[Openid-specs-ab] Fwd: [OAUTH-WG] OAuth Redirection Attacks

Filip Skokan panva.ip at gmail.com
Thu Dec 16 20:17:25 UTC 2021


This is as much a topic for Connect as it is for OAuth 2.0/2.1, forwarding
to ensure the relevant working groups don't miss this.

Best,
Filip

---------- Forwarded message ---------
From: Rifaat Shekh-Yusef <rifaat.s.ietf at gmail.com>
Date: Thu, 16 Dec 2021 at 21:04
Subject: [OAUTH-WG] OAuth Redirection Attacks
To: oauth <oauth at ietf.org>


All,


An article was recently published discussing some OAuth Redirection Attacks
to try to bypass phishing detection solutions. See the details of these
attacks in the following link:


https://www.proofpoint.com/us/blog/cloud-security/microsoft-and-github-oauth-implementation-vulnerabilities-lead-redirection


The article discusses attacks on Microsoft and GitHub, but these attacks
are not unique to these companies.

The attacks take advantage of how OAuth handles error responses, which
sends responses to the application’s redirect URL.

I would like to get the thoughts of the working group on these types of
attacks.

What is the best way to mitigate these attacks?

Do we need a new approach for handling errors with OAuth?

Regards,

 Rifaat

_______________________________________________
OAuth mailing list
OAuth at ietf.org
https://www.ietf.org/mailman/listinfo/oauth
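The mechanism Rifaat points at is the authorization endpoint's error handling: once a client_id and registered redirect_uri check out, RFC 6749 section 4.1.2.1 has the authorization server bounce later errors (for example invalid_scope) straight to that redirect_uri, so a self-registered client with an attacker-controlled URI turns the provider's login domain into a redirector that needs no user interaction. The following is an added example, written for this page and not code from the thread or from any provider named in the article. It puts the literal auto-redirect behaviour beside a hardened variant that only auto-redirects errors for clients the server trusts and otherwise shows an interstitial (the approach the OAuth Security BCP draft describes under "Authorization Server as Open Redirector"). The client registry, the `trusted` flag, the scope list and all function names are assumptions.

```python
"""Authorization-endpoint error handling: the automatic error redirect that
the redirection attack abuses, beside a hardened decision.

Added example; not code from the thread or from any named provider.
The client registry, the "trusted" flag and the function names are assumed.
"""
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Constructed registry. A real AS backs this with its client database.
# "trusted" is an assumed flag, e.g. a first-party or reviewed client.
CLIENTS = {
    "first-party-app": {
        "redirect_uris": ["https://app.example.com/cb"],
        "trusted": True,
    },
    # Self-service (e.g. dynamic) registration with an attacker-controlled URI.
    "evil-app-7f3a": {
        "redirect_uris": ["https://login-example.attacker.test/cb"],
        "trusted": False,
    },
}
SUPPORTED_SCOPES = {"openid", "profile", "email"}
SUPPORTED_RESPONSE_TYPES = {"code"}


def build_error_redirect(redirect_uri, error, state=None, description=None):
    """Append the error parameters to the query component of redirect_uri
    (RFC 6749 section 4.1.2.1), keeping any existing query and echoing state."""
    parts = urlsplit(redirect_uri)
    query = parse_qsl(parts.query, keep_blank_values=True)
    query.append(("error", error))
    if description:
        query.append(("error_description", description))
    if state is not None:
        query.append(("state", state))
    return urlunsplit((parts.scheme, parts.netloc, parts.path,
                       urlencode(query), parts.fragment))


def _check(params):
    """Shared validation. Returns (client, redirect_uri, error_code); client is
    None when the request must not be redirected anywhere at all."""
    client = CLIENTS.get(params.get("client_id", ""))
    redirect_uri = params.get("redirect_uri", "")
    # Unknown client or unregistered redirect_uri: RFC 6749 says the AS MUST NOT
    # redirect; the error is rendered on the AS itself.
    if client is None or redirect_uri not in client["redirect_uris"]:
        return None, None, "invalid_request"
    if params.get("response_type") not in SUPPORTED_RESPONSE_TYPES:
        return client, redirect_uri, "unsupported_response_type"
    scopes = set(params.get("scope", "").split())
    if not scopes or not scopes <= SUPPORTED_SCOPES:
        return client, redirect_uri, "invalid_scope"
    return client, redirect_uri, None


def authorize_auto_redirect(params):
    """Literal RFC 6749 behaviour: every error after the client/redirect_uri
    check passes is sent straight to redirect_uri. An attacker who registered a
    client sends a bogus scope, and the AS domain forwards the victim to the
    attacker's page with no click and no consent screen."""
    client, redirect_uri, error = _check(params)
    if client is None:
        return ("render", error)
    if error:
        return ("redirect", build_error_redirect(redirect_uri, error, params.get("state")))
    return ("consent", params["client_id"])


def authorize_hardened(params):
    """Same checks, but an error is auto-redirected only for clients the AS
    trusts. For everyone else the user gets an interstitial that names the
    destination and has to click through, so the login domain no longer acts
    as a silent redirector for self-registered clients."""
    client, redirect_uri, error = _check(params)
    if client is None:
        return ("render", error)
    if error:
        url = build_error_redirect(redirect_uri, error, params.get("state"))
        return ("redirect", url) if client["trusted"] else ("interstitial", url)
    return ("consent", params["client_id"])


if __name__ == "__main__":
    # Constructed phishing-style request: registered client, attacker URI, bad scope.
    phish = {"client_id": "evil-app-7f3a",
             "redirect_uri": "https://login-example.attacker.test/cb",
             "response_type": "code", "scope": "bogus", "state": "xyz"}
    print(authorize_auto_redirect(phish))   # silent redirect to the attacker
    print(authorize_hardened(phish))        # interstitial instead
```

The split between "render" and "redirect"/"interstitial" is the part worth keeping: the unknown-client and bad-redirect_uri cases were already non-redirecting under RFC 6749, and the attack lives entirely in the cases where the client and URI are valid but something else in the request is not.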