Dailydave mailing list archives

Re: OAuth vulnerabilities, and insane partial disclosure people.


From: Michael Eddington <meddington () gmail com>
Date: Wed, 22 Apr 2009 17:40:58 -0700

Well, one thing that jumps out is the signing of the requests is the
only part that truly identifies the consumer to the protected resource,
but the signing is optional and up to the consumer to request.  Since
this is a clear-text protocol that is meant to work over non-SSL'd
connections there is no assumption of privacy for any of the tokens in play.

See section "9.4 PLAINTEXT" in the 1.0 specification
(http://oauth.net/core/1.0)

Additionally, the assertion that PLAINTEXT signing is okay if performed
over SSL seems bogus since SSL does not provide identity of the client,
only server by default, hence anyone could perform an SSL connection and
provide the oauth tokens with no signing to impersonate a consumer.

Finally, I find it very amusing that the protocol transfers secrets in
the clear, for example the oauth_token_secret is provided to the
consumer over HTTP response and is not encrypted.  Should the secret
ever be used by itself to perform signing we will have a problem.

Still, I'm not sure if any of these qualify for a "social engineering
attack" as stated in the cnet article.  Granted, we should only take
their explanation with a grain of salt.

mike

Dave Aitel wrote:
http://news.cnet.com/8301-13577_3-10225103-36.html

Apparently OAuth has a vulnerability (which was pretty obvious when
Twitter pulled it down without saying why).  But, in the spirit of
Christmas, they've decided to say there IS a vulnerability, but we're
not going to tell you what it is. Anyone care to guess?

-dave
_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave
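As an added illustration (not part of the thread above), a small Python script that builds the OAuth 1.0 signature base string (spec section 9.1), signs it with HMAC-SHA1 (9.2) and with PLAINTEXT (9.4), and shows why the two differ: the PLAINTEXT "signature" is literally the consumer and token secrets, so anyone who sees the request holds the credentials, while an HMAC-SHA1 signature is bound to the method, URL, timestamp and nonce and fails verification for any other request. The request parameters and secrets are constructed sample values, not credentials from any real service.

```python
"""OAuth 1.0 signing: HMAC-SHA1 (spec 9.2) beside PLAINTEXT (spec 9.4)."""
import base64
import hashlib
import hmac
from urllib.parse import quote

# Sample request and credentials, constructed for this example (not real secrets).
METHOD, URL = "GET", "http://photos.example.net/photos"
CONSUMER_SECRET, TOKEN_SECRET = "kd94hf93k423kf44", "pfkkdhi9sl3r4s00"
PARAMS = {
    "file": "vacation.jpg", "size": "original",
    "oauth_consumer_key": "dpf43f3p2l4k3l03", "oauth_token": "nnch734d00sl2jdk",
    "oauth_signature_method": "HMAC-SHA1", "oauth_timestamp": "1191242096",
    "oauth_nonce": "kllo9940pd9333jh", "oauth_version": "1.0",
}

def enc(value):
    # Section 5.1: percent-encode everything except RFC 3986 unreserved characters.
    return quote(str(value), safe="-._~")

def signature_base_string(method, url, params):
    # Section 9.1: METHOD & URL & normalized parameters, each percent-encoded;
    # parameters are sorted by name and oauth_signature itself is excluded.
    pairs = sorted((enc(k), enc(v)) for k, v in params.items() if k != "oauth_signature")
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), enc(url), enc(normalized)])

def sign_hmac_sha1(method, url, params, consumer_secret, token_secret):
    # Section 9.2: the secrets are only the HMAC key; the signature binds method,
    # URL, timestamp and nonce, so a captured value is useless for another request.
    key = f"{enc(consumer_secret)}&{enc(token_secret)}".encode()
    mac = hmac.new(key, signature_base_string(method, url, params).encode(), hashlib.sha1)
    return base64.b64encode(mac.digest()).decode()

def sign_plaintext(consumer_secret, token_secret):
    # Section 9.4: no hashing at all; the "signature" is the two secrets joined by '&'.
    return f"{enc(consumer_secret)}&{enc(token_secret)}"

def reveals_secrets(signature, consumer_secret, token_secret):
    # True when the signature itself hands the secrets to anyone who sees the request.
    return consumer_secret in signature and token_secret in signature

def verify_hmac_sha1(method, url, params, consumer_secret, token_secret):
    # Resource-server side: accept only HMAC-SHA1 and compare in constant time.
    if params.get("oauth_signature_method") != "HMAC-SHA1":
        return False
    expected = sign_hmac_sha1(method, url, params, consumer_secret, token_secret)
    return hmac.compare_digest(expected, params.get("oauth_signature", ""))

if __name__ == "__main__":
    signed = dict(PARAMS, oauth_signature=sign_hmac_sha1(METHOD, URL, PARAMS, CONSUMER_SECRET, TOKEN_SECRET))
    print("HMAC-SHA1 verifies:", verify_hmac_sha1(METHOD, URL, signed, CONSUMER_SECRET, TOKEN_SECRET))
    print("PLAINTEXT leaks secrets:", reveals_secrets(sign_plaintext(CONSUMER_SECRET, TOKEN_SECRET), CONSUMER_SECRET, TOKEN_SECRET))
```

A resource server that refuses PLAINTEXT and checks the nonce/timestamp pair against recent requests closes both the disclosure and the replay problem discussed above.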

