There are other bits of sensitive info that might pass via redirect and be 
intercepted due to the scheme handler insecurity.  It's not just OAuth or other 
such tokens, although they are significant. 


On Thursday, June 18, 2015 10:25 AM, John Bradley <ve7...@ve7jtb.com> wrote:

Passing the FB token between apps on the device is not a real use of the implicit flow; Facebook may be reusing the pattern in an insecure way.
The NAPPS WG at the OIDF recognized that was insecure a long time ago. We are looking to use the S256 PKCE transform to secure similar sorts of on-device communication of code between an OAuth proxy on the device and an app.
John B.

On Jun 18, 2015, at 12:25 PM, Nat Sakimura <sakim...@gmail.com> wrote:
Yup. Obviously, PKCE is for the Code Flow and does not deal with the Implicit flow. The best bet probably is to stop using the Implicit flow for passing tokens around among apps, unless the token is capable of being sender confirmed.
Nat
2015-06-18 23:47 GMT+09:00 Bill Mills <wmills_92...@yahoo.com>:

PKCE solves a subset of this, but not the general case. It doesn't solve the FB example in the paper where the FB token is passed between apps locally.
It is a clear win for the OAuth code flow, for example, though.


On Thursday, June 18, 2015 7:31 AM, Nat Sakimura <sakim...@gmail.com> wrote:

Hi OAuthers:
The XARA (Cross App Resource Access) paper was gaining interest here in Japan today because of the Register article [1]. I went over the attack description in the full paper [2].
The paper presents four kinds of vulnerabilities:
   - Password Stealing (Keychain)
   - Container Cracking (BundleID check bug on the part of Apple App Store)
   - IPC Interception (a. WebSocket non-authentication, and b. local OAuth redirect)
   - Scheme Hijacking
Of those, 3.b and 4 are relevant to us, and we kind of knew them all the way through.
These are the target attacks that PKCE specifically wants to address, and does address, I believe.

[1] http://www.theregister.co.uk/2015/06/17/apple_hosed_boffins_drop_0day_mac_ios_research_blitzkrieg/
[2] https://sites.google.com/site/xaraflaws/



--
Nat Sakimura (=nat)
Chairman, OpenID Foundation
http://nat.sakimura.org/
@_nat_en
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
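Added example, not part of any message in this thread: the S256 PKCE transform John Bradley refers to (RFC 7636), with a constructed toy authorization server showing why an authorization code that leaks through a hijacked URL scheme (Nat's items 3.b and 4) cannot be redeemed without the code_verifier. The `AuthorizationServer` class and the two flow functions are illustrative constructions; the known-answer values in the comments come from RFC 7636 Appendix B.

```python
import base64
import hashlib
import secrets


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_code_verifier() -> str:
    # 32 random bytes encode to 43 unreserved characters, the RFC 7636 minimum length.
    return b64url(secrets.token_bytes(32))


def s256_challenge(verifier: str) -> str:
    # S256 transform: code_challenge = BASE64URL(SHA256(ASCII(code_verifier))).
    # RFC 7636 App. B: "dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk"
    #   -> "E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM"
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


class AuthorizationServer:
    # Toy AS constructed for this example: binds each issued code to its challenge.
    def __init__(self) -> None:
        self._pending = {}  # code -> code_challenge

    def authorize(self, code_challenge: str, method: str = "S256") -> str:
        if method != "S256":
            raise ValueError("only S256 accepted; 'plain' gives no interception protection")
        code = b64url(secrets.token_bytes(16))
        self._pending[code] = code_challenge
        return code  # delivered to the app over its (hijackable) custom-scheme redirect

    def token(self, code: str, code_verifier: str) -> bool:
        challenge = self._pending.pop(code, None)  # codes are single use
        if challenge is None:
            return False
        return secrets.compare_digest(s256_challenge(code_verifier), challenge)


def legitimate_exchange(auth_server: AuthorizationServer) -> bool:
    verifier = make_code_verifier()  # stays in the requesting app's memory
    code = auth_server.authorize(s256_challenge(verifier))
    return auth_server.token(code, verifier)


def intercepted_code_exchange(auth_server: AuthorizationServer) -> bool:
    # A second app registered for the same scheme receives the code but never saw
    # the verifier, so whatever it presents at the token endpoint fails the check.
    verifier = make_code_verifier()
    code = auth_server.authorize(s256_challenge(verifier))
    return auth_server.token(code, make_code_verifier())
```

Because the code is consumed by the failed attempt, the legitimate app's own exchange then fails as well; on a real AS a failed S256 check is worth logging as a possible on-device interception.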