[Openid-specs-ab] OAuth implementation vulnerability

John Bradley ve7jtb at ve7jtb.com
Wed May 15 07:15:38 UTC 2013


The attack seems to be about using CSRF to link an account rather than the normal login. I need to look at it some more, but I guess the account linking code taking a POST without CSRF protection is the underlying cause. The Connect state and nonce would not be able to stop this as Connect is triggered by the POST before the Connect flow.


On 2013-05-15, at 8:20 AM, Mike Jones <Michael.Jones at microsoft.com> wrote:

> Can you propose concise security considerations text about the issues identified in the post?   I’m almost done applying the changes agreed to in Mountain View to the specs, so the timing of adding this would be good, in terms of letting people review the text before we publish the Implementer’s Drafts.
>  
>                                                             -- Mike
>  
> From: openid-specs-ab-bounces at lists.openid.net [mailto:openid-specs-ab-bounces at lists.openid.net] On Behalf Of Nat Sakimura
> Sent: Tuesday, May 14, 2013 6:33 PM
> To: openid-specs-ab at lists.openid.net
> Subject: [Openid-specs-ab] OAuth implementation vulnerability
>  
> You guys probably knew it, but it is a good read.
>  
> http://webstersprodigy.net/2013/05/09/common-oauth-issue-you-can-use-to-take-over-accounts/
>  
> BTW, perhaps we should add x-frame-options to the spec?
> Also, some tightening up in the security considerations? 
>  
> I know that this is really an implementation issue, but the magnitude of the attack's success makes me think that perhaps it is a good idea to mention them at least. I am probably the one who wants to finish the spec the most...
>  
> -- 
> Nat Sakimura (=nat)
> Chairman, OpenID Foundation
> http://nat.sakimura.org/
> @_nat_en
> _______________________________________________
> Openid-specs-ab mailing list
> Openid-specs-ab at lists.openid.net
> http://lists.openid.net/mailman/listinfo/openid-specs-ab
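As an added illustration of the point made above (not code from the thread, the linked write-up, or any OpenID specification), the sketch below shows where an RP has to put each check: a per-session CSRF token on the POST that starts account linking, X-Frame-Options on the page that carries the button, and state/nonce only on the later callback. The class, endpoint shape, in-memory session store and `op.example` URL are hypothetical, and ID token signature verification is assumed to happen elsewhere.

```python
import hmac
import secrets


class LinkAccountHandler:
    """Hypothetical RP 'link an external account' flow (constructed example)."""

    def __init__(self):
        # In-memory stand-in for a server-side session store: sid -> session dict.
        self.sessions = {}

    def new_session(self, user_id):
        sid = secrets.token_urlsafe(16)
        self.sessions[sid] = {"user": user_id, "csrf": secrets.token_urlsafe(32)}
        return sid

    def render_link_form(self, sid):
        # The page carrying the "link account" button: embeds the per-session
        # CSRF token and refuses to be framed (the X-Frame-Options point above).
        return {"csrf_token": self.sessions[sid]["csrf"],
                "headers": {"X-Frame-Options": "DENY"}}

    def begin_link(self, sid, form):
        """POST /link: the step a cross-site request would target. The CSRF check
        has to live here, because state and nonce are only minted after this point."""
        sess = self.sessions.get(sid)
        if sess is None:
            return {"status": 401}
        if not hmac.compare_digest(form.get("csrf_token", ""), sess["csrf"]):
            return {"status": 403, "error": "missing or bad CSRF token"}
        state, nonce = secrets.token_urlsafe(16), secrets.token_urlsafe(16)
        sess["pending_link"] = {"state": state, "nonce": nonce}
        return {"status": 302,
                "redirect": f"https://op.example/authorize?state={state}&nonce={nonce}"}

    def finish_link(self, sid, query, id_token_claims):
        """Redirect-URI callback. id_token_claims is assumed to come from an
        ID token whose signature was already verified elsewhere (hypothetical)."""
        sess = self.sessions.get(sid)
        pending = sess.pop("pending_link", None) if sess else None
        if pending is None:
            return {"status": 400, "error": "no link in progress"}
        # state ties the callback to the session that started it; nonce ties the
        # ID token to that same request. Neither covers the initiating POST above.
        if not hmac.compare_digest(query.get("state", ""), pending["state"]):
            return {"status": 400, "error": "state mismatch"}
        if not hmac.compare_digest(id_token_claims.get("nonce", ""), pending["nonce"]):
            return {"status": 400, "error": "nonce mismatch"}
        sess["linked_sub"] = id_token_claims["sub"]
        return {"status": 200, "linked_sub": sess["linked_sub"]}
```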
