Dailydave mailing list archives

Re: OAuth vulnerabilities, and insane partial disclosure people.


From: Matthieu Suiche <msuiche () gmail com>
Date: Thu, 23 Apr 2009 09:49:23 +0200

Dave... You are a very bad guy.

http://groups.google.com/group/oauth/browse_thread/thread/20e12ace524dba3?pli=1

"Please do not speculate or publicly discuss the actual details of this or
other threats." said Eran

Anyway, details are public now:
http://www.hueniverse.com/hueniverse/2009/04/explaining-the-oauth-session-fixation-attack.html#more
http://oauth.net/advisories/2009-1

--
Matthieu Suiche
On Thu, Apr 23, 2009 at 2:40 AM, Michael Eddington <meddington () gmail com> wrote:
Well, one thing that jumps out is that the signing of the requests is the
only part that truly identifies the consumer to the protected resource,
but the signing is optional and up to the consumer to request.  Since
this is a clear-text protocol that is meant to work over non-SSL'd
connections, there is no assumption of privacy for any of the tokens in play.

See section "9.4 PLAINTEXT" in the 1.0 specification
(http://oauth.net/core/1.0)

Additionally, the assertion that PLAINTEXT signing is okay if performed
over SSL seems bogus, since SSL does not provide identity of the client,
only of the server by default; hence anyone could perform an SSL connection and
provide the oauth tokens with no signing to impersonate a consumer.

Finally, I find it very amusing that the protocol transfers secrets in
the clear; for example, the oauth_token_secret is provided to the
consumer in an HTTP response and is not encrypted.  Should the secret
ever be used by itself to perform signing, we will have a problem.

Still, I'm not sure if any of these qualify as a "social engineering
attack" as stated in the cnet article.  Granted, we should only take
their explanation with a grain of salt.

mike

Dave Aitel wrote:
http://news.cnet.com/8301-13577_3-10225103-36.html

Apparently OAuth has a vulnerability (which was pretty obvious when
Twitter pulled it down without saying why).  But, in the spirit of
Christmas, they've decided to say there IS a vulnerability, but we're
not going to tell you what it is. Anyone care to guess?

-dave
_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave


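The point Mike makes above about section 9.4 (PLAINTEXT) versus a real signature is easy to see on the wire. The following is an added example written for this archive page; it is not code from any of the posters or from the OAuth project. It implements the OAuth 1.0 signature base string, PLAINTEXT and HMAC-SHA1 signing, and the Authorization header layout from sections 5.1, 5.4.1, 9.1, 9.2 and 9.4 of the 1.0 spec, and uses the sample consumer/token/secret values from the spec's Appendix A walkthrough as its inputs (those values are the spec's, not real credentials; the function names and the tampered request are my own constructions). It shows that with PLAINTEXT the oauth_signature field literally carries both secrets, while with HMAC-SHA1 the header reveals neither and a replayed request with a changed parameter fails verification.

```python
"""OAuth 1.0 request signing: PLAINTEXT vs HMAC-SHA1 (added example, not from the thread)."""
import base64
import hashlib
import hmac
from urllib.parse import quote


def pct(s):
    """Percent-encode per OAuth 1.0 section 5.1 (only RFC 3986 unreserved chars are left alone)."""
    return quote(str(s), safe="-._~")


def signature_base_string(method, base_url, params):
    """Section 9.1: METHOD & enc(base URL) & enc(sorted, encoded params); oauth_signature excluded."""
    pairs = sorted((pct(k), pct(v)) for k, v in params.items() if k != "oauth_signature")
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), pct(base_url), pct(normalized)])


def sign_plaintext(consumer_secret, token_secret):
    """Section 9.4: the 'signature' is just the two secrets joined by '&'."""
    return pct(consumer_secret) + "&" + pct(token_secret)


def sign_hmac_sha1(method, base_url, params, consumer_secret, token_secret):
    """Section 9.2: HMAC-SHA1 over the base string, keyed with enc(cs)&enc(ts), base64 output."""
    key = (pct(consumer_secret) + "&" + pct(token_secret)).encode()
    msg = signature_base_string(method, base_url, params).encode()
    return base64.b64encode(hmac.new(key, msg, hashlib.sha1).digest()).decode()


def authorization_header(params):
    """Section 5.4.1: the Authorization header as it appears on the wire (values encoded again)."""
    return "OAuth " + ", ".join(f'{pct(k)}="{pct(v)}"' for k, v in sorted(params.items()))


def verify_hmac_sha1(method, base_url, params, consumer_secret, token_secret):
    """Service-provider side: recompute the signature and compare in constant time."""
    expected = sign_hmac_sha1(method, base_url, params, consumer_secret, token_secret)
    return hmac.compare_digest(expected, params.get("oauth_signature", ""))


# Sample values from the OAuth 1.0 spec, Appendix A (not real credentials).
CONSUMER_SECRET = "kd94hf93k423kf44"
TOKEN_SECRET = "pfkkdhi9sl3r4s00"
BASE_URL = "http://photos.example.net/photos"
PARAMS = {
    "file": "vacation.jpg",
    "size": "original",
    "oauth_consumer_key": "dpf43f3p2l4k3l03",
    "oauth_token": "nnch734d00sl2jdk",
    "oauth_nonce": "kllo9940pd9333jh",
    "oauth_timestamp": "1191242096",
    "oauth_version": "1.0",
}


def plaintext_header():
    """Header a consumer sends when it picks PLAINTEXT: both secrets ride inside oauth_signature."""
    p = dict(PARAMS, oauth_signature_method="PLAINTEXT")
    p["oauth_signature"] = sign_plaintext(CONSUMER_SECRET, TOKEN_SECRET)
    return authorization_header(p)


def hmac_request():
    """Parameter set (including signature) for the same request signed with HMAC-SHA1."""
    p = dict(PARAMS, oauth_signature_method="HMAC-SHA1")
    p["oauth_signature"] = sign_hmac_sha1("GET", BASE_URL, p, CONSUMER_SECRET, TOKEN_SECRET)
    return p


def secrets_in_header(header):
    """What a passive observer on a non-SSL hop learns from the header alone."""
    return CONSUMER_SECRET in header and TOKEN_SECRET in header


def replay_with_tamper(params):
    """Observer replays a captured HMAC-signed request but changes a parameter (constructed case)."""
    tampered = dict(params, file="other.jpg")
    return verify_hmac_sha1("GET", BASE_URL, tampered, CONSUMER_SECRET, TOKEN_SECRET)


if __name__ == "__main__":
    print(plaintext_header())
    print(authorization_header(hmac_request()))
    print("PLAINTEXT leaks secrets:", secrets_in_header(plaintext_header()))
    print("HMAC-SHA1 leaks secrets:", secrets_in_header(authorization_header(hmac_request())))
    print("tampered replay verifies:", replay_with_tamper(hmac_request()))
```

Note what the HMAC variant does and does not buy you: a captured HMAC-SHA1 request can still be replayed verbatim unless the provider enforces nonce/timestamp uniqueness (section 8 of the spec), but the observer cannot recover the token secret from it, whereas a single captured PLAINTEXT request over HTTP hands over both secrets for good.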