[Openid-specs-ab] 1000 WAYS TO DIE IN MOBILE OAUTH

Adam Dawes adawes at google.com
Wed Aug 10 07:42:29 UTC 2016


I just looked through the deck and it seems that most of these relate to
OAuth2-based auth flows. At the end, one of the recommendations is to adopt
OIDC.

But in our experience, developers also get OIDC wrong far too often. The
thing that is the biggest problem is proper ID token verification (issuer
and audience checks). I really think that the community would be very well
served with excellent open source JWT validation libraries on all major
frameworks/languages. Google would be very interested in working with
others on this problem. Please let me know if you have interest/ideas about
how to improve this.

The other area that concerns me but doesn't seem to be a major issue yet is
clientID spoofing on platforms like iOS. Users don't pay enough attention
to consent screens so spoofing another client is an interesting phishing
vector.

On Tue, Aug 9, 2016 at 10:00 PM, Nat Sakimura via Openid-specs-ab <
openid-specs-ab at lists.openid.net> wrote:

> Just found a briefing in Blackhat 2016 titled “1000 WAYS TO DIE IN MOBILE
> OAUTH”
> <https://www.blackhat.com/us-16/briefings.html#1000-ways-to-die-in-mobile-oauth>
>
> Says:
>
> > “(1) all major identity providers, e.g., Facebook, Google and Microsoft,
> > have re-purposed OAuth for user authentication;”
> >
> > [..snip..]
> >
> > “The result is really worrisome: among the 149 applications that use
> > OAuth, 89 of them (59.7%) were incorrectly implemented and thus vulnerable.”
>
> Maybe we should dig in.


-- 
Adam Dawes | Sr. Product Manager | adawes at google.com | +1 650-214-2410
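An added example, not from this thread and not code from Google or any OIDC library: a minimal ID token verifier in Python that performs the issuer and audience checks Adam calls out, together with the signature, algorithm-pinning, azp and expiry checks that go with them, run against constructed tokens. HS256 with a shared secret is used only so the block runs offline on the standard library; real ID tokens from Google and other providers are RS256/ES256 and are verified against the provider's published JWKS. The issuer URL, client id, key and claims below are constructed placeholders.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional


class TokenInvalid(Exception):
    """Raised for any reason an ID token must be rejected."""


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_id_token(claims: dict, key: bytes, alg: str = "HS256") -> str:
    """Constructed stand-in for the provider: builds an HS256 JWT (or an unsigned
    alg=none token when asked) so the verifier below has input to check."""
    header = _b64url_encode(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    signing_input = f"{header}.{payload}"
    if alg == "none":
        return signing_input + "."
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def verify_id_token(token: str, key: bytes, expected_issuer: str,
                    client_id: str, now: Optional[float] = None) -> dict:
    """Check signature first, then iss / aud / azp / exp (the OIDC Core 3.1.3.7
    rules). Returns the claims only if every check passes."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise TokenInvalid("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    # The relying party pins the algorithm it expects; the token never picks it.
    # This rejects alg=none and key-type confusion in one step.
    if header.get("alg") != "HS256":
        raise TokenInvalid("unexpected alg")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise TokenInvalid("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    # Issuer check: the token must come from the provider we configured.
    if claims.get("iss") != expected_issuer:
        raise TokenInvalid("wrong issuer")
    # Audience check: a correctly signed token issued to a different client is
    # still not ours. Skipping this lets any app's token log a user in here.
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if client_id not in audiences:
        raise TokenInvalid("token not intended for this client")
    if "azp" in claims and claims["azp"] != client_id:
        raise TokenInvalid("azp mismatch")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or now >= exp:
        raise TokenInvalid("expired")
    return claims


def demo() -> dict:
    """Run the verifier over one constructed good token and four bad ones."""
    key = b"constructed-shared-secret"   # constructed; real IdPs use RSA/EC keys
    issuer = "https://idp.example"       # constructed issuer URL
    base = {"iss": issuer, "sub": "user-42", "iat": 1000, "exp": 2000}
    cases = {
        "good": mint_id_token({**base, "aud": "my-app"}, key),
        "other_client": mint_id_token({**base, "aud": "some-other-app"}, key),
        "wrong_issuer": mint_id_token({**base, "iss": "https://evil.example",
                                       "aud": "my-app"}, key),
        "alg_none": mint_id_token({**base, "aud": "my-app"}, key, alg="none"),
        "expired": mint_id_token({**base, "aud": "my-app"}, key),
    }
    results = {}
    for name, token in cases.items():
        clock = 2500 if name == "expired" else 1500   # "expired" is checked past exp
        try:
            claims = verify_id_token(token, key, issuer, "my-app", now=clock)
            results[name] = "accepted:" + claims["sub"]
        except TokenInvalid as err:
            results[name] = "rejected:" + str(err)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:13} {outcome}")
```

The order matters in one respect: the algorithm comes from the verifier's configuration, not from the token header, and the issuer and audience are compared against values the relying party fixed at registration time. A library that exposes exactly these parameters (issuer, client id, allowed algorithms, key set) and refuses to return claims until all of them pass is the shape of the "excellent open source JWT validation library" the message asks for.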