Re: [OAUTH-WG] web sso study...

William Mills <wmills@yahoo-inc.com> Tue, 17 April 2012 15:59 UTC

References: <4F8D8208.5040001@cs.tcd.ie> <E459D26C-7FD4-4AEF-9307-FA7A9BD0EE5A@ve7jtb.com>
Message-ID: <1334678364.98662.YahooMailNeo@web31808.mail.mud.yahoo.com>
Date: Tue, 17 Apr 2012 08:59:24 -0700
From: William Mills <wmills@yahoo-inc.com>
To: John Bradley <ve7jtb@ve7jtb.com>, Stephen Farrell <stephen.farrell@cs.tcd.ie>
In-Reply-To: <E459D26C-7FD4-4AEF-9307-FA7A9BD0EE5A@ve7jtb.com>
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="258328648-1156706518-1334678364=:98662"
Cc: "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] web sso study...

Yeah, we encountered this problem doing a binding between FB and other accounts. We found that FB actually used a valid browser cookie rather than serving back the needed auth page we wanted for the user. We had to work around this by calling their un-CSRF-protected sign-out link first.


It's a very real, very bad problem.

-bill




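Bill's workaround acts on the IdP side (force a fresh login before linking). An account-linking callback also needs a client-side check: an OAuth 2 client that accepts any callback into the current browser session can have a different provider account linked than the one the user expected, and the standard defence is the CSRF-binding `state` parameter of RFC 6749 section 10.12. The following is an added example, not code from Yahoo, Facebook or the OAuth working group; the authorization endpoint, client identifier, redirect URI and the server-side session dictionary are hypothetical placeholders.

```python
"""Account-linking callback hardened with a session-bound, single-use state.

Added example, not code from Yahoo, Facebook or the OAuth WG. Provider
endpoint, client_id, redirect_uri and the session store are placeholders.
"""
import hmac
import secrets
import time
from typing import Optional
from urllib.parse import parse_qs, urlencode

AUTHORIZE_URL = "https://idp.example/oauth/authorize"  # hypothetical IdP
CLIENT_ID = "example-client-id"                          # hypothetical
REDIRECT_URI = "https://rp.example/link/callback"        # hypothetical
STATE_TTL = 600  # seconds a pending link request stays valid


class LinkError(Exception):
    """Raised for any callback that must not be accepted."""


def begin_link(session: dict, now: Optional[float] = None) -> str:
    """Start a link flow: mint a fresh state, bind it to the server-side
    session of this browser, and return the URL to redirect the user to."""
    now = time.time() if now is None else now
    state = secrets.token_urlsafe(32)
    # Only the browser holding this session cookie can later present a
    # callback carrying this state; one pending link per session.
    session["pending_link"] = {"state": state, "issued": now}
    return AUTHORIZE_URL + "?" + urlencode({
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": "email",
        "state": state,
    })


def handle_callback(session: dict, query_string: str,
                    now: Optional[float] = None) -> str:
    """Validate the IdP's redirect back to REDIRECT_URI and return the
    authorization code to exchange. Raises LinkError on any mismatch.

    A callback whose state was not minted in *this* session is rejected,
    so a code obtained by someone else (bound to their IdP account) cannot
    be delivered into a victim's link flow.
    """
    now = time.time() if now is None else now
    params = {k: v[0] for k, v in
              parse_qs(query_string, keep_blank_values=True).items()}
    # Consume the pending request whether or not validation succeeds:
    # the state is single use, so a replayed callback fails below.
    pending = session.pop("pending_link", None)
    if pending is None:
        raise LinkError("no link flow in progress for this session")
    if now - pending["issued"] > STATE_TTL:
        raise LinkError("link request expired")
    received = params.get("state", "")
    if not hmac.compare_digest(received, pending["state"]):
        raise LinkError("state mismatch: callback not bound to this session")
    if "error" in params:
        raise LinkError("idp returned error: " + params["error"])
    code = params.get("code")
    if not code:
        raise LinkError("callback carries no authorization code")
    return code


if __name__ == "__main__":
    sess = {}
    print(begin_link(sess))
    st = sess["pending_link"]["state"]
    print(handle_callback(sess, "code=SplxlOBeZQQYbYS6WxSbIA&state=" + st))
```

The state check binds the callback to the browser that started the flow; it does not tell the client which IdP account the user ended up linking. If the IdP completes the redirect silently off an existing cookie, as Bill saw, the client still has to show the user the linked provider identity before treating the binding as confirmed, or force a fresh IdP login as the sign-out workaround did.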
>________________________________
> From: John Bradley <ve7jtb@ve7jtb.com>
>To: Stephen Farrell <stephen.farrell@cs.tcd.ie> 
>Cc: "oauth@ietf.org" <oauth@ietf.org> 
>Sent: Tuesday, April 17, 2012 7:57 AM
>Subject: Re: [OAUTH-WG] web sso study...
> 
>I posted to my blog about a significant implementation flaw made by people using Facebook's OAuth 2 implementation.
>
>I understand that Facebook is fixing it in their own code, but many clients are exploitable.
>
>For those interested.
>http://www.thread-safe.com/2012/04/followup-on-oauth-facebook-login.html
>
>The flaw is not in the spec but in implementations.
>
>John B.
>
>On 2012-04-17, at 4:45 PM, Stephen Farrell wrote:
>
>> 
>> Hi all,
>> 
>> A recent news article [1] was brought to my attention this week
>> that's about a paper [2] which I've just read. While it mostly
>> deals with implementation and integration flaws, I'm wondering
>> if there's anything in there that could benefit any of the
>> oauth drafts. Anyone had a look at that already?
>> 
>> Be interesting if any similar analysis has been done on any
>> oauth 1.0 or 2.0 sites or implementations.
>> 
>> Ta,
>> S.
>> 
>> [1] http://www.itbusiness.ca/it/client/en/CDN/News.asp?id=66741
>> [2] https://research.microsoft.com/pubs/160659/websso-final.pdf
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth