This seems to be not a problem with OAuth but with misusing OAuth as an authentication protocol:

http://oauth.net/articles/authentication/

And with trusting unverified claims from a third-party IdP (such as a self-asserted email address), which is covered in the OpenID Connect specification, an authentication protocol built on top of OAuth:

http://openid.net/specs/openid-connect-core-1_0.html#ClaimStability

You should probably let the client know in this case that they should not be using the email address as a key if they're not verifying it themselves.

If the authentication article can be updated to include this misuse, please help us amend it!

 — Justin

> On Apr 20, 2015, at 8:55 PM, mar adrian belen <[email protected]> wrote:
>
> Some web applications are using OAuth 2 technology as a login alternative. I
> found a way to access a client application using an unverified email (the victim's
> email) on the OAuth provider, if the OAuth provider allows an unverified email to use
> its OAuth service, which can be abused by the attacker. This is possible if the client
> provider directly logs the user in (using OAuth) if his email already exists in their
> records.
>
> * User Joe has an account on CLIENT A using his email address [email protected],
>   but does not have an OAuth provider account. The attacker knows that.
>
> * Now the attacker creates a new OAuth provider account using [email protected].
>
> * Because an unverified email can be used with the OAuth provider's OAuth, and
>   CLIENT A is using the OAuth provider's OAuth as an alternative login, the
>   attacker can now access the victim's client application (CLIENT A) account using
>   the login-alternative function.
>
> You can try GitHub (OAuth provider) and https://sprint.ly/ (client):
>
> https://www.dropbox.com/s/jhrgn311i0e28pc/hijackoauthclient_x264.mp4?dl=0
_______________________________________________
OAuth mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/oauth
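The client-side account-linking step the thread is about, as an added example that is not code from the thread, from GitHub, or from sprint.ly. It models the "log in with <IdP>" handler of a relying party receiving OpenID Connect-style claims: `vulnerable_login` keys the local user table on the `email` claim alone (the behaviour the report describes), while `hardened_login` refuses to match on email unless the IdP asserts `email_verified`, restricts itself to a configured issuer, and prefers the stable `(iss, sub)` pair that the ClaimStability section of OpenID Connect Core points to. The user store, link table, issuer URL and claim values are constructed for this example.

```python
# Added illustration (not code from the thread or from any product it names).
# Models the "log in with <IdP>" account-linking step on the client side,
# using OpenID Connect-style claims. The user store, issuer URL and claim
# values below are constructed for this example.

# Constructed CLIENT A user store: local accounts keyed by registered email.
USERS_BY_EMAIL = {"joe@client-a.example": "user-joe"}

# Constructed link table: (issuer, subject) pairs that a logged-in user has
# explicitly tied to a local account. `sub` is the stable identifier an OIDC
# provider gives a user; an email address is not (it can be reassigned).
LINKED_SUBJECTS = {("https://idp.example", "joe-idp-id"): "user-joe"}

# Constructed: the one provider this relying party is configured to trust.
TRUSTED_ISSUERS = {"https://idp.example"}


def vulnerable_login(claims):
    """The behaviour described in the thread.

    Whoever the IdP says has this email address is logged in as the local
    account registered under that address. Because the IdP never verified
    the address, an attacker who registered Joe's email at the IdP gets
    Joe's CLIENT A session.
    """
    return USERS_BY_EMAIL.get(claims.get("email"))


def hardened_login(claims):
    """Only match on email when the IdP asserts it verified the address.

    Returns the local user id on success, or None, in which case the
    application should fall back to an explicit account-linking step that
    the user performs while already authenticated to CLIENT A.
    """
    if claims.get("iss") not in TRUSTED_ISSUERS:
        return None  # never link on claims from an issuer we did not configure

    # Prefer the stable (iss, sub) pair over any email-based match.
    linked = LINKED_SUBJECTS.get((claims.get("iss"), claims.get("sub")))
    if linked is not None:
        return linked

    email = claims.get("email")
    # `email_verified` is a boolean claim; absent or False means the IdP does
    # not vouch for the address, so it must not be used as a lookup key.
    if not email or claims.get("email_verified") is not True:
        return None
    return USERS_BY_EMAIL.get(email)


if __name__ == "__main__":
    # Constructed claims for the attacker's freshly registered IdP account.
    attacker = {"iss": "https://idp.example", "sub": "attacker-idp-id",
                "email": "joe@client-a.example", "email_verified": False}
    print("vulnerable:", vulnerable_login(attacker))  # user-joe (hijacked)
    print("hardened:  ", hardened_login(attacker))    # None
```

Even with `email_verified` true, the hardened path only uses the email to find a candidate account on first sign-in; once the user has confirmed the link, the `(iss, sub)` entry is what identifies them on later logins, so a later change of who owns that address at the provider does not move the local account.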
