What security holes were found in OAuth 2.0?

2

Yesterday I read this text saying that serious security holes were found in OAuth. The content of the text, in particular, makes it seem like you cannot even use OAuth. The problem with this is that I'm developing a project for which the only plausible authentication and authorization model is the one provided by OAuth.

So, are there really such serious flaws in OAuth as the text states? Specifically, what are the flaws the text refers to? Is there any way to protect against them?

asked by anonymous 03.05.2014 / 17:35

1 answer

2

The flaw is not in the protocol but in the implementation of many OAuth servers.

What happens is that the OAuth protocol redirects the user's browser to the server's authorization page, for example Facebook's. Along with that request goes a return URL.

Facebook asks the user for permission for the application to access the Facebook API on behalf of the user. Once the user authorizes, Facebook redirects to the return URL.

To prevent abuse in which the user is redirected to an unauthorized site, Facebook checks whether the return URL belongs to the domain configured for that application.

However, there are abuse scenarios in which the return URL given is that of a page which itself redirects to another page outside the authorized domain, thereby circumventing the check.

The OAuth server, for example Facebook, is the one that has to fix the problem, because in some usage modes the protocol returns the authorization token directly to the return page without proper verification.

However, if you have an application that uses OAuth to access the API of another site on behalf of your users, someone might abuse your application to access user accounts on the OAuth server as if it were your application.

To avoid this problem, avoid having pages on your site that redirect to arbitrary sites passed as a parameter in the redirecting page's URL.

The problem is more complicated than this, but this is the simplified version, from which I believe you can already understand what precautions to take.

04.05.2014 / 09:14
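The answer above describes two checks: the authorization server's validation of the return URL, and the client application's handling of its own "redirect to wherever the parameter says" pages. The following is an added example (not code from the original question, the answer, or any OAuth provider) showing both sides in Python. The client id, registered URIs and sample inputs are constructed placeholders; the weak domain-only check is included only to contrast it with the exact-match check the answer implies.

```python
from urllib.parse import urlsplit, urlunsplit

# Constructed registry: redirect URIs each client registered with the
# authorization server (hypothetical values, not from the original page).
REGISTERED_REDIRECT_URIS = {
    "myapp": ["https://app.example.com/oauth/callback"],
}
ALLOWED_DOMAIN = "app.example.com"  # constructed, used only by the weak check


def _normalize(uri):
    """Lower-case scheme and host, default an empty path to '/', drop nothing else."""
    p = urlsplit(uri)
    return urlunsplit((p.scheme.lower(), p.netloc.lower(), p.path or "/", p.query, p.fragment))


def weak_domain_check(redirect_uri):
    """The flawed pattern the answer describes: accept any URL whose host is the
    application's domain. Any page on that domain that forwards elsewhere
    (an open redirector) passes this check and carries the token with it."""
    return urlsplit(redirect_uri).netloc.lower() == ALLOWED_DOMAIN


def redirect_uri_is_registered(client_id, redirect_uri):
    """Authorization-server side: accept redirect_uri only if it exactly matches
    a URI registered for this client (scheme, host, path and query), and refuse
    any fragment. Only the callback endpoint itself is ever accepted."""
    p = urlsplit(redirect_uri)
    if p.fragment:
        return False
    candidate = _normalize(redirect_uri)
    return any(candidate == _normalize(r) for r in REGISTERED_REDIRECT_URIS.get(client_id, []))


def safe_local_redirect(next_param, default="/"):
    """Client-application side: a 'next' parameter may only name a relative path
    on this site. Absolute URLs, protocol-relative '//host' forms, the '/\\host'
    variant some browsers treat the same way, and non-http schemes all fall
    back to the default, so the page can never forward to an arbitrary site."""
    if not next_param:
        return default
    p = urlsplit(next_param)
    if p.scheme or p.netloc:
        return default
    if not next_param.startswith("/") or next_param.startswith(("//", "/\\")):
        return default
    return next_param


if __name__ == "__main__":
    # Constructed inputs illustrating the difference between the two server checks.
    forwarding_page = "https://app.example.com/go?to=https://attacker.invalid/"
    print("weak check accepts forwarding page:", weak_domain_check(forwarding_page))
    print("exact check accepts forwarding page:",
          redirect_uri_is_registered("myapp", forwarding_page))
    print("client keeps redirect local:", safe_local_redirect("//attacker.invalid/"))
```

The exact-match check is what the answer's "return page" precaution boils down to on the server side: the token is only ever sent to the one endpoint the application registered, so a forwarding page on the same domain cannot receive it. `safe_local_redirect` is the client-side precaution from the last paragraph: the site keeps no page that will send a visitor to whatever host a URL parameter names.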