<HTML>
<HEAD>
<TITLE>Does OAuth security vulnerability affect OpenID/OAuth hybrid?</TITLE>
</HEAD>
<BODY>
<FONT FACE="Calibri, Verdana, Helvetica, Arial"><SPAN STYLE='font-size:11pt'>(hijacking thread a bit)<BR>
<BR>
Allen-<BR>
<BR>
If I understand it correctly, the OAuth security issue doesn’t affect the hybrid spec in the same way.<BR>
<BR>
With the OAuth session fixation vulnerability, the problem comes if the attacker does the following:<BR>
<BR>
</SPAN></FONT><OL><LI><FONT FACE="Calibri, Verdana, Helvetica, Arial"><SPAN STYLE='font-size:11pt'>Request a request token by pretending to request access
</SPAN></FONT><LI><FONT FACE="Calibri, Verdana, Helvetica, Arial"><SPAN STYLE='font-size:11pt'>Force the user to go to a URL using that request token
</SPAN></FONT><LI><FONT FACE="Calibri, Verdana, Helvetica, Arial"><SPAN STYLE='font-size:11pt'>Muah! Calculate what the return_to URL would have been, and use the pre-known request token to gain access to the user’s account info.<BR>
</SPAN></FONT></OL><FONT FACE="Calibri, Verdana, Helvetica, Arial"><SPAN STYLE='font-size:11pt'><BR>
In the OAuth hybrid flow, there is no pre-registered request token; instead, the token is returned, securely, in the URL. It is protected by the fact that OpenID requires the realm to match the return_to, and many providers can require that the OAuth request realm also match the OpenID realm. In this flow, there’s no way for the attacker to intercept the request_token before it makes its way back to the correct user.<BR>
<BR>
Perhaps the problem is more subtle than I understood, but I just want to make sure I’m clear on the issues.<BR>
<BR>
On 5/12/09 9:48 PM, "Allen Tom" <<a href="atom@yahoo-inc.com">atom@yahoo-inc.com</a>> wrote:<BR>
<BR>
</SPAN></FONT><BLOCKQUOTE><FONT FACE="Calibri, Verdana, Helvetica, Arial"><SPAN STYLE='font-size:11pt'>Hi Nat,<BR>
<BR>
Here you go:<BR>
<BR>
<a href="http://step2.googlecode.com/svn/spec/openid_oauth_extension/latest/openid_oauth_extension.html">http://step2.googlecode.com/svn/spec/openid_oauth_extension/latest/openid_oauth_extension.html</a><BR>
<BR>
We might need to revise the spec to not support checkid_immediate for<BR>
the Hybrid flow, because auto-issuing OAuth access tokens is probably a<BR>
bad thing, in light of the recent OAuth security issue.<BR>
<BR>
Allen<BR>
<BR>
Nat Sakimura wrote:<BR>
> Hi.<BR>
><BR>
> Where can I find the most current version of OpenID / OAuth hybrid spec draft?<BR>
> I would like to look at it to see if I can borrow as much from the<BR>
> draft for what I am thinking right now.<BR>
><BR>
> <BR>
<BR>
_______________________________________________<BR>
specs mailing list<BR>
<a href="specs@openid.net">specs@openid.net</a><BR>
<a href="http://openid.net/mailman/listinfo/specs">http://openid.net/mailman/listinfo/specs</a><BR>
<BR>
</SPAN></FONT></BLOCKQUOTE>
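<FONT FACE="Calibri, Verdana, Helvetica, Arial"><SPAN STYLE='font-size:11pt'>Added example, not code from the thread or from the Step2 hybrid spec: a toy model of the three-step OAuth 1.0 session-fixation attack sketched above, alongside the OpenID 2.0 rule (spec section 9.2) that openid.return_to must lie within openid.realm, which is the check the hybrid flow relies on to keep the request token from being delivered anywhere but the consumer's own return_to. The service provider, consumer, hostnames (consumer.example, attacker.example) and tokens are constructed for illustration; the pre-1.0a provider deliberately has no oauth_verifier and no callback binding, because that is the state of OAuth the thread is discussing.<BR></SPAN></FONT>

```python
"""Toy OAuth 1.0 session fixation vs. the OpenID realm/return_to check (constructed example)."""
import secrets
from urllib.parse import urlsplit


class ServiceProvider:
    """Minimal OAuth 1.0 (pre-1.0a) token store: no oauth_verifier, no callback binding."""

    def __init__(self):
        self.request_tokens = {}   # request token -> {"consumer": key, "user": None | user}
        self.access_tokens = {}    # access token  -> user whose data it unlocks

    def issue_request_token(self, consumer_key):
        tok = secrets.token_hex(8)
        self.request_tokens[tok] = {"consumer": consumer_key, "user": None}
        return tok

    def authorize(self, token, user):
        """The browser user approves the token on the provider's authorize page."""
        self.request_tokens[token]["user"] = user

    def exchange(self, consumer_key, token):
        """Swap an approved request token for an access token; 1.0 needs no verifier."""
        rec = self.request_tokens.pop(token)
        if rec["consumer"] != consumer_key or rec["user"] is None:
            raise PermissionError("request token not approved for this consumer")
        access = secrets.token_hex(8)
        self.access_tokens[access] = rec["user"]
        return access


class Consumer:
    """Consumer whose return_to handler trusts whatever request token arrives in the URL."""

    def __init__(self, sp, key):
        self.sp, self.key = sp, key
        self.sessions = {}         # browser session id -> access token

    def return_to(self, session_id, request_token):
        self.sessions[session_id] = self.sp.exchange(self.key, request_token)


def oauth10_session_fixation():
    """Steps 1-3 from the thread; returns whose account the attacker's session now holds."""
    sp = ServiceProvider()
    consumer = Consumer(sp, "good-consumer")
    # 1. attacker starts an authorization as if it were the consumer and learns the token
    tok = sp.issue_request_token(consumer.key)
    # 2. attacker lures the victim to the authorize URL carrying that token; victim approves
    sp.authorize(tok, "victim")
    # 3. attacker visits the predictable return_to URL first, in the attacker's own session
    consumer.return_to("attacker-session", tok)
    return sp.access_tokens[consumer.sessions["attacker-session"]]   # "victim"


def return_to_matches_realm(realm, return_to):
    """OpenID 2.0 realm matching: same scheme and port, return_to path equal to or under
    the realm path, host equal to the realm host or (for a '*.' realm) ending with the
    realm host with the '*' removed. Realms may not carry a fragment."""
    r, u = urlsplit(realm), urlsplit(return_to)
    if r.fragment or r.scheme != u.scheme or r.port != u.port:
        return False
    r_path, u_path = (r.path or "/"), (u.path or "/")
    if not (u_path == r_path or u_path.startswith(r_path.rstrip("/") + "/")):
        return False
    r_host, u_host = (r.hostname or "").lower(), (u.hostname or "").lower()
    if r_host.startswith("*."):
        # a wildcard realm must still name a real domain (reject "*.com"-style realms)
        return "." in r_host[2:] and u_host.endswith(r_host[1:])
    return r_host == u_host


class HybridOP:
    """OpenID Provider that, once the user has approved, carries the OAuth request token
    inside the OpenID response sent to return_to (the hybrid flow as described above)."""

    def __init__(self, sp):
        self.sp = sp

    def checkid_setup(self, user, consumer_key, realm, return_to):
        if not return_to_matches_realm(realm, return_to):
            raise ValueError("openid.return_to is not within openid.realm")
        tok = self.sp.issue_request_token(consumer_key)
        self.sp.authorize(tok, user)        # the token is born already bound to this user
        return {"openid.return_to": return_to, "openid.oauth.request_token": tok}


def hybrid_attack_blocked():
    """The attacker cannot steer the victim's response (and its token) to its own host."""
    op = HybridOP(ServiceProvider())
    try:
        op.checkid_setup("victim", "good-consumer",
                         realm="http://consumer.example/",
                         return_to="http://attacker.example/return")
    except ValueError:
        return True
    return False
```

<FONT FACE="Calibri, Verdana, Helvetica, Arial"><SPAN STYLE='font-size:11pt'>The first function reproduces the race: because the pre-1.0a provider hands out the request token before anyone has approved it, the attacker knows it in advance and only has to reach the consumer's return_to before the victim does. In the hybrid model the token does not exist until the OP has authenticated a user, and the realm check refuses to send the assertion that carries it to a return_to outside the consumer's realm, so step 1 has nothing to pre-fetch and step 3 has nothing to intercept.<BR></SPAN></FONT>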
</BODY>
</HTML>