You know, using an email address as a verified user identifier is an appallingly bad idea. Even if it were verified at enrollment time, if the mail address was recycled, the original account holder is screwed. It has been known for so many years now, and finding that sites still do that makes me sad.
Nat

On Wed, Apr 22, 2015 at 9:22, Thomas Broyer <[email protected]> wrote:

> Also, this is not news:
> http://securityintelligence.com/spoofedme-social-login-attack-discovered-by-ibm-x-force-researchers/
>
> On Wed, Apr 22, 2015 at 5:02 PM Justin Richer <[email protected]> wrote:
>
>> This seems to be not a problem with OAuth but with misusing OAuth as an
>> authentication protocol:
>>
>> http://oauth.net/articles/authentication/
>>
>> And with trusting unverified claims from a third party IdP (such as a
>> self-asserted email address), which is covered in the OpenID Connect
>> specification, an authentication protocol built on top of OAuth:
>>
>> http://openid.net/specs/openid-connect-core-1_0.html#ClaimStability
>>
>> You should probably let the client know in this case that they should not
>> be using the email address as a key if they're not verifying it themselves.
>> If the authentication article can be updated to include this misuse, please
>> help us amend it!
>>
>> -- Justin
>>
>> On Apr 20, 2015, at 8:55 PM, mar adrian belen <[email protected]> wrote:
>>
>> Some web applications are using OAuth 2 technology as a login alternative.
>> I found a way to access a client application using an unverified email
>> (the victim's email) on an OAuth provider, if the OAuth provider allows an
>> unverified email to use its OAuth service, which can be abused by the
>> attacker. This is possible if the client provider directly logs in the user
>> (using OAuth) if his email already exists in their records.
>>
>> * User joe has an account on CLIENT A using his email address
>>   [email protected], but does not have an OAuth provider account. The
>>   attacker knows that.
>>
>> * Now the attacker creates a new OAuth provider account using
>>   [email protected].
>>
>> * Because an unverified email can use the OAuth provider's OAuth, and
>>   CLIENT A is using the OAuth provider's OAuth as an alternative login, the
>>   attacker can now access the victim's client application (CLIENT A)
>>   account using the login alternative function.
>>
>> You can try GitHub (OAuth provider) and https://sprint.ly/ (client).
>>
>> https://www.dropbox.com/s/jhrgn311i0e28pc/hijackoauthclient_x264.mp4?dl=0
>>
>> _______________________________________________
>> OAuth mailing list
>> [email protected]
>> https://www.ietf.org/mailman/listinfo/oauth
_______________________________________________ OAuth mailing list [email protected] https://www.ietf.org/mailman/listinfo/oauth
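The misuse Justin describes (the client keys the user on an email claim it never verified) and the hardened alternative (key on the issuer/subject pair, let an email auto-link only when the provider asserts it as verified, or never), shown side by side as an added Python example. This is not code from the thread or from any provider or client named in it; the account table, token claims, issuer URL and subject identifiers are constructed.

```python
from dataclasses import dataclass, field


@dataclass
class LocalAccount:
    """A user record at the client application (CLIENT A in the thread)."""
    username: str
    email: str
    # Federated identities explicitly linked to this account, as (iss, sub) pairs.
    linked_identities: set = field(default_factory=set)


def make_accounts():
    """Constructed user table: joe registered with a local password and his
    email, and has never linked an OAuth provider account."""
    return {"joe": LocalAccount("joe", "joe@example.com")}


def find_by_email(accounts, email):
    """Case-insensitive lookup of a local account by its registered email."""
    if email is None:
        return None
    for acct in accounts.values():
        if acct.email.lower() == email.lower():
            return acct
    return None


def login_email_keyed(accounts, claims):
    """The pattern described in the thread: the client treats the email it
    receives from the provider as the user's key and logs in whichever local
    account carries that address, whether or not the provider verified it.
    Returns the username now signed in, or None."""
    acct = find_by_email(accounts, claims.get("email"))
    return acct.username if acct else None


def login_subject_keyed(accounts, claims, auto_link_verified_email=True):
    """Hardened variant. The stable identifier is the (iss, sub) pair, per the
    OpenID Connect ClaimStability section linked in the thread. An email may
    auto-link to an existing local account only when the provider asserts
    email_verified=True (the standard OIDC claim); an unverified or absent
    email never does. With auto_link_verified_email=False no email-based
    linking happens at all (an address can be recycled even after it was
    verified once, Nat's point), and the identity must be linked by the user
    while signed in with local credentials. Returns username or None."""
    key = (claims.get("iss"), claims.get("sub"))
    if None in key:
        return None  # no stable identifier in the token: refuse
    for acct in accounts.values():
        if key in acct.linked_identities:
            return acct.username
    if auto_link_verified_email and claims.get("email_verified") is True:
        acct = find_by_email(accounts, claims.get("email"))
        if acct is not None:
            acct.linked_identities.add(key)
            return acct.username
    return None  # unknown identity: send to explicit sign-up/link flow


if __name__ == "__main__":
    # Constructed claims: the attacker registered at the provider with joe's
    # address but never confirmed it, so the provider marks it unverified.
    attacker = {"iss": "https://idp.example", "sub": "attacker-4711",
                "email": "joe@example.com", "email_verified": False}
    print(login_email_keyed(make_accounts(), attacker))    # joe (account taken over)
    print(login_subject_keyed(make_accounts(), attacker))  # None (refused)
```

The email-keyed function is the behaviour a client should look for in its own login handler; the subject-keyed one is what to replace it with, and the `auto_link_verified_email=False` mode is the conservative setting when the relying party cannot rule out recycled addresses at the provider.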
