The Most Common OAuth2 Vulnerability (homakov.blogspot.com)
20 points by homakov on July 3, 2012 | 3 comments

This is important; while it's not really a general vulnerability, you could run into a lot of trouble if someone's performing a targeted attack. I don't think I'd ever really read anything in any consumer-facing OAuth2 documentation about the importance of state, and given the breadth of sites vulnerable to the issue, it seems like a lot of other people don't know about it either.

Patching this in my Rails apps was easy; it's a trivial solution, but I'm leaving it here to demonstrate that it's not a hard fix.

When generating the URL to redirect to for authorization:

    # Mint an unguessable per-login state and bind it to this user's session.
    session["#{service}_oauth2_state"] = ActiveSupport::SecureRandom.urlsafe_base64(24)
Then, pass state as a param when generating my OAuth authorization URL.

When the authorizing endpoint returns:

    session_state = session["#{service}_oauth2_state"]
    # Reject the callback if no state was stored or the echoed value differs.
    if params[:state] != session_state or session_state.blank?
      render :text => "Unable to validate login state." and return
    end
It's worth noting that I did have to update Koala (the Facebook API library we're using) to get arbitrary parameters passed through to #url_for_oauth_code. Older versions had a hardcoded list of parameters, which did not include state.
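The generate-then-verify flow from this comment as a stand-alone Ruby script (an added example, not the commenter's code and not Rails or Koala code): `session` and `params` are plain Hashes standing in for the Rails objects, and the endpoint URL, client id and helper names are assumptions. It also consumes the stored state on first use and compares in constant time, which goes slightly beyond the snippet above.

```ruby
require "securerandom"
require "uri"

STATE_BYTES = 24 # 24 random bytes -> 32 URL-safe characters, no padding

# Step 1: mint a fresh, unguessable state, bind it to this user's session
# and put it on the authorization URL the user is redirected to.
# (hypothetical helper; authorize_endpoint is whatever the provider publishes)
def build_authorization_url(session, service, client_id, redirect_uri, authorize_endpoint)
  state = SecureRandom.urlsafe_base64(STATE_BYTES)
  session["#{service}_oauth2_state"] = state
  query = URI.encode_www_form(
    "client_id"     => client_id,
    "redirect_uri"  => redirect_uri,
    "response_type" => "code",
    "state"         => state
  )
  "#{authorize_endpoint}?#{query}"
end

# Constant-time equality so the comparison does not leak how many leading
# characters of the expected state matched.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  diff = 0
  a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
  diff.zero?
end

# Step 2: on the callback, accept the authorization code only if the state
# echoed back matches the one stored for this session. The stored value is
# deleted on the way out, so the same callback URL cannot be replayed into
# this session and a session that never started a login has nothing to match.
def valid_callback?(session, service, params)
  expected = session.delete("#{service}_oauth2_state")
  given    = params["state"]
  return false if expected.nil? || expected.empty?
  return false if given.nil? || given.empty?
  secure_equal?(expected, given)
end

if __FILE__ == $0
  # Constructed walk-through: one browser session doing a real login.
  session = {}
  url = build_authorization_url(session, "facebook", "APP_ID", "https://example.test/cb",
                                "https://provider.example/oauth/authorize")
  puts url
  puts valid_callback?(session, "facebook", { "state" => "attacker-chosen", "code" => "x" }) # false
end
```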

It's not hard to fix, agreed. At the same time it must be fixed in gems, not by developers.

By gem developers that is :)
