I guess that would only be an issue if I opened a webview from the app, had the user log in to the vulnerable site, and then proceeded with the implicit grant attack in an iframe.
Seems like the attack vector is very slim assuming all of the cacheable dynamic data (cookie, localStorage, and indexeddb) are scoped for each page visit separately in my app and the browser app.

AJ ONeal

On Sun, Apr 5, 2015 at 3:35 PM, AJ ONeal (Home) <[email protected]> wrote:

> Isn't it a gaping wide security hole to allow me to steal redirects from
> any domain?
>
> For example, I could start the implicit login strategy for some consumer
> (like imgur.com) and set the redirect to be at that domain. Then the
> provider (say facebook.com) will check the redirect_uri according to the
> security rules of the consumer app (imgur). That security check will pass
> and then FxOS will steal the redirect and provide me with the token that
> was intended for imgur.
>
> Shouldn't this be restricted to something like
> https://<<installation-scoped-app-id>>.<<app-id>>.example.com?
>
> That way I could allow *.<<app-id>>.example.com in the provider settings
> for the app and I would not be able to steal redirects.
>
> I may not have thought it through fully, but I'm working on some oauth
> stuff right now where I just implemented domain checking and was
> considering possible attacks against browser strategies on various
> platforms.
>
> AJ ONeal
>
> On Sun, Mar 22, 2015 at 7:24 PM, Andrew Sutherland <[email protected]> wrote:
>
>> On 03/22/2015 08:54 PM, AJ ONeal (Home) wrote:
>>
>>> I'm building an OAuth2 browser auth dialog in FxOS 2.0.0 and following
>>> the instructions here:
>>>
>>> https://developer.mozilla.org/en-US/Apps/Build/Manifest#redirects
>>
>> According to the implementation at
>> https://dxr.mozilla.org/mozilla-central/source/dom/apps/Webapps.jsm#435
>> your app needs to be privileged or certified for the redirect mechanism
>> to be honored. This might be the problem.
>>
>> If not, the email app used redirects without the "browser" privilege when
>> it first added gmail oauth2 support. The pull request for that is at
>> https://github.com/mozilla-b2g/gaia/pull/23800. We subsequently changed
>> to use "browser" like the calendar app so we could clear the cookies (see
>> https://bugzilla.mozilla.org/show_bug.cgi?id=1069412#c4) for privacy
>> reasons. That bug also includes some other important changes, so don't
>> rely on that one pull request for anything more than to look at something
>> that worked for redirect purposes :)
>>
>> The contacts app (under apps/communications) also does oauth2.
>>
>> Andrew
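A provider-side redirect_uri check along the lines AJ proposes above (an installation-scoped subdomain admitted by a registered `*.<<app-id>>.example.com` rule), added here as an example that is not from this thread or from Gaia/FxOS; the app id `myapp`, the function names and the sample URIs are constructed for illustration:

```javascript
// Added example, not code from the thread or from Gaia/FxOS. The app id
// "myapp", the function names and the sample URIs are constructed.

// Match a hostname against a registered pattern label by label. A leading
// "*" admits exactly one extra label (the installation-scoped id), so the
// rule "*.myapp.example.com" is not a plain string-suffix check.
function hostnameMatches(pattern, hostname) {
  const p = pattern.toLowerCase().split(".");
  const h = hostname.toLowerCase().split(".");
  if (p[0] === "*") {
    const suffix = p.slice(1);
    if (h.length !== suffix.length + 1) return false;
    return suffix.every((label, i) => label === h[i + 1]);
  }
  return p.length === h.length && p.every((label, i) => label === h[i]);
}

// Decide whether a redirect_uri presented at the authorization endpoint may
// receive a token: parseable, https only, no userinfo, default port, and a
// hostname that matches one of the patterns registered for this client.
function isAllowedRedirect(registeredPatterns, redirectUri) {
  let url;
  try {
    url = new URL(redirectUri);
  } catch {
    return false;
  }
  if (url.protocol !== "https:") return false;
  if (url.username !== "" || url.password !== "") return false;
  if (url.port !== "") return false;
  return registeredPatterns.some((pat) => hostnameMatches(pat, url.hostname));
}

// Constructed sample: the pattern registered for the hypothetical client and
// a few redirect_uri values a provider might be handed.
const REGISTERED = ["*.myapp.example.com"];
const SAMPLE_URIS = [
  "https://inst123.myapp.example.com/oauth/cb",          // scoped install: ok
  "https://imgur.com/oauth/cb",                           // another consumer
  "https://inst123.myapp.example.com.lookalike.test/cb",  // suffix lookalike
  "https://a.b.myapp.example.com/cb",                     // one label too deep
  "http://inst123.myapp.example.com/cb",                  // not https
];

for (const uri of SAMPLE_URIS) {
  console.log(isAllowedRedirect(REGISTERED, uri), uri);
}
```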
_______________________________________________
dev-b2g mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-b2g
