Authentication protocol fixed for two critical issues

Jan 8, 2016 20:14 GMT

Three scientists from the University of Trier in Germany carried out a security audit of the OAuth 2.0 protocol and helped OAuth developers patch critical flaws before going public with their research.

OAuth 2.0 is a widely used Web authorization protocol and the base of single-sign-on systems such as OpenID Connect. It lets a user log in to a third-party website with an account held at another Web service, and lets the user authorize the first site to access resources (a profile, contacts, files) held by the second.

In OAuth lingo, the first website is the client, usually called the relying party (RP), while the second service is the identity provider (IdP); the OAuth specification itself calls the latter the authorization server.

Many online services are OAuth providers. The list includes major services like Google, Twitter, Facebook, Microsoft, Yahoo, and so on.

OAuth is popular with users because it spares them creating a new identity for every site they sign up to: instead of yet another password to remember, they reuse a few accounts from a handful of services.

As the three researchers discovered during their security audit, the OAuth protocol was vulnerable to two distinct attacks, which they named the 307 Redirect and the IdP Mix-Up (IdP standing for Identity Provider).

The 307 Redirect attack

For the 307 Redirect, the attacker must control the relying party, the service the user is trying to log in to. The user is redirected to the identity provider's website and enters their username and password into the provider's login form. All of this is normal.

The attack happens when, after a successful login, the identity provider redirects the browser back to the (malicious) relying party.

If the identity provider answers the login form POST with an HTTP 307 (Temporary Redirect), the browser, following the HTTP standard, repeats the request against the new location with the same method and the same body. That body is the submitted login form, so the attacker's site receives the user's username and password together with the authorization response.

The researchers recommend redirecting with a 303 (See Other) instead: 303 is the one redirect code for which the browser is guaranteed to switch to GET and drop the body, so the credentials never leave the identity provider. A 302 changes POST to GET in practice as well, but only 303 guarantees that behaviour.
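The redirect semantics above, as an added example that is not part of the original article or the paper: a hypothetical, simplified model of the moment the browser has just POSTed the IdP login form and the IdP redirects back to the relying party's redirect_uri. The hosts, the form fields and the authorization code are constructed; the function names are my own. The point it shows is that what the browser sends to the relying party depends only on the status code (RFC 7231 section 6.4).

```python
"""Why a 307 redirect after the IdP's login form leaks the user's password.

Hypothetical, simplified model of one step of the OAuth 2.0 code flow (not
real IdP or browser code): the browser has just POSTed the login form to the
identity provider (IdP), and the IdP answers with a redirect to the relying
party's (RP's) redirect_uri. What the browser sends next depends on the
status code: 303 See Other switches to GET and drops the body, while
307 Temporary Redirect keeps both the method and the body.
"""
from urllib.parse import urlencode, urlsplit, parse_qs

# Constructed sample: the victim's login form submission to the IdP.
LOGIN_POST = {
    "method": "POST",
    "url": "https://idp.example/login",
    "body": {"username": "alice", "password": "hunter2"},
}
# Constructed: the redirect_uri the (possibly malicious) RP registered at the IdP.
RP_REDIRECT_URI = "https://rp.example/callback"


def idp_login_response(status: int, code: str = "AUTHZ-CODE-123") -> dict:
    """IdP's reply to a successful login: redirect to the RP carrying the code."""
    location = RP_REDIRECT_URI + "?" + urlencode({"code": code, "state": "xyz"})
    return {"status": status, "headers": {"Location": location}}


def browser_follow(request: dict, response: dict) -> dict:
    """The next request a standards-conforming browser issues for a redirect."""
    status = response["status"]
    location = response["headers"]["Location"]
    if status in (301, 302, 303):
        # 303 requires GET without body; browsers treat 301/302 the same for POST.
        return {"method": "GET", "url": location, "body": {}}
    if status in (307, 308):
        # Method and body are repeated verbatim against the new location.
        return {"method": request["method"], "url": location, "body": dict(request["body"])}
    raise ValueError(f"not a redirect: {status}")


def rp_receives(status: int) -> dict:
    """Everything the RP learns when the IdP redirects with `status`: query and body."""
    nxt = browser_follow(LOGIN_POST, idp_login_response(status))
    assert urlsplit(nxt["url"]).netloc == urlsplit(RP_REDIRECT_URI).netloc
    query = {k: v[0] for k, v in parse_qs(urlsplit(nxt["url"]).query).items()}
    return {"method": nxt["method"], "query": query, "body": nxt["body"]}


def credentials_leaked_to_rp(status: int) -> bool:
    """True if the RP gets the victim's password along with the authorization code."""
    return "password" in rp_receives(status)["body"]


if __name__ == "__main__":
    for status in (307, 303):
        print(status, rp_receives(status), "leaks password:", credentials_leaked_to_rp(status))
```

Running it shows the RP getting `code` in the query string in both cases, but the full login form body only for 307. The same model says why 308 is just as bad as 307 for this purpose, and why the fix is a status code change on the IdP rather than anything the relying party can do.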

The IdP Mix-Up attack

The second attack, IdP Mix-Up, is what its name suggests: the relying party is tricked into confusing two identity providers, one honest and one controlled by the attacker.

IdP Mix-Up needs a man-in-the-middle who can tamper with traffic between the victim and the relying party, for example an attacker or an infected machine on the victim's network. In the flow the researchers describe, the attacker alters the unprotected request in which the user tells the relying party which identity provider to use (possible when that request travels over plain HTTP), swapping in the attacker's provider, and then alters the relying party's redirect response so that the browser still goes to the honest provider. The relying party now records the attacker's provider for the session, while the user actually logs in at the honest one.

When the honest identity provider sends the authorization code (or, in the implicit mode, the access token) back to the relying party, the relying party forwards it to the provider it has on record for that session, that is, to the attacker. The attacker then redeems the stolen code in a login of their own and ends up logged in at the relying party under the victim's identity. The fix the researchers proposed is for the identity provider to state its own identity in the authorization response, and for the relying party to compare it with the provider it recorded when the login started, rejecting any response that does not match.
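The message flow above and the issuer check that stops it, as an added example that is not code from the article, the paper or any real OAuth library. It is a hypothetical in-process simulation: the hosts, the user, the `iss` parameter name used to carry the provider's identity, and the class and function names are my own assumptions. The two network-attacker manipulations are modelled as edits to the strings that pass between browser and relying party.

```python
"""IdP Mix-Up against the OAuth 2.0 authorization code flow, and the check
that stops it. Hypothetical simulation, not real RP/IdP code: the relying
party (RP) is registered at an honest IdP (HIdP) and at an attacker-run IdP
(AIdP). A network attacker who can tamper with the user's unprotected first
request to the RP swaps the IdP the user chose.
"""
import secrets
from urllib.parse import urlencode, urlsplit, parse_qs

RP_CALLBACK = "https://rp.example/callback"   # constructed redirect_uri


class MixUpDetected(Exception):
    """Raised by a fixed RP when the authorization response names the wrong issuer."""


class IdP:
    """Minimal authorization server: issues codes, redeems them, optionally says who it is."""

    def __init__(self, issuer, announce_issuer):
        self.issuer = issuer
        self.announce_issuer = announce_issuer   # the fix: add `iss` to the authz response
        self.codes = {}                          # code -> authenticated user
        self.seen_at_token_endpoint = []         # every code any client presented to us

    def authorize(self, user, state, redirect_uri):
        """User logged in here; send the browser back to the RP with a fresh code."""
        code = secrets.token_urlsafe(12)
        self.codes[code] = user
        params = {"code": code, "state": state}
        if self.announce_issuer:
            params["iss"] = self.issuer
        return redirect_uri + "?" + urlencode(params)

    def token(self, code):
        """Token endpoint: returns the user behind a code, None if we never issued it."""
        self.seen_at_token_endpoint.append(code)
        return self.codes.pop(code, None)


class RP:
    """Relying party registered at several IdPs; remembers per login which one it chose."""

    def __init__(self, idps, check_issuer):
        self.idps = {idp.issuer: idp for idp in idps}
        self.check_issuer = check_issuer
        self.pending = {}                        # state -> issuer recorded at login start

    def start_login(self, issuer):
        state = secrets.token_urlsafe(8)
        self.pending[state] = issuer
        query = urlencode({"state": state, "redirect_uri": RP_CALLBACK})
        return state, issuer + "/authorize?" + query

    def callback(self, url):
        q = {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}
        expected = self.pending.pop(q["state"])
        if self.check_issuer and q.get("iss") != expected:
            raise MixUpDetected(f"response from {q.get('iss')!r}, session expects {expected!r}")
        # Unfixed RP trusts its own (attacker-poisoned) record of which IdP is in use
        # and sends the code (plus its client secret for that IdP) to its token endpoint.
        return self.idps[expected].token(q["code"])


def run_mix_up(fix_enabled):
    """('rejected', None) if the RP stops the attack, else ('logged_in_as', user)."""
    hidp = IdP("https://hidp.example", announce_issuer=fix_enabled)
    aidp = IdP("https://aidp.example", announce_issuer=False)   # attacker-controlled
    rp = RP([hidp, aidp], check_issuer=fix_enabled)

    # 1. Victim picks HIdP, but the network attacker rewrites that plain-HTTP request
    #    to name AIdP, so the RP records AIdP for this session.
    state, authz_url = rp.start_login(aidp.issuer)
    # 2. Attacker rewrites the RP's redirect so the browser really goes to HIdP.
    authz_url = authz_url.replace(aidp.issuer, hidp.issuer)
    assert authz_url.startswith(hidp.issuer)
    # 3. Victim authenticates at HIdP, which redirects back to the RP with a code.
    callback_url = hidp.authorize("alice", state, RP_CALLBACK)
    # 4. RP redeems the code at the IdP it remembered: the attacker's token endpoint.
    try:
        rp.callback(callback_url)
    except MixUpDetected:
        return ("rejected", None)
    stolen_code = aidp.seen_at_token_endpoint[-1]
    # 5. Attacker starts an honest-looking login at the RP via HIdP and injects the
    #    stolen code into the callback of that session.
    attacker_state, _ = rp.start_login(hidp.issuer)
    user = rp.callback(RP_CALLBACK + "?" + urlencode({"code": stolen_code, "state": attacker_state}))
    return ("logged_in_as", user)


if __name__ == "__main__":
    print("unfixed:", run_mix_up(fix_enabled=False))
    print("fixed:  ", run_mix_up(fix_enabled=True))
```

Note that `state` does not help here: it is the RP's own session identifier and is carried through unchanged, so it matches. What the unfixed RP lacks is any binding between the response it receives and the IdP it believes it is talking to; the `iss` comparison in `callback` supplies that binding, and the attacker's IdP cannot forge a matching value because the RP compares against what it recorded itself. In the implicit mode the same confusion hands the attacker the access token instead of the code; the check is the same.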

Since OpenID Connect is built on OAuth 2.0, it suffered from the same flaws.

"We have verified both attacks on an actual implementation and reported both attacks, along with propositions for fixes, to the respective working groups for OAuth and OpenID Connect," the researchers said. "The working groups confirmed the attacks and adopted our fixes."

For more details, you can download the researchers' 75-page paper, A Comprehensive Formal Security Analysis of OAuth 2.0.