German boffins believe there are protocol flaws in Facebook's ubiquitous OAuth protocol that render it vulnerable to attack.
The trio, Daniel Fett, Ralf Küsters and Guido Schmitz of the University of Trier, conducted what's known in security circles as a “formal security analysis” on the protocol, and published it at Arxiv here.
While OAuth 2.0 gets a pass-mark on nearly every level, there are two spots where the protocol is weak: redirection handling, and some aspects of how identity providers (IdP) are handled.
The first issue is an attack on an HTTP 307 Temporary Redirect. A malicious site, called a Relying Party in OAuth, can capture user credentials if an IdP uses the wrong HTTP redirection status code.
The protocol problem occurs because the OAuth standard “explicitly permits any HTTP redirect”. This is a mistake, the authors say, because if a 307 code is used, “the user’s browser will send a POST request to RP that contains all form data from the previous request, including the user credentials. Since the RP is run by the attacker, it can use these credentials to impersonate the user”.
Their suggestion, which they say will be adopted, is that only HTTP 303 codes should be permitted in OAuth, since “the 303 redirect is defined unambigiously to drop the body of an HTTP POST request”.
The second vulnerability is one that involves attacking the relying party Website: “the attacker confuses an RP about which IdP the user chose at the beginning of the login/authorisation process in order to acquire an authentication code or access token which can be used to impersonate the user or access user data.”
This is a man-in-the-middle vulnerability: if the attacker can manipulate user data, they can trick the RP into treating it as the IdP the user wants. The fix is to associate IdPs with endpoints.
The attacks also work against OpenID, the researchers write, and both OAuth and the OpenID Connect working groups are working on revising their standards to block the attacks. ®