Also, this is not news:
http://securityintelligence.com/spoofedme-social-login-attack-discovered-by-ibm-x-force-researchers/

On Wed, Apr 22, 2015 at 5:02 PM Justin Richer <[email protected]> wrote:

> This seems to be not a problem with OAuth but with misusing OAuth as an
> authentication protocol:
>
> http://oauth.net/articles/authentication/
>
> And with trusting unverified claims from a third party IdP (such as a
> self-asserted email address), which is covered in the OpenID Connect
> specification, an authentication protocol built on top of OAuth:
>
> http://openid.net/specs/openid-connect-core-1_0.html#ClaimStability
>
> You should probably let the client know in this case that they should not
> be using the email address as a key if they’re not verifying it themselves.
> If the authentication article can be updated to include this misuse, please
> help us amend it!
>
>  — Justin
>
> On Apr 20, 2015, at 8:55 PM, mar adrian belen <[email protected]>
> wrote:
>
> Some web applications are using OAuth 2 technology as a login alternative. I
> found a way to access a client application using an unverified
> email (the victim's email) on the OAuth provider. If the OAuth provider allows
> an unverified email to use its OAuth service, this can be abused by the
> attacker. This is possible if the client provider directly logs the user in
> (using OAuth) when his email already exists in their records.
>
>
> * User joe has an account on CLIENT A using his email address
> [email protected], but does not have an OAuth provider account. The attacker
> knows that.
>
> * Now the attacker creates a new OAuth provider account using
> [email protected].
>
> * Because an unverified email can use the OAuth provider's OAuth, and
> CLIENT A is using the OAuth provider's OAuth as an alternative login, the
> attacker can now access the victim's client application (CLIENT A) account
> using the login alternative function.
>
>
> You can try GitHub (OAuth provider) and https://sprint.ly/ (client).
>
>
> https://www.dropbox.com/s/jhrgn311i0e28pc/hijackoauthclient_x264.mp4?dl=0
> _______________________________________________
> OAuth mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/oauth
>
>
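The account-linking mistake the thread describes, and the fix Justin points at (key on the IdP's stable identifier, not on an unverified email), as an added example that is not from the thread or from any of the products named in it. The local user store, issuer URL and claim values are constructed for illustration.

```python
# Added example (not from the thread): relying-party ("CLIENT A") login logic,
# contrasting the reported flaw with a hardened version. User store, issuer URL
# and claim values are constructed.

# Constructed local accounts: joe registered with his email, never linked an IdP.
USERS = {1: {"email": "joe@example.com", "idp_links": set()}}


def find_by_email(email):
    """Case-insensitive lookup of a local account by email."""
    email = email.strip().lower()
    return next((uid for uid, u in USERS.items() if u["email"] == email), None)


def insecure_login(claims):
    """The pattern from the report: the email returned by the IdP is used as the
    account key, so an IdP account created with an unverified address logs in as joe."""
    return find_by_email(claims.get("email", ""))


def secure_login(claims, trusted_issuers=frozenset()):
    """Hardened flow. Returns ("ok", user_id) or ("verify_email", email).

    1. The stable identity is the pair (iss, sub); only that is matched against
       existing links (OpenID Connect Core, ClaimStability).
    2. An email is used for auto-linking only if the issuer is one we trust to
       have verified it AND it asserts email_verified=true.
    3. Otherwise the relying party must verify the address itself before linking.
    """
    key = (claims["iss"], claims["sub"])
    for uid, u in USERS.items():
        if key in u["idp_links"]:
            return ("ok", uid)
    email = claims.get("email", "")
    if claims["iss"] in trusted_issuers and claims.get("email_verified") is True:
        uid = find_by_email(email)
        if uid is not None:
            USERS[uid]["idp_links"].add(key)  # remember the link for next time
            return ("ok", uid)
    return ("verify_email", email)


# Constructed claim set from an IdP account registered with joe's (unverified) address.
UNVERIFIED_CLAIMS = {"iss": "https://idp.example", "sub": "idp-user-42",
                     "email": "joe@example.com", "email_verified": False}
```

With `UNVERIFIED_CLAIMS`, `insecure_login` returns joe's account while `secure_login` refuses to link and asks for verification, whether or not the issuer is trusted.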
