[Openid-specs-ab] OAuth implementation vulnerability
Matias Woloski
matiasw at gmail.com
Wed May 15 12:32:10 UTC 2013
I wonder if you can mention something about how the id_token could be used
as a CSRF token when doing a POST, either by XHR or through a <form>. If
Stackexchange had used OpenID Connect (for their own login), they could
have used the id_token on every call (like account linking) instead of just
relying on cookies. Even more, by using id_tokens in the Authorization
header you could do CORS without having to mess with cookies and cross
domains.
In short, OpenID Connect won't prevent the attack from happening, but a nice
side effect of using such an "architecture" is a more secure solution across
the board.
On Wed, May 15, 2013 at 4:15 AM, John Bradley <ve7jtb at ve7jtb.com> wrote:
> The attack seems to be about using CSRF to link an account rather than the
> normal login. I need to look at it some more, but I guess the account
> linking code taking a POST without CSRF protection is the underlying cause.
> The Connect state and nonce would not be able to stop this as Connect is
> triggered by the Post before the Connect flow.
>
>
> On 2013-05-15, at 8:20 AM, Mike Jones <Michael.Jones at microsoft.com> wrote:
>
> Can you propose concise security considerations text about the issues
> identified in the post? I'm almost done applying the changes agreed to in
> Mountain View to the specs, so the timing of adding this would be good, in
> terms of letting people review the text before we publish the Implementer's
> Drafts.
>
> -- Mike
>
> From: openid-specs-ab-bounces at lists.openid.net [mailto:openid-specs-ab-bounces at lists.openid.net] On Behalf Of Nat Sakimura
> Sent: Tuesday, May 14, 2013 6:33 PM
> To: openid-specs-ab at lists.openid.net
> Subject: [Openid-specs-ab] OAuth implementation vulnerability
>
> You guys probably knew it, but it is a good read.
>
> http://webstersprodigy.net/2013/05/09/common-oauth-issue-you-can-use-to-take-over-accounts/
>
> BTW, perhaps we should add x-frame-options to the spec?
> Also, some tightening up in the security considerations?
>
> I know that this is really an implementation issue, but the magnitude of
> the attack success makes me think that perhaps it is a good idea to mention
> them at least. I am probably the one who wants to finish the spec the
> most...
>
> --
> Nat Sakimura (=nat)
> Chairman, OpenID Foundation
> http://nat.sakimura.org/
> @_nat_en
> _______________________________________________
> Openid-specs-ab mailing list
> Openid-specs-ab at lists.openid.net
> http://lists.openid.net/mailman/listinfo/openid-specs-ab
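Matias's suggestion above, as an added example that is not from this thread or from any project it mentions: an account-linking handler authorised by the session cookie alone (the pattern John identifies as the underlying cause) beside one that also demands the id_token in the Authorization header, which a cross-site form POST cannot supply. It assumes an HS256-signed id_token verified with the client secret, and the issuer, client id, secret and session table are constructed demo values.

```python
import base64, hashlib, hmac, json

# Constructed demo values (not from the thread). With HS256 the RP can verify
# the id_token using the client secret it already shares with the OP.
CLIENT_SECRET = b"demo-client-secret"
ISSUER, CLIENT_ID = "https://op.example", "rp-client-id"

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64url(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def mint_id_token(sub: str, exp: int) -> str:
    """Stand-in for the OP: issue an HS256 id_token for the demo."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps({"iss": ISSUER, "aud": CLIENT_ID, "sub": sub, "exp": exp}).encode())
    sig = hmac.new(CLIENT_SECRET, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"

def verify_id_token(token: str, now: int):
    """Return the claims if signature, issuer, audience and expiry check out, else None."""
    try:
        header, body, sig = token.split(".")
        if json.loads(_unb64url(header)).get("alg") != "HS256":
            return None  # refuse alg confusion ("none", a public key used as HMAC secret, ...)
        expected = hmac.new(CLIENT_SECRET, f"{header}.{body}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64url(sig)):
            return None
        claims = json.loads(_unb64url(body))
    except (ValueError, TypeError):
        return None
    if claims.get("iss") != ISSUER or claims.get("aud") != CLIENT_ID or claims.get("exp", 0) <= now:
        return None
    return claims

# Server-side session table as the RP would hold it: session cookie -> logged-in user.
SESSIONS = {"sess-alice": "alice"}

def link_account_vulnerable(cookies: dict, body: dict) -> bool:
    """The pattern John describes: a POST authorised by the session cookie alone.
    The browser attaches that cookie to a form POST from any site, so an attacker's
    page can link its own provider identity to the victim's account."""
    return cookies.get("session") in SESSIONS

def link_account_hardened(cookies: dict, headers: dict, now: int) -> bool:
    """Matias's variant: the caller must also present the id_token as a bearer token.
    A custom Authorization header is only sent by script that holds the token (and
    triggers a CORS preflight cross-origin), so a forged cross-site POST fails here.
    The token's sub must also match the session user, not merely be valid."""
    user = SESSIONS.get(cookies.get("session"))
    auth = headers.get("Authorization", "")
    if user is None or not auth.startswith("Bearer "):
        return False
    claims = verify_id_token(auth[len("Bearer "):], now)
    return claims is not None and claims.get("sub") == user
```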