Good news, OAuth is almost secure

Boffins turn up a couple of protocol vulns in Facebook's login standard


German boffins believe there are protocol flaws in Facebook's ubiquitous OAuth protocol that render it vulnerable to attack.

The trio, Daniel Fett, Ralf Küsters and Guido Schmitz of the University of Trier, conducted what's known in security circles as a “formal security analysis” of the protocol, and published the paper on arXiv.

While OAuth 2.0 gets a pass-mark on nearly every level, there are two spots where the protocol is weak: redirection handling, and some aspects of how identity providers (IdPs) are handled.

The first issue is an attack that abuses an HTTP 307 Temporary Redirect. A malicious site acting as a Relying Party (RP, the OAuth term for the site the user logs in to) can capture user credentials if an IdP uses the wrong HTTP redirection status code.

The protocol problem occurs because the OAuth standard “explicitly permits any HTTP redirect”. This is a mistake, the authors say, because if a 307 code is used, “the user’s browser will send a POST request to RP that contains all form data from the previous request, including the user credentials. Since the RP is run by the attacker, it can use these credentials to impersonate the user”.

Their suggestion, which they say will be adopted, is that only HTTP 303 codes should be permitted in OAuth, since “the 303 redirect is defined unambiguously to drop the body of an HTTP POST request”.
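To make the redirect semantics concrete, here is an added Python simulation (not code from the paper or from any OAuth implementation; the IdP and RP URLs, the credentials and the auth code are constructed): it applies the RFC 7231 rules for how a browser re-issues a POST after each redirect status, and shows the login form body reaching the RP only when the IdP answers with 307.

```python
# Added example: simulates browser redirect handling to show why an IdP that
# answers a credential POST with 307 hands the form body to the RP, while 303
# (the paper's recommendation) drops it. All URLs and values are constructed.
from dataclasses import dataclass, field


@dataclass
class Request:
    method: str
    url: str
    body: dict = field(default_factory=dict)  # form fields the browser submits


@dataclass
class Response:
    status: int
    location: str


def follow_redirect(req: Request, resp: Response) -> Request:
    """Build the request a browser issues after a 3xx (RFC 7231 section 6.4)."""
    if resp.status == 303:
        # 303 See Other: always switch to GET and drop the body
        return Request("GET", resp.location)
    if resp.status in (307, 308):
        # 307/308: method and body are preserved verbatim
        return Request(req.method, resp.location, dict(req.body))
    if resp.status in (301, 302):
        # the spec lets the user agent choose; most browsers rewrite to GET,
        # but the behaviour is not guaranteed, which is why the paper wants 303
        return Request("GET", resp.location)
    raise ValueError(f"not a redirect handled here: {resp.status}")


def idp_login(username: str, password: str, rp_redirect_uri: str, status: int) -> Request:
    """Hypothetical IdP: the user POSTs credentials, the IdP redirects back to the RP."""
    login_post = Request("POST", "https://idp.example/login",
                         {"username": username, "password": password})
    # credential check assumed to succeed; hand the user back with a constructed code
    code = "constructed-auth-code"
    return follow_redirect(login_post, Response(status, f"{rp_redirect_uri}?code={code}"))


def credentials_leaked(req: Request) -> bool:
    """True if the request that arrives at the RP still carries the password field."""
    return "password" in req.body


def check_idp_redirect_status(status: int) -> bool:
    """Configuration check matching the paper's fix: only 303 is acceptable."""
    return status == 303
```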

The second vulnerability is one that involves attacking the relying party website: “the attacker confuses an RP about which IdP the user chose at the beginning of the login/authorisation process in order to acquire an authentication code or access token which can be used to impersonate the user or access user data.”

This is a man-in-the-middle vulnerability: if the attacker can manipulate the user's data, they can trick the RP into treating the attacker's IdP as the one the user wants. The fix is to associate each IdP with its own endpoint at the RP.
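The following added Python example (not code from the paper or from any OAuth library; the two IdPs and the RP base URL are constructed placeholders) shows a minimal relying party that records which IdP a login session started with and, following the fix described above, registers a separate redirect endpoint per IdP, so a callback arriving at the wrong endpoint for its session is rejected instead of having its code sent to the wrong token endpoint.

```python
# Added example: a minimal relying party (RP) with and without per-IdP redirect
# endpoints. With a single shared endpoint the RP can only trust the IdP recorded
# in the session; with one endpoint per IdP it can cross-check the two.
import secrets

# constructed registry of hypothetical identity providers
IDPS = {
    "honest-idp": {"auth": "https://honest-idp.example/auth",
                   "token": "https://honest-idp.example/token"},
    "other-idp":  {"auth": "https://other-idp.example/auth",
                   "token": "https://other-idp.example/token"},
}
RP_BASE = "https://rp.example"  # constructed RP origin


class RelyingParty:
    def __init__(self, per_idp_endpoints: bool):
        self.per_idp_endpoints = per_idp_endpoints
        self.sessions = {}  # state -> name of the IdP chosen when login began

    def redirect_uri(self, idp: str) -> str:
        # one shared callback (weak) versus a dedicated endpoint per IdP (the fix)
        return f"{RP_BASE}/cb/{idp}" if self.per_idp_endpoints else f"{RP_BASE}/cb"

    def start_login(self, idp: str):
        """Begin the flow: remember the chosen IdP under a fresh state value."""
        state = secrets.token_urlsafe(16)
        self.sessions[state] = idp
        url = f"{IDPS[idp]['auth']}?redirect_uri={self.redirect_uri(idp)}&state={state}"
        return state, url

    def handle_callback(self, endpoint: str, state: str, code: str) -> str:
        """Return the token endpoint the code will be redeemed at, or raise."""
        chosen = self.sessions.pop(state, None)
        if chosen is None:
            raise ValueError("unknown or reused state")
        if self.per_idp_endpoints and endpoint != self.redirect_uri(chosen):
            # the endpoint identifies the IdP that actually redirected the user;
            # a mismatch with the session's IdP is the mix-up the paper describes
            raise ValueError("IdP mix-up: callback endpoint does not match chosen IdP")
        # with a shared endpoint there is nothing to compare against, so the RP
        # sends the code to whichever IdP the session says, right or wrong
        return IDPS[chosen]["token"]
```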

The attacks also work against OpenID Connect, the researchers write, and both the OAuth and OpenID Connect working groups are working on revising their standards to block the attacks. ®
