Interesting to see that Facebook responded by disabling the XSS protection header altogether.
This is another solid example of the lesson: if the user controls it, the input is malicious. Always.
His two most important suggestions are (1) make redirect_uri an exact whitelist instead of allowing pattern-matching and a single domain, and (2) scopes should be set by the user via the provider.
These are both very reasonable adjustments, and could likely be accommodated without too much headache by existing providers. However, they are technically spec-breaking, so this would be more like OAuth 3 than 2.a.
edit: Ahh, I should've looked more closely. This is just his hobby: http://homakov.blogspot.com/p/service.html
In 1000 years your Bender issue will finally be opened.
lol, i don't wanna die until that :(
Definitely interesting with OAuth2 having a 'huge attack surface', I'd love to hear some more about that given how many companies have started using it for securing API access amongst other things.
And nobody listened to him. And he was right.
Some things are too complex to ever be secure and OAuth2 seems to be one of these things.
The lead author and editor, Eran Hammer.
I'm fairly sure most of the flexibility is there to help migrating enterprise and legacy apps to OAuth2. It's not a great approach, though -- enough security disasters and the problems of migrating will simply go away, because the poor rep of the mechanism will mean no migrations are happening.
I'm using OAuth2 for an API, but a small subset of it that doesn't seem to permit the abuse Egor covers -- though I'm going over it with a fine-toothed comb now. XSS vulnerabilities are more subtle than most other hacks, and so the dangers aren't as obvious in a simple review.
I don't support alternative response_types; I don't support dynamic redirect_uri (at the moment, it's completely static; in future we may offer the list option), and the allowed scope for a given client is set during setup -- you can't then request a scope you aren't authorized for, given your client id.
I'm not breaking the spec -- it offers all of these paths as options. You don't have to implement all of the possibilities the spec covers.
The bad thing about the spec is that some of the possible paths are indeed less secure (it even says so in the spec in places...), so the security of your OAuth2 implementation is purely up to your judgement.
The nice thing about good specs is that you benefit from the presumably-better judgement of the folks designing the spec....
Billy Rios (discovered GIFAR) http://xs-sniper.com/blog/
Michal Zalewski (one of the top security researchers in the world, wrote "The Tangled Web", a must-read) http://lcamtuf.blogspot.com
Neal Poole: https://nealpoole.com/blog/
Nir Goldshlager: http://www.nirgoldshlager.com/
Michael Brooks: https://sitewatch.me/en/Blog
Nils Jünemann: http://www.nilsjuenemann.de/
Stefano di Paola (Minded Security): http://blog.mindedsecurity.com/
Root Labs: http://rdist.root.org/
I'm really looking forward to the next article. I've heard talk of OAuth2 as an enterprise authentication mechanism and it's stuff like this that helps keep everyone honest.
That being said I'd much rather be the guy who has 10000 folks banging away at his stack than the one who is never tested. It's hard to know which buckets are leaking until you fill them.
Highly entertaining (and illuminating) article.
what you will do after you discover and disclose all vulnerabilities [or at least the major ones]?
1. I have web site
2. I do not have FB app
3. I have FB page
4. I enable for users "Login with your FB account"
5. I have FB Like button on the web site
Am I vulnerable and if yes, what's the vector/consequences?
To begin with, I don't believe you are vulnerable through this exploit any more. Facebook has fixed this by changing the response in OAuth so that it would no longer trigger the block redirect. In particular:
"Facebook had '1; mode=block' header. Now it's 0; because of us"
Every site using Facebook's OAuth was vulnerable. I don't believe the basic FB like button actually uses OAuth, but using FB as a way to login to your site would.
The vulnerability takes advantage of Chrome's handling of the above response from the server. When it sees that response, it loads a separate page to prevent the request from going through. The problem is this particular page has details about the request, like OAuth credentials in the response, and allows a third party script to have access to details about the request. Once an attacker has access to OAuth credentials, they basically have access to the login credentials for that user (ie as if the user's username and password were compromised)
Any user that is logged in to FB can have their OAuth app credentials compromised if they visited a site running this malicious code.