[OAUTH-WG] XARA vulnerability Paper and PKCE

2015-06-18 Thread Nat Sakimura
Hi OAuthers:

XARA (Cross App Resource Access) paper was gaining interest here in Japan
today because of the Register article[1].
I went over the attack description in the full paper [2].
The paper presents four kinds of vulnerabilities.

   1. Password Stealing (Keychain)
   2. Container Cracking (BundleID check bug on the part of Apple App Store)
   3. IPC Interception (a. WebSocket non-authentication, and b. local oauth
   redirect)
   4. Scheme Hijacking

Of those, 3.b and 4 are relevant to us, and we kind of knew them all the
way through.
These are the target attacks that PKCE specifically wants to address, and
does address, I believe.


[1]
http://www.theregister.co.uk/2015/06/17/apple_hosed_boffins_drop_0day_mac_ios_research_blitzkrieg/
[2] https://sites.google.com/site/xaraflaws/




-- 
Nat Sakimura (=nat)
Chairman, OpenID Foundation
http://nat.sakimura.org/
@_nat_en
___
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth


Re: [OAUTH-WG] XARA vulnerability Paper and PKCE

2015-06-18 Thread Bill Mills
PKCE solves a subset of this, but not the general case.  It doesn't solve the 
FB example in the paper where the FB token is passed between apps locally.
It is a clear win for the OAuth code flow for example though. 



Re: [OAUTH-WG] XARA vulnerability Paper and PKCE

2015-06-18 Thread Nat Sakimura
Yup. Obviously, PKCE is for the Code Flow and does not deal with the Implicit flow.
The best bet probably is to stop using the Implicit flow for passing tokens around
among apps, unless the token is capable of being sender confirmed.

Nat
-- 
Nat Sakimura (=nat)
Chairman, OpenID Foundation
http://nat.sakimura.org/
@_nat_en
___
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth


Re: [OAUTH-WG] XARA vulnerability Paper and PKCE

2015-06-18 Thread John Bradley
Passing the FB token between apps on the device is not a real use of the
implicit flow; Facebook may be reusing the pattern in an insecure way.

The NAPPS WG at the OIDF recognized that was insecure a long time ago.  We are
looking to use the S256 PKCE transform to secure similar sorts of on-device
communication of a code between an OAuth proxy on the device and an app.

John B.

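The two points made above, that PKCE is what addresses the local OAuth redirect interception (3.b) and scheme hijacking (4) cases from the paper, and that the S256 transform is the one worth using, can be seen in a small worked flow. The code below is an added example for this thread, not code from the OAuth WG, the OIDF NAPPS WG, or the XARA paper; the in-memory authorization server, the client identifier and the scheme-hijack scenario are constructed for illustration. It shows why a rogue app that receives the redirect (and so the authorization code) still cannot redeem it: the code_verifier never leaves the legitimate app, and the server only ever saw its SHA-256 hash. It also shows the limit Bill raised: nothing here helps if a bearer token, rather than a code, is what travels over the hijacked scheme.

```python
"""PKCE (RFC 7636) with the S256 transform, worked end to end.

Added example for this thread. It is not code from the OAuth WG, the OIDF
NAPPS WG, or the XARA paper; the in-memory authorization server, the client
identifier and the scheme-hijack scenario are constructed for illustration.
"""
import base64
import hashlib
import hmac
import secrets
from typing import Dict, Optional


def b64url(data: bytes) -> str:
    """base64url without '=' padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def generate_code_verifier(nbytes: int = 32) -> str:
    """High-entropy code_verifier; 32 random bytes give the 43-char minimum."""
    return b64url(secrets.token_bytes(nbytes))


def s256_challenge(code_verifier: str) -> str:
    """code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(code_verifier.encode("ascii")).digest())


class AuthorizationServer:
    """Constructed in-memory AS: binds every authorization code to the
    code_challenge presented at /authorize and checks the verifier at /token."""

    def __init__(self) -> None:
        self._pending: Dict[str, Dict[str, str]] = {}

    def authorize(self, client_id: str, code_challenge: str,
                  code_challenge_method: str = "S256") -> str:
        # Refuse "plain": an interceptor who saw the challenge in the request
        # would then also hold the verifier. Only the hashed form is accepted.
        if code_challenge_method != "S256":
            raise ValueError("unsupported code_challenge_method")
        code = secrets.token_urlsafe(24)
        self._pending[code] = {"client_id": client_id, "challenge": code_challenge}
        return code

    def token(self, client_id: str, code: str,
              code_verifier: Optional[str]) -> Optional[str]:
        # Single use: the code is consumed on the first attempt, success or
        # not, so a failed redemption also invalidates it for everyone else.
        record = self._pending.pop(code, None)
        if record is None or record["client_id"] != client_id:
            return None
        if code_verifier is None or not 43 <= len(code_verifier) <= 128:
            return None
        # Constant-time compare of the recomputed challenge with the stored one.
        if not hmac.compare_digest(s256_challenge(code_verifier), record["challenge"]):
            return None
        return "access-token-for-" + client_id  # constructed placeholder value


def scheme_hijack_scenario() -> Dict[str, bool]:
    """A rogue app that registered the same custom URL scheme receives the
    redirect (and therefore the code) but never saw the code_verifier, which
    only ever lived in the legitimate app's memory."""
    az = AuthorizationServer()
    client_id = "com.example.legit"  # public client; the rogue can claim it too

    # Case 1: the rogue app redeems first with a guessed verifier. It fails,
    # and the legitimate app's later attempt fails as well because the code is
    # spent: that second failure is the server-side signal worth logging.
    verifier = generate_code_verifier()
    code = az.authorize(client_id, s256_challenge(verifier))
    rogue_first = az.token(client_id, code, generate_code_verifier())
    legit_after = az.token(client_id, code, verifier)

    # Case 2: the legitimate app redeems first; the rogue's replay is refused.
    verifier = generate_code_verifier()
    code = az.authorize(client_id, s256_challenge(verifier))
    legit_first = az.token(client_id, code, verifier)
    rogue_replay = az.token(client_id, code, generate_code_verifier())

    return {
        "rogue_first": rogue_first is not None,
        "legit_after_rogue": legit_after is not None,
        "legit_first": legit_first is not None,
        "rogue_replay": rogue_replay is not None,
    }


if __name__ == "__main__":
    print(scheme_hijack_scenario())
```

The server pops the code before checking the verifier on purpose: a mismatch burns the code, so a legitimate client that arrives second gets an error instead of a token, and the mismatch is the event to alert on. Note that the client_id check alone buys nothing for a public native client, since a rogue app can present the same identifier; the binding that matters is the hash of the verifier.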


Re: [OAUTH-WG] Barry Leiba's Discuss on draft-ietf-oauth-spop-12: (with DISCUSS and COMMENT)

2015-06-18 Thread John Bradley
Just an FYI, the issue addressed in this draft hit the media this week as a
result of this paper
https://drive.google.com/file/d/0BxxXk1d3yyuZOFlsdkNMSGswSGs/view

The attack we have been discussing is in Section 3.4.

John B.
> On Jun 11, 2015, at 5:06 PM, Hannes Tschofenig wrote:
> 
> Sounds good to me, Barry!
> 
> On 06/11/2015 09:10 PM, Barry Leiba wrote:
>>> Ah, got it.  Then it would be good for (4) to say that, maybe just by
>>> adding to the end, "This mechanism does not protect again the more
>>> sophisticated attack."  Sound OK?
>> That should be "against", of course, not "again".  I hate tupos.
> 



Re: [OAUTH-WG] XARA vulnerability Paper and PKCE

2015-06-18 Thread Bill Mills
There are other bits of sensitive info that might pass via redirect and be 
intercepted due to the scheme handler insecurity.  It's not just OAuth or other 
such tokens, although they are significant. 
