[Openid-specs-ab] OAuth implementation vulnerability
Axel.Nennker at telekom.de
Wed May 15 14:22:02 UTC 2013
The attack is carried out in steps 4.1 and 4.2:
4. A malicious site does the following:
* Logs victim in to attacker's Facebook by using CSRF on the Login, or by tossing cookies
* POSTs to the account association request
4.1 is the IdP (facebook) who needs CSRF or cookie manipulation protection
4.2 is the "accessing application" (stackoverflow) that needs protection
Two parties might use openid connect: IdP and accessing application. There should be some protection through the signed id_token and the nonce inside it, which might be used as a session cookie for both IdP and accessing application.
The security measure to protect the account linkage by asking for the user's password again is good but outside of openid connect.
Maybe this discussion is relevant for accountchooser too?
My guess is that the connect specs are not really relevant for this attack against account linkage.
Maybe a new section in "Running a Login System with an Account Chooser" titled "Adding more accounts to a local user account"
https://docs.google.com/document/pub?id=1O7jyQLb7dW6EnJrFsWZDyh0Yq0aFJU5UJ4i5QzYlTjU
might help?
-Axel
From: openid-specs-ab-bounces at lists.openid.net [mailto:openid-specs-ab-bounces at lists.openid.net] On Behalf Of John Bradley
Sent: Wednesday, May 15, 2013 9:16 AM
To: Mike Jones
Cc: openid-specs-ab at lists.openid.net
Subject: Re: [Openid-specs-ab] OAuth implementation vulnerability
The attack seems to be about using CSRF to link an account rather than the normal login. I need to look at it some more, but I guess the account linking code taking a POST without CSRF protection is the underlying cause. The Connect state and nonce would not be able to stop this as Connect is triggered by the Post before the Connect flow.
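Added example, not part of this thread and not any project's code: a minimal account-linking endpoint showing the missing piece John describes. The state/nonce of the Connect flow only cover the redirect that happens later; the POST that starts linking has to carry its own per-session CSRF token (and the page serving it should refuse to be framed, as Nat suggests). The session store, origin `https://app.example`, and form field names are assumptions made for the example.

```python
import hmac
import secrets
from dataclasses import dataclass, field

OWN_ORIGIN = "https://app.example"  # assumed origin of the accessing application


@dataclass
class Session:
    """Constructed in-memory session; a real app would use a server-side store."""
    user_id: str
    csrf_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))
    linked_accounts: dict = field(default_factory=dict)  # provider -> remote account id


SESSIONS: dict = {}


def start_session(user_id: str) -> str:
    """Create a logged-in session and return its id (the session cookie value)."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = Session(user_id)
    return sid


def render_link_form(sid: str):
    """Return (response headers, hidden form fields) for the 'link an account' page.

    The hidden csrf_token is bound to this session, so a cross-site page cannot
    read it. The frame headers keep the page from being embedded for clickjacking.
    """
    session = SESSIONS[sid]
    headers = {
        "X-Frame-Options": "DENY",
        "Content-Security-Policy": "frame-ancestors 'none'",
    }
    return headers, {"csrf_token": session.csrf_token}


def handle_link_post(sid: str, form: dict, origin, provider: str, remote_account_id: str):
    """Handle the POST that begins account linking; returns (status, reason).

    Note: OAuth/Connect state and nonce protect the redirect flow that follows,
    not this request, so the linking request itself must be CSRF-protected.
    """
    session = SESSIONS.get(sid)
    if session is None:
        return 401, "no session"
    # 1. If the browser sent an Origin header it must be our own origin.
    if origin is not None and origin != OWN_ORIGIN:
        return 403, "cross-origin request"
    # 2. Synchronizer token must match the per-session value (constant-time compare).
    token = form.get("csrf_token", "")
    if not hmac.compare_digest(token, session.csrf_token):
        return 403, "missing or invalid csrf token"
    # 3. Rotate the token so a copy of a used form cannot be replayed.
    session.csrf_token = secrets.token_urlsafe(32)
    session.linked_accounts[provider] = remote_account_id
    return 200, "linked"


if __name__ == "__main__":
    sid = start_session("alice")
    headers, fields = render_link_form(sid)
    # A forged cross-site POST lacks the session-bound token and is refused.
    print(handle_link_post(sid, {}, "https://evil.example", "facebook", "attacker-fb"))
    # The first-party form submission succeeds.
    print(handle_link_post(sid, fields, OWN_ORIGIN, "facebook", "alice-fb"))
```

The Origin check is a second, independent line of defence; the token check alone is sufficient against the CSRF in the linked write-up, and asking for the user's password again at this step (as Axel notes) belongs in the same handler, before the link is recorded.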
On 2013-05-15, at 8:20 AM, Mike Jones <Michael.Jones at microsoft.com> wrote:
Can you propose concise security considerations text about the issues identified in the post? I'm almost done applying the changes agreed to in Mountain View to the specs, so the timing of adding this would be good, in terms of letting people review the text before we publish the Implementer's Drafts.
-- Mike
From: openid-specs-ab-bounces at lists.openid.net [mailto:openid-specs-ab-bounces at lists.openid.net] On Behalf Of Nat Sakimura
Sent: Tuesday, May 14, 2013 6:33 PM
To: openid-specs-ab at lists.openid.net
Subject: [Openid-specs-ab] OAuth implementation vulnerability
You guys probably knew it, but it is a good read.
http://webstersprodigy.net/2013/05/09/common-oauth-issue-you-can-use-to-take-over-accounts/
BTW, perhaps we should add x-frame-options to the spec?
Also, some tightening up in the security considerations?
I know that this is really an implementation issue, but the magnitude of the attack success makes me think that perhaps it is a good idea to mention them at least. I am probably the one who wants to finish the spec the most...
--
Nat Sakimura (=nat)
Chairman, OpenID Foundation
http://nat.sakimura.org/
@_nat_en