[Openid-specs-ab] 1-click account hijack for anyone using Google sign-in with Gitlab, due to response-type switch + leaking to gitlab-api.arkoselabs.com that has XSS
David Waite
david at alkaline-solutions.com
Tue Jul 25 01:22:54 UTC 2023
If OIDC 1.1 removed implicit, could we not just require PKCE and align with OAuth 2.1 work?
-DW
> On Jul 24, 2023, at 6:01 PM, Nat Sakimura via Openid-specs-ab <openid-specs-ab at lists.openid.net> wrote:
>
> For those of you who are in IETF, hope you are having a good time.
> Here is a vulnerability reported by Frans Rosén https://gitlab.com/gitlab-org/gitlab/-/issues/362394
> and https://user-content.gitlab-static.net/36d11caeb269229319a2912b9719ed1d55ec1af9/68747470733a2f2f68312e7365632e6769746c61622e6e65742f612f35616565376137322d643935372d343265652d393631652d3362393436613564323538642f6769746c61622d68696a61636b2e6d7034
> Maybe we should make nonce mandatory in OpenID Connect 1.1.
> Also, stronger recommendations on the use of request objects.
> Best,
>
> Nat Sakimura
>
> _______________________________________________
> Openid-specs-ab mailing list
> Openid-specs-ab at lists.openid.net
> https://lists.openid.net/mailman/listinfo/openid-specs-ab
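The defence the thread is circling (a code-flow relying party that refuses tokens delivered straight to its redirect URI, and binds the login with state, PKCE and nonce), as an added Python example that is not from this thread nor from GitLab's or Google's code; FakeIdP and login_roundtrip are constructed stand-ins for a provider, not any real API.

```python
import base64
import hashlib
import secrets

def b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def begin_login(session: dict) -> dict:
    """Code-flow authorization request; state, nonce and the PKCE verifier are bound to the session."""
    verifier = b64url(secrets.token_bytes(32))
    session.update(state=b64url(secrets.token_bytes(16)), nonce=b64url(secrets.token_bytes(16)),
                   verifier=verifier)
    return {"response_type": "code", "state": session["state"], "nonce": session["nonce"],
            "code_challenge": b64url(hashlib.sha256(verifier.encode()).digest()),
            "code_challenge_method": "S256"}

def handle_callback(session: dict, query: dict, fragment: dict, token_endpoint) -> dict:
    """Redirect-URI handler: accept only the code this client asked for, bound by state, PKCE and nonce."""
    # Response-type switch: tokens arriving directly (fragment or query) are never consumed by a code client.
    if fragment or "id_token" in query or "access_token" in query:
        raise ValueError("tokens delivered to the redirect URI; response_type switch rejected")
    if not session.get("state") or query.get("state") != session.pop("state"):
        raise ValueError("state mismatch")
    if "code" not in query:
        raise ValueError("no authorization code")
    id_token = token_endpoint(query["code"], session.pop("verifier"))  # PKCE verifier goes here
    if id_token.get("nonce") != session.pop("nonce", None):  # nonce ties the ID token to this login
        raise ValueError("nonce mismatch")
    return id_token

class FakeIdP:  # constructed stand-in for a provider's authorize and token endpoints (hypothetical)
    def __init__(self): self.codes = {}

    def authorize(self, request: dict, sub: str) -> str:
        code = b64url(secrets.token_bytes(16))
        self.codes[code] = (request["code_challenge"], request["nonce"], sub)
        return code

    def token(self, code: str, verifier: str) -> dict:
        challenge, nonce, sub = self.codes.pop(code)
        if b64url(hashlib.sha256(verifier.encode()).digest()) != challenge:
            raise ValueError("PKCE verification failed")
        return {"sub": sub, "nonce": nonce}

def login_roundtrip(idp: FakeIdP, sub: str = "alice") -> dict:
    session = {}
    req = begin_login(session)
    code = idp.authorize(req, sub)
    return handle_callback(session, {"code": code, "state": req["state"]}, {}, idp.token)
```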