Hi All

One of the agenda items for IETF 113 is the device authorization grant flow (aka device code flow), scheduled for Thursday 24 March 2022. Before the meeting, I wanted to share a bit more information for those interested in the topic and also give those who are unable to attend in person an opportunity to participate in the conversation.

The Device Authorization Grant Flow (RFC 8628)<https://datatracker.ietf.org/doc/html/rfc8628> solves an important problem by enabling authorization flows on devices that are unable to support a browser or have limited input capabilities. However, looking back over the past 18-24 months, there have been a number of practical exploits published that use social engineering techniques applied to the device authorization grant flow.

The goal of the session at IETF 113 is to discuss the patterns of the exploits that are known and start a conversation on what (if anything) we should do, based on what we are learning.

These exploits follow a general man-in-the-middle (MITM) pattern, where the attacker:

  1.  Initiates the Device Authorization Grant flow on a device under their control,
  2.  Presents the user code in a context that the end-user is likely to act on (using social engineering techniques), and
  3.  Once the user grants access, retrieves the access and refresh tokens and uses them to access the user’s resources.

Some of the exploits are described here for those interested in more detail:

  1.  The Art of the Device Code Phish - Boku (0xboku.com)<https://0xboku.com/2021/07/12/ArtOfDeviceCodePhish.html>
  2.  Microsoft 365 OAuth Device Code Flow and Phishing | Optiv<https://www.optiv.com/insights/source-zero/blog/microsoft-365-oauth-device-code-flow-and-phishing>
     *   optiv/Microsoft365_devicePhish: A proof-of-concept script to conduct a phishing attack abusing Microsoft 365 OAuth Authorization Flow (github.com)<https://github.com/optiv/Microsoft365_devicePhish>
  3.  Introducing a new phishing technique for compromising Office 365 accounts (o365blog.com)<https://o365blog.com/post/phishing/#new-phishing-technique-device-code-authentication>
  4.  DEF CON 29 - Jenko Hwong - New Phishing Attacks Exploiting OAuth Authentication Flows - YouTube<https://www.youtube.com/watch?v=9slRYvpKHp4>

In terms of a response, there are a few options that come to mind (these are not exhaustive, I would love to see what others have in mind as well):

  A.  Do nothing: We can choose to leave everything as is. The downside of this is that the lessons we are learning are not getting disseminated or resulting in reduced risks.
  B.  Update the recommendations: We can document the social engineering exploits and recommend some additional mitigations as well as recommendations in terms of use cases. Although these types of "phishing"/social engineering attacks are called out in the security considerations in RFC 8628 - OAuth 2.0 Device Authorization Grant<https://datatracker.ietf.org/doc/html/rfc8628>, we can add further mitigations to create greater defence in depth. This will help future implementers and may even be useful for future protocols that rely on similar cross-device authentication and authorization flows.
  C.  Explore alternatives: Develop, adopt, or evolve new protocols that address the scenario while mitigating or avoiding the risks.

Option A does not do much to improve the state of the art. Option B feels like something we can do now, and we may learn something along the way that can help inform Option C, which may be much further down the road and require more research. What other options come to mind?

I’m looking forward to the conversation and hearing what others are thinking about this topic.

Cheers,

Pieter

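Since the pattern described in the message hinges on the flow being initiated on the attacker's device and approved by the user somewhere else, one defender-side check is to correlate those two events on the authorization server. The following is an added example, not code from the original post or from any OAuth implementation; the log event shape, the src_country field and the 10-minute threshold are assumptions, and legitimate cross-device use (a TV approved from a phone while travelling) will also trip it, so treat the output as a triage signal rather than a verdict.

```python
# Added example, not from the original post: correlate the authorization
# server's device_authorization requests (step 1, made from the attacker's
# device) with the later user approvals (step 2, made from wherever the user
# code was presented) and flag approvals whose origin or timing does not fit.
from dataclasses import dataclass, field
from datetime import datetime, timedelta

@dataclass
class Finding:
    user_code: str
    client_id: str
    reasons: list = field(default_factory=list)

# Constructed sample events in an assumed log format:
# 'device_auth' = POST to the device authorization endpoint (RFC 8628, 3.1),
# 'approval'    = the end user entered the user_code and consented (3.3).
EVENTS = [
    {"type": "device_auth", "user_code": "WDJB-MJHT", "client_id": "tv-app",
     "src_country": "US", "ts": "2022-03-01T10:00:00"},
    {"type": "approval", "user_code": "WDJB-MJHT", "user": "alice",
     "src_country": "US", "ts": "2022-03-01T10:01:30"},
    {"type": "device_auth", "user_code": "BQ7M-4TLF", "client_id": "tv-app",
     "src_country": "NL", "ts": "2022-03-01T11:00:00"},
    {"type": "approval", "user_code": "BQ7M-4TLF", "user": "bob",
     "src_country": "US", "ts": "2022-03-01T11:12:00"},
]

# Assumed triage threshold: a code shown on a screen in front of the user is
# normally entered within a few minutes of being issued.
MAX_APPROVAL_DELAY = timedelta(minutes=10)

def correlate(events):
    """Return a Finding for each approval that looks attacker-initiated."""
    requests = {e["user_code"]: e for e in events if e["type"] == "device_auth"}
    findings = []
    for e in events:
        if e["type"] != "approval" or e["user_code"] not in requests:
            continue
        req = requests[e["user_code"]]
        f = Finding(e["user_code"], req["client_id"])
        if e["src_country"] != req["src_country"]:
            f.reasons.append("approval origin differs from requesting device")
        delay = datetime.fromisoformat(e["ts"]) - datetime.fromisoformat(req["ts"])
        if delay > MAX_APPROVAL_DELAY:
            f.reasons.append("approval long after user code was issued")
        if f.reasons:
            findings.append(f)
    return findings
```

Running correlate(EVENTS) flags only the second approval (BQ7M-4TLF), for both the country mismatch and the 12-minute delay; the first, approved 90 seconds later from the same country, passes.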
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
