I think this just falls into the category of never redirect the user to a
URL that doesn't match one of the preregistered redirect URLs (or logout
URLs for that matter). Any application that has redirects anywhere provides
an opportunity for this attack vector; OAuth isn't unique in that way, it
is just consistent and documented. And the 2.1 draft is pretty clear on
this front:

https://datatracker.ietf.org/doc/html/draft-ietf-oauth-v2-1-04#section-4.1.2.1

>    If the request fails due to a missing, invalid, or mismatching
>    redirect URI, or if the client identifier is missing or invalid, the
>    authorization server SHOULD inform the resource owner of the error
>    and *MUST NOT automatically redirect the user agent to the invalid
>    redirect URI*.


I want to call this attack vector "*illegitimate* phishing applications",
which is easily blocked by preregistration and/or PARs. And it is only a very
small subset of phishing attacks with OAuth, of which the larger group is
"*legitimate* phishing applications". An app can be registered correctly
and still issue a phishing attack, as phishing attacks through OAuth are
actually indistinguishable from standard user delegation. There is no way
to prevent these without an application review before registration is
completed. Here's an example that cloned Google apps by creating a fake app
called *google defender*:
https://www.trendmicro.com/en_us/research/17/d/pawn-storm-abuses-open-authentication-advanced-social-engineering-attacks.html

If we can't protect against these latter ones, I hardly think protecting
against the former is useful/interesting/valuable.

Warren Parad

Founder, CTO
Secure your user data with IAM authorization as a service. Implement
Authress <https://authress.io/>.
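Added example, not from either message in this thread: a minimal authorization-endpoint validator that applies the draft rule quoted above. The client registry, client_id and URLs are constructed for illustration; only a redirect_uri that exactly matches a registered value ever receives an error redirect, every other failure is shown to the resource owner without redirecting.

```python
from urllib.parse import urlencode

# Constructed client registration (hypothetical values). Redirect URIs are
# compared by exact string match, never by prefix, pattern or host only.
REGISTERED_CLIENTS = {
    "client-123": {
        "redirect_uris": {"https://app.example/cb"},
        "scopes": {"openid", "profile"},
    },
}


def handle_authorization_request(params: dict) -> tuple:
    """Return ("error_page", msg), ("redirect", url) or ("consent", redirect_uri).

    "error_page" means the server renders the message to the resource owner
    and sends no Location header at all (the draft's MUST NOT).
    """
    client = REGISTERED_CLIENTS.get(params.get("client_id", ""))
    redirect_uri = params.get("redirect_uri")

    # Unknown client, or redirect_uri missing / not exactly registered:
    # inform the user, do not redirect. The destination is untrusted, so no
    # error response may be delivered to it.
    if client is None:
        return ("error_page", "Unknown client_id; request not redirected.")
    if redirect_uri is None or redirect_uri not in client["redirect_uris"]:
        return ("error_page", "redirect_uri missing or not registered; request not redirected.")

    # From here on the destination is a preregistered URI, so the remaining
    # RFC 6749 error codes may be returned to the client via redirect.
    def error_redirect(code: str) -> tuple:
        query = {"error": code}
        if params.get("state"):
            query["state"] = params["state"]  # echo state only on a trusted redirect
        return ("redirect", f"{redirect_uri}?{urlencode(query)}")

    if params.get("response_type") != "code":
        return error_redirect("unsupported_response_type")
    requested = set(params.get("scope", "").split())
    if not requested <= client["scopes"]:
        return error_redirect("invalid_scope")

    # Request is well formed; the server would now authenticate the user and
    # ask for consent before issuing a code to this redirect_uri.
    return ("consent", redirect_uri)
```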


On Thu, Dec 16, 2021 at 9:05 PM Rifaat Shekh-Yusef <rifaat.s.i...@gmail.com>
wrote:

> All,
>
>
> An article was recently published discussing some OAuth Redirection
> Attacks to try to bypass phishing detection solutions. See the details of
> these attacks in the following link:
>
> https://www.proofpoint.com/us/blog/cloud-security/microsoft-and-github-oauth-implementation-vulnerabilities-lead-redirection
>
> The article discusses attacks on Microsoft and GitHub, but these attacks
> are not unique to these companies.
>
> The attacks take advantage of how OAuth handles error responses, which
> sends responses to the application’s redirect URL.
>
> I would like to get the thoughts of the working group on these types of
> attacks.
>
> What is the best way to mitigate these attacks?
>
> Do we need a new approach for handling errors with OAuth?
>
> Regards,
>
>  Rifaat
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>