo-inc.com>
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 19 Feb 2012 04:34:59 -0000

So, I think what you are pointing out is an operability flaw rather than a security one.  It is possible that the client will be issued a token that does not have the permissions it expects, and the only way for the client to determine this in a guaranteed fashion is to do an operation and see a failure.

The question then is, does this warrant a MUST rather than SHOULD.  The server may issue a more privileged token for example.  From the scope name there's no way for the client to actually resolve the scope name to privilege, so even if the server provides the scope we might have the same problem.

There are current usages in comaparable systems where an unscoped token implies no restriction.  The semantics of scope names here have intentionally been left fuzzy.  It's a significant change to try to fix this problem, but the questionis whether it's worth it?  I doubt that will get it right in a way that people will agree with, I don't think you proposed change is sufficient to resolve the problem.

Would it be sifficient to call it out as an implementors note or a nota bene type editorial comment?

-bill




________________________________
 From: Wenjie Lin <lin.820@osu.edu>
To: John Bradley <ve7jtb@ve7jtb.com> 
Cc: "oauth@ietf.org (oauth@ietf.org)" <oauth@ietf.org> 
Sent: Saturday, February 18, 2012 8:18 PM
Subject: Re: [OAUTH-WG] A Scope Attack against OAuth 2.0
 

We appreciate your attention and response to our report.
 
Since Authorization Server obtains the scope information ONLY from User, it can’t tell whether the issued access token scope  is different from the one requested by Client, so long as User is consistently sending the same altered scope information to Authorization Server. Consequently, as an Option, Authorization Server may choose not to include the scope response parameter to inform Client of the actual scope granted, and that results in the scope attack. This is a protocol issue and is not an implementation issue; one can come up with an implementation that is compliant with the protocol specification yet with a scope attack.
 
One may argue that we only care about User protection and security. Consequently, scope attack is apparently not a protocol security issue. However, it would significantly limit the applicability of the protocol, if Client is knowingly exposed to attacks. We need Client protection and security as well in applications, for instance, cloud services.
 
Scope attack can be easily fixed. One can simply make it Required that Authorization Server MUST include the scope response parameter to inform Client of the actual scope granted, as we have proposed for your consideration.
 
OAuth 2.0 is a sound protocol design. We prove the security properties (for both User and Client) and scope attack is an issue we’ve got stuck in the proof.
 
- W. Lin and D. Lee

On Sat, Feb 18, 2012 at 2:47 PM, John Bradley <ve7jtb@ve7jtb.com> wrote:

I agree that it is not a protocol problem.
>
>The problem is that some developers are not understanding the spec.
>
>One case I saw recently was a proposal to send a scope to the Authorization endpoint that changed is authentication behaviour e.g. ask for mlti-factor authentication.
>
>On a superficial reading of the spec they thought that not getting a changed set of scopes back in the response that the Authorization server was indicating that it had done what was asked.
>
>When I pointed out that the user agent can remove scopes because requests are not signed,  they had a similar solution of forcing all the endpoints to always return the scopes granted.
>
>I hope I talked them out of that.
>
>The problem is getting people to use scopes to represent resources and not other arbitrary configuration things,  and to understand that even if they do get a scope granted it could disappear before they get to use the access token and they need to be prepared for that.
>
>The premise that users get access to y for access to x is something that can be built with OAuth but is not something that can be inferred in the way they are proposing.
>
>From my perspective replying with granted scopes is a convince for the client, but not something that can be depended upon.
>I don't think we need any normative change.
>
>A don't make stupid assumptions about the persistence of scopes in tokens note would be as far as I would go.
>
>John B.
>
>
>On 2012-02-18, at 3:34 AM, Shane B Weeden wrote:
>
>> I agree with others - this is not an attack on the protocol. The user has
>> the choice about which scope to grant and the client's redirect to the
>> authorization endpoint is only a request for a particular set of
>> permissions, not a guarantee that it will get them. The user+authorization
>> server decide which scope is actually granted. The client needs to handle
>> cases where that differs from what it originally wanted.
>>
>>
>>
>>
>> From: Wenjie Lin <lin.820@osu.edu>
>> To:   oauth@ietf.org
>> Date: 18/02/2012 12:12 PM
>> Subject:      [OAUTH-WG] A Scope Attack against OAuth 2.0
>> Sent by:      oauth-bounces@ietf.org
>>
>>
>>
>> We describe an attack on OAuth 2.0 (draft-ietf-oauth-v2-23), called scope
>> attack, provide a live-demo of the attack on Facebook, and propose a fix
>> with discussions.
>>
>>
>>
>>
>>
>> Scope Attack
>>
>>
>> OAuth authorization of services is associated with service agreement scope.
>> For instance, Client provides an online game to User with a service
>> agreement scope A: User authorizes Client to access his profile information
>> and to post messages on his behalf. A malicious User can request for online
>> game with service agreement scope A, manipulate the scope field, and change
>> it to scope B: User authorizes Client to access his profile information.
>> User can still play the games,  yet Client can’t post messages on User’s
>> behalf, as originally agreed.
>>
>>
>> OAuth 2.0 authorization code grant and implicit grant are vulnerable to the
>> scope attack.
>>
>>
>>
>>
>>
>> A Scope Attack Scenario
>>
>>
>> (1) Authorization Server: Facebook (authorization code grant)
>>
>>
>>      (2) Client: Online gaming company Game. It allows User to play the
>>      games with the service agreement scope A: User authorizes Game to
>>      access his profile information and post messages on his behalf.
>>
>>
>>      (3) User: malicious User with an account at Facebook. He attempts to
>>      play the games yet without authorizing Game to post messages on his
>>      behalf, that is, he changes the scope from A to B: authorization of
>>      Client to access his profile information only.
>>
>>
>>
>>
>>
>> Attack Workflow
>>
>>
>>        (1) User requests Game (Client) for permission to play games,
>>        instantiating OAuth 2.0 with scope A.
>>
>>
>>        (2) Game generates an authorization request with a scope
>>        specification A, and redirects User to Facebook with the request.
>>
>>
>>        (3) User manipulates the scope field and changes it to scope B. The
>>        modified request is then sent to Facebook.
>>
>>
>>        (4) User grants the modified request.
>>
>>
>>        (5) Facebook redirects User back to Game with the authorization
>>        code.
>>
>>
>>        (6) Game exchanges the authorization code for an access token.
>>        However it has no knowledge that the scope A has been changed to
>>        scope B.
>>
>>
>>        (7) Game provides online gaming service to User. However, Game
>>        can’t post messages on User’s Facebook page.
>>
>>
>>
>>
>>
>> A Live-Demo: Facebook and CastleVille (IE and Safari tested)
>>
>>
>>      Step 1: Login Facebook and visit Facebook Apps and Game page
>>
>>
>>      https://www.facebook.com/games
>>
>>
>> Step 2: Click CastleVille.
>>
>>
>>      Step 3: When you see the Request for Permission page, instead of
>>
>>
>>            clicking “Allow”, change the scope field in the URL from your
>>            browser from  “scope=email%2Cpublish_stream%2Cpublish_actions”
>>            to “scope=email%2Cpublish_stream”.
>>
>>
>>      Step 4: After the modification, press ENTER to send the modified
>>
>>
>>            request to Facebook. Now you will see the modified Request of
>>            Permission page.
>>
>>
>> Step 5: Click on “Allow” button and enjoy the game.
>>
>>
>> (video: http://www.youtube.com/watch?v=zkmjLa3VU9w)
>>
>>
>>
>>
>>
>> Impact
>>
>>
>> Client provides services to malicious User yet with the modified service
>> agreement scope by User’s design.
>>
>>
>>
>>
>>
>> Manipulating Scope Field
>>
>>
>> The scope field in access token response is required ONLY IF Authorization
>> Server observes that the User authorized scope is different than the
>> original scope. Consequently, User can manipulate the scope field so that
>> Authorization Server cannot detect the change of the scope. As a result
>> Client provides the services yet can’t obtain the information that is
>> specified in the scope of the original service agreement.
>>
>>
>> Client can verify the service agreement scope by checking all the fields
>> against the original User request before providing the requested services
>> to User.  For instance, Client can verify the granted permissions if
>> Authorization Server (e.g. Facebook)  provides an API. However, this is out
>> of the scope of OAuth 2.0, and Client may not check it. We observe: all top
>> five games recommended by Facebook are vulnerable to the scope attack.
>>
>>
>>
>>
>>
>> Proposed Fix
>>
>>
>> Draft-ietf-oauth-v2-23 Section 5.1:
>>
>>
>> Change from
>>
>>
>>      “scope
>>
>>
>>               OPTIONAL, if identical to the scope requested by the client,
>>
>>
>>               otherwise REQUIRED.”
>>
>>
>> to
>>
>>
>> “scope REQUIRED” /* scope: User authorized scope */
>>
>>
>>
>>
>>
>> Remarks
>>
>>
>> (1) The proof of the correctness of OAuth with our proposed fix will be
>> published in an article: “OAuth 2.0 – Attacks, Fixes, Correctness, and
>> Generalizations, Wenjie Lin, David Lee and Steve Lai, to appear”.
>>
>>
>> (2) The implicit grant is also vulnerable to the scope attack. However it
>> cannot be fixed by enforcing scope field in access token response as above;
>> User can change the scope in response before being redirected to Client.
>>
>>
>>
>>
>>
>> Wenjie Lin, The Ohio State University
>>
>>
>> David Lee, HP Labs and The Ohio State University
>>
>>
>> Steve Lai, The Ohio State University
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth
>>
>>
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth
>
>




_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth

v2.23.0 | Report a Bug | By Email