OAuth vulnerability

Published: 2009-04-22
Last Updated: 2009-04-23 16:43:11 UTC
by Jason Lam (Version: 1)
2 comment(s)

My friend Jason Kendall pointed to me that OAuth had acknowledged the report of a vulnerability. There are no details on the vulnerability announced yet. It is known that twitter, Yahoo, Google and Netflix and other OAuth providers are all working on the research and mitigation of this vulnerability. We should hear more shortly.

OAuth is an open protocol to allow API access authorization. It's use allow user to grant access on specific user's data to online providers. It is commonly used with OpenID where OpenID provides the authentication and then OAuth gives access to the user's properties and attributes without giving all other information to the provider. One site might want need to know the user's name and age but another should only know the user's name and food preference, Oauth allows such disclosure to happen.

Update: The actual vulnerability detail had been released. The vulnerability is similar to a session fixation vulnerability (it's not session related). The attacker can get a legitimate request token from one site, then entice a victim to click on a link with that token. The link brings the victim to a page for approving access for site to access personal information. The attacker can then finishes the authorization and get access to whatever information was approved to be accessed by the site.

 

Keywords: OAuth
2 comment(s)

Comments

Full details have been released here:

http://oauth.net/advisories/2009-1
Here is a good explanation, and some thoughts on a fix.

http://www.hueniverse.com/hueniverse/2009/04/explaining-the-oauth-session-fixation-attack.html

Diary Archives