Does OAuth security vulnerability affect OpenID/OAuth hybrid?

Allen Tom atom at yahoo-inc.com
Wed May 13 05:06:30 UTC 2009


Hi Luke,

I don't think there's a session fixation issue with Hybrid, but I 
believe that several individuals raised concerns regarding auto-approval 
of OAuth tokens using regular OAuth, which is essentially the same thing 
as checkid_immediate mode in Hybrid.

Is there really a reason why an RP would need the OAuth token returned 
in a checkid_immediate response if the user had previously authorized 
one on an earlier visit?

Allen


Luke Shepard wrote:
> (hijacking thread a bit)
>
> Allen-
>
> If I understand it correctly, the OAuth security issue doesn't affect 
> the hybrid spec in the same way.
>
> With the OAuth session fixation vulnerability, the problem comes if 
> the attacker does the following:
>
>    1. Request a request token by pretending to request access
>    2. Force the user to go to a url using that request token
>    3. Muah! Calculate what the return_to url would have been, and use
>       the pre-known request token to gain access to the user's account
>       info.
>
>
> In the OAuth hybrid flow, there is no pre-registered request token; 
> instead, the token is returned, securely, in the URL. It is protected 
> by the fact that OpenID requires the realm to match the return_to, and 
> many providers can require that the OAuth request realm also match the 
> OpenID realm. In this flow, there's no way for the attacker to 
> intercept the request_token before it makes its way back to the 
> correct user.
>
> Perhaps the problem is more subtle than I understood, but I just want 
> to make sure I'm clear on the issues.
>
> On 5/12/09 9:48 PM, "Allen Tom" <atom at yahoo-inc.com> wrote:
>
>     Hi Nat,
>
>     Here you go:
>
>     http://step2.googlecode.com/svn/spec/openid_oauth_extension/latest/openid_oauth_extension.html
>
>     We might need to revise the spec to not support checkid_immediate for
>     the Hybrid flow, because auto-issuing OAuth access tokens is probably a
>     bad thing, in light of the recent OAuth security issue.
>
>     Allen
>
>     Nat Sakimura wrote:
>     > Hi.
>     >
>     > Where can I find the most current version of OpenID / OAuth
>     hybrid spec draft?
>     > I would like to look at it to see if I can borrow as much from the
>     > draft for what I am thinking right now.
>     >
>     >  
>
>     _______________________________________________
>     specs mailing list
>     specs at openid.net
>     http://openid.net/mailman/listinfo/specs
>
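As an added illustration of the realm-based protection Luke describes above (example code written for this page, not code from the thread or from the Step2 hybrid spec): an OpenID 2.0 check that return_to fits the realm (section 9.2 of the spec), plus the two provider-side policies the thread mentions, requiring the OAuth consumer's registered realm to equal the OpenID realm and refusing to issue tokens on checkid_immediate. The consumer registry, the consumer key and all URLs are constructed sample values.

```python
from urllib.parse import urlsplit

# Constructed registry: OAuth consumer key -> realm registered for that consumer.
# This mapping is an assumption of the example, not something the hybrid spec defines.
CONSUMER_REALMS = {"example-consumer-key": "http://*.example.com/"}


def _port(u):
    # Explicit port, else the scheme default, so ":80" and no port compare equal.
    return u.port or {"http": 80, "https": 443}.get(u.scheme)


def return_to_matches_realm(return_to, realm):
    """OpenID 2.0 realm matching: same scheme and port, same host (or a
    sub-domain when the realm host starts with '*.'), and a return_to path
    equal to the realm path or a sub-directory of it. Realms carry no fragment."""
    rt, rl = urlsplit(return_to), urlsplit(realm)
    if rl.fragment or rt.scheme != rl.scheme or _port(rt) != _port(rl):
        return False
    rt_host, rl_host = (rt.hostname or "").lower(), (rl.hostname or "").lower()
    if rl_host.startswith("*."):
        base = rl_host[2:]
        if rt_host != base and not rt_host.endswith("." + base):
            return False
    elif rt_host != rl_host:
        return False
    rt_path, rl_path = rt.path or "/", rl.path or "/"
    if not rl_path.endswith("/"):
        rl_path += "/"  # compare whole path segments: /app must not admit /application
    return rt_path == rl_path.rstrip("/") or rt_path.startswith(rl_path)


def hybrid_request_allowed(params):
    """Provider-side gate before a request token is attached to a hybrid
    authentication response. Returns True only for a checkid_setup request
    whose return_to fits the realm and whose OAuth consumer is registered
    for exactly that realm, so the token can only travel back to that RP."""
    if params.get("openid.mode") != "checkid_setup":
        return False  # no auto-issued tokens via checkid_immediate, as the thread proposes
    return_to = params.get("openid.return_to", "")
    realm = params.get("openid.realm", return_to)  # realm defaults to return_to
    if not return_to_matches_realm(return_to, realm):
        return False
    return CONSUMER_REALMS.get(params.get("openid.oauth.consumer")) == realm
```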


