This seems to be not a problem with OAuth but with misusing OAuth as an 
authentication protocol:

http://oauth.net/articles/authentication/

And with trusting unverified claims from a third party IdP (such as a 
self-asserted email address), which is covered in the OpenID Connect 
specification, an authentication protocol built on top of OAuth:

http://openid.net/specs/openid-connect-core-1_0.html#ClaimStability

You should probably let the client know in this case that they should not be 
using the email address as a key if they’re not verifying it themselves. If the 
authentication article can be updated to include this misuse, please help us 
amend it!

 — Justin

> On Apr 20, 2015, at 8:55 PM, mar adrian belen <[email protected]> 
> wrote:
> 
> Some web applications are using OAuth 2 technology as a login alternative. I 
> found a way to access a client application using an unverified email (the 
> victim's email) on the OAuth provider. If the OAuth provider allows an 
> unverified email to use its OAuth service, this can be abused by the attacker. 
> This is possible if the client provider directly logs in the user (using OAuth) 
> if his email already exists in their records.
> 
> 
> * User Joe has an account on CLIENT A using his email address [email protected], 
> but does not have an OAuth provider account. The attacker knows that.
> 
> * Now the attacker creates a new OAuth provider account using [email protected].
> 
> * Because an unverified email can be used with the OAuth provider's OAuth, and 
> CLIENT A is using the OAuth provider's OAuth as an alternative login, the 
> attacker can now access the victim's client application (CLIENT A) account 
> using the login alternative function.
> 
> 
> You can try GitHub (OAuth provider) and https://sprint.ly/ (client).
> 
> 
> https://www.dropbox.com/s/jhrgn311i0e28pc/hijackoauthclient_x264.mp4?dl=0
> _______________________________________________
> OAuth mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/oauth
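As an added illustration of the misuse discussed in this thread (example code, not from either message; the issuer, subject and email values are constructed), here is the relying party's account lookup in the form the report describes, next to a version that follows the ClaimStability guidance Justin points to:

```python
from dataclasses import dataclass, field

@dataclass
class User:
    username: str
    email: str
    # Federated identities already linked to this account, as (iss, sub) pairs.
    linked: set = field(default_factory=set)

def vulnerable_login(claims, users):
    """The pattern in the report: the client trusts the IdP's email claim and
    logs in whichever local account has that address. Whoever registers the
    victim's unverified address at the provider gets the victim's account."""
    for u in users:
        if u.email.lower() == claims["email"].lower():
            return u
    return None

def hardened_login(claims, users):
    """Key on the (iss, sub) pair, which OpenID Connect's ClaimStability section
    names as the stable identifier. Fall back to email only when the IdP
    asserts email_verified, and then only as a candidate the user must confirm
    (e.g. by entering the existing password) before the identities are linked."""
    key = (claims["iss"], claims["sub"])
    for u in users:
        if key in u.linked:
            return "login", u
    if claims.get("email_verified") is not True:
        return "deny", None  # an unverified email is not an account key
    email = claims.get("email", "").lower()
    for u in users:
        if u.email.lower() == email:
            return "confirm_then_link", u
    return "deny", None

# Constructed sample data: victim joe has a local account but no IdP account;
# the attacker registered joe's address at the IdP without verifying it.
JOE = User("joe", "joe@example.com")
USERS = [JOE]
ATTACKER_CLAIMS = {"iss": "https://idp.example", "sub": "attacker-sub",
                   "email": "joe@example.com", "email_verified": False}

if __name__ == "__main__":
    print(vulnerable_login(ATTACKER_CLAIMS, USERS))  # joe's account is returned
    print(hardened_login(ATTACKER_CLAIMS, USERS))    # ('deny', None)
```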
