Fwd: [Wikitech-l] OAuth and callbacks


Fwd: [Wikitech-l] OAuth and callbacks

rupert THURNER-2

Somebody on this list has an opinion here, like Emmanuel, Manuel?

rupert

---------- Forwarded message ----------
From: "Chris Steipp" <[hidden email]>
Date: 27.08.2014 20:13
Subject: [Wikitech-l] OAuth and callbacks
To: "Wikimedia developers" <[hidden email]>

For those who run one of our 76(!) approved OAuth apps, or are using
the OAuth extension on their own wiki...

We have a patch [1] from Mitar to allow OAuth apps to pass a
configurable callback during the OAuth handshake. This will probably
make a lot of app authors' lives easier, but can also open up a couple
of avenues of abuse: specifically, it's needed for covert redirect
attacks [2]. If OAuth app authors choose loose callback requirements,
which we can assume will happen if we make approvals automatic (bug
65750), and we ever allow public consumers (huggle was asking for that
for a long time), then it would be possible for attackers to abuse our
OAuth setup.

So far, I've been really conservative about how we use OAuth (there
are two other features we would have to enable to make this attack
likely). I'd like to hear others' thoughts about:

* Assuming we implement one or two of: dynamic callbacks, automatic
approval of apps, or public consumers, but not all three, which are
most desired?

* If we do implement all three, we can limit how the callback can
differ from what is registered. I put some suggestions on the gerrit
patch, but would that cause more confusion than help?


[1] - https://gerrit.wikimedia.org/r/153983
[2] - http://tetraph.com/covert_redirect/oauth2_openid_covert_redirect.html

_______________________________________________
Wikitech-l mailing list
[hidden email]
https://lists.wikimedia.org/mailman/listinfo/wikitech-l

_______________________________________________
http://wikimedia.ch Wikimedia CH website
Wikimediach-l mailing list
https://lists.wikimedia.org/mailman/listinfo/wikimediach-l
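The second question in Chris's mail, how far a callback passed at handshake time may differ from the registered one, comes down to the comparison the server performs. The Python below is an added example for this thread, not code from the MediaWiki OAuth extension or from Mitar's patch. It contrasts a bare string-prefix test with a check that parses the URL, pins scheme, host and port to the registered values, and only then lets the path extend the registered one. The policy names "exact" and "prefix", the https-only rule and the sample URLs are assumptions constructed for illustration.

```python
"""Callback (redirect) URL checks for an OAuth consumer registration.

Added example for the thread above; not code from the MediaWiki OAuth
extension or from Mitar's patch. The policy names ("exact", "prefix"),
the https-only rule and the sample URLs are assumptions.
"""
from urllib.parse import urlsplit, unquote

DEFAULT_PORTS = {"https": 443, "http": 80}


def _normalize(url):
    """Split a URL into comparable parts: scheme, host, port, path, query.

    The host is lower-cased, a missing port is filled in from the scheme,
    and the path is percent-decoded so dot segments cannot hide as %2e%2e.
    """
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    port = parts.port if parts.port is not None else DEFAULT_PORTS.get(scheme)
    path = unquote(parts.path) or "/"
    return scheme, host, port, path, parts.query


def naive_prefix_allowed(registered, requested):
    """The loose rule: accept anything that starts with the registered text.

    Shown only as the weak baseline; it passes sibling paths, dot segments
    and, when the registered value has no path, unrelated hosts.
    """
    return requested.startswith(registered)


def callback_allowed(registered, requested, mode="exact"):
    """Return True if `requested` may serve as the callback for a consumer
    registered with `registered`.

    mode="exact":  requested must equal registered after normalisation,
                   query string included.
    mode="prefix": scheme, host and port must still match exactly; the
                   path may equal the registered path or lie below it and
                   a query string may be added. Dot segments are refused.
    """
    r_scheme, r_host, r_port, r_path, r_query = _normalize(registered)
    q_scheme, q_host, q_port, q_path, q_query = _normalize(requested)

    # Assumption for this example: callbacks must be https.
    if q_scheme != "https":
        return False
    # The authority is pinned in every mode: a consumer may never move the
    # redirect to another host or port.
    if (q_scheme, q_host, q_port) != (r_scheme, r_host, r_port):
        return False
    # Refuse "." and ".." so the path cannot climb out of the registered
    # location once the consumer's server resolves it.
    if any(seg in (".", "..") for seg in q_path.split("/")):
        return False

    if mode == "exact":
        return q_path == r_path and q_query == r_query
    if mode == "prefix":
        base = r_path if r_path.endswith("/") else r_path + "/"
        return q_path == r_path or q_path.startswith(base)
    raise ValueError("unknown mode: %r" % mode)


if __name__ == "__main__":
    reg = "https://app.example/oauth/cb"  # constructed sample registration
    for req in ("https://app.example/oauth/cb?state=x",
                "https://app.example/oauth/cb2",
                "https://app.example/oauth/cb/../../redirect",
                "https://app.example:443/oauth/cb",
                "http://app.example/oauth/cb"):
        print(req, naive_prefix_allowed(reg, req),
              callback_allowed(reg, req, "prefix"))
```

The parsed check is stricter than the string test in the cases that matter (other host, sibling path, dot segments) and more lenient where the string test is merely brittle (an explicit `:443`, upper-case host). Whether "prefix" mode should exist at all is exactly the trade-off the mail raises; "exact" is the conservative default.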

Re: Fwd: [Wikitech-l] OAuth and callbacks

Andreas Bürki
What are/might be the consequences for ordinary Users in terms of
privacy and security?


h.

On 28.08.2014 at 08:21, rupert THURNER wrote:

--

Andreas Bürki

[hidden email]
S/MIME certificate - SHA1 fingerprint:
ED:A5:F3:60:70:8B:4C:16:44:18:96:AE:67:B9:CA:77:AE:DA:83:11
GnuPG - GPG fingerprint:
5DA7 5F48 25BD D2D7 E488 05DF 5A99 A321 7E42 0227


