OAuth1: CSRF / user consent security issues
  • OAuth1: CSRF / user consent security issues

    Hi,

    I'm currently having some issues with the OAuth1 module (trunk version). I'm trying to run the sparklr application, and run into some issues, all involving the user consent/approval.

    My test client gets a request token at /oauth/request_token, which all goes well.

    I then visit /oauth/authorize?oauth_token=<token>, which is looking for a requestToken parameter, and throws an InvalidOAuthTokenException. This causes a destroy of any existing authentication, and a redirect to /oauth/confirm_access (without the token...). Since the token is missing, I can't give consent (and because of the earlier authentication exception, I always have to re-login). If I visit /oauth/confirm_access?oauth_token=<token> manually, all works well.

    A much bigger issue, though, is that it seems there are not any checks on the /oauth/authorize request. If I visit /oauth/authorize?requestToken=<token> directly, my token is authorized and I'm redirected back to the consumer. An evil consumer could use this to get user tokens without their consent, a _major_ CSRF issue.

    Am I missing something here, or is the user approval flow of the OAuth1 module seriously flawed and a big security risk?
    Last edited by MikeN123; May 2nd, 2012, 08:06 AM.
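The flaw described in the post is that the authorize endpoint records consent on a bare GET that carries only the token. The following is an added example, not Spring Security OAuth code, of how a provider can keep the same three endpoints (/oauth/request_token, /oauth/authorize, /oauth/confirm_access) while making approval impossible without an explicit POST that is bound to the user's session. The class and method names, the session keys, the `approve` form field and the in-memory token store are all assumptions made for the illustration.

```python
import secrets
from dataclasses import dataclass
from typing import Callable, Optional


class OAuthFlowError(Exception):
    """Raised when a step of the hypothetical consent flow is refused."""


@dataclass
class RequestToken:
    token: str
    consumer_key: str
    secret: str
    user_id: Optional[str] = None    # set only after the user explicitly approved
    verifier: Optional[str] = None   # handed to the consumer only after approval


class ConsentAwareProvider:
    """Hypothetical OAuth1 provider that separates *showing* the consent page
    from *recording* consent. Nothing here is Spring Security OAuth code."""

    def __init__(self) -> None:
        self.tokens: dict[str, RequestToken] = {}

    # Step 1: /oauth/request_token issues an unapproved token to the consumer.
    def issue_request_token(self, consumer_key: str) -> str:
        token = secrets.token_urlsafe(16)
        self.tokens[token] = RequestToken(token, consumer_key, secrets.token_urlsafe(16))
        return token

    # Step 2: GET /oauth/authorize?oauth_token=... only renders the consent page.
    # It never changes token state, so a consumer-supplied link cannot approve anything.
    def authorize_page(self, oauth_token: str, session: dict) -> dict:
        rt = self.tokens.get(oauth_token)
        if rt is None or rt.user_id is not None:
            raise OAuthFlowError("unknown or already-authorized request token")
        csrf = secrets.token_urlsafe(16)
        session["oauth_csrf"] = csrf              # assumed session keys
        session["oauth_pending_token"] = oauth_token
        return {"consumer_key": rt.consumer_key, "oauth_token": oauth_token, "csrf": csrf}

    # Step 3: POST /oauth/confirm_access is the only place consent is recorded.
    def confirm_access(self, method: str, form: dict, session: dict, user_id: str) -> Optional[str]:
        if method != "POST":
            raise OAuthFlowError("consent must be submitted with POST, not via a GET link")
        expected = session.get("oauth_csrf", "")
        if not expected or not secrets.compare_digest(form.get("csrf", ""), expected):
            raise OAuthFlowError("missing or mismatched CSRF token")
        token = form.get("oauth_token", "")
        if token != session.get("oauth_pending_token"):
            raise OAuthFlowError("token does not match the one shown on the consent page")
        # One-shot: a replayed form cannot approve a second token.
        session.pop("oauth_csrf", None)
        session.pop("oauth_pending_token", None)
        rt = self.tokens[token]
        if form.get("approve") != "yes":
            del self.tokens[token]                # user declined: token can never be exchanged
            return None
        rt.user_id = user_id
        rt.verifier = secrets.token_urlsafe(8)
        return rt.verifier                        # returned to the consumer as oauth_verifier

    # Step 4: /oauth/access_token succeeds only for an approved token with the right verifier.
    def exchange_access_token(self, oauth_token: str, oauth_verifier: str) -> dict:
        rt = self.tokens.get(oauth_token)
        if rt is None or rt.user_id is None:
            raise OAuthFlowError("request token was never approved by a user")
        if not secrets.compare_digest(rt.verifier or "", oauth_verifier):
            raise OAuthFlowError("bad oauth_verifier")
        del self.tokens[oauth_token]              # request tokens are single-use
        return {"user_id": rt.user_id, "access_token": secrets.token_urlsafe(16)}


def refuses(action: Callable[[], object]) -> bool:
    """True if the action is rejected by the provider."""
    try:
        action()
        return False
    except OAuthFlowError:
        return True


def demo() -> bool:
    """Walk the flow: a bare GET cannot approve; a POST with the session's CSRF token can."""
    p = ConsentAwareProvider()
    token = p.issue_request_token("example-consumer")
    session: dict = {}
    page = p.authorize_page(token, session)       # consumer redirect lands here: page only
    if not refuses(lambda: p.exchange_access_token(token, "")):
        return False                              # token must still be unapproved
    form = {"oauth_token": page["oauth_token"], "csrf": page["csrf"], "approve": "yes"}
    verifier = p.confirm_access("POST", form, session, user_id="alice")
    return p.exchange_access_token(token, verifier)["user_id"] == "alice"
```

The design choice worth noting is that token state moves only in `confirm_access`, and that method demands three things a third-party site cannot forge: the POST method, a CSRF value held in the user's own session, and agreement between the posted token and the one the consent page was rendered for. Rendering the page on `/oauth/authorize` is harmless because it writes nothing to the token.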

  • #2
    OAuth1 is not a big priority for me, so unless someone cares enough to look into this you are out of luck in the short term at least. You can raise a JIRA ticket, but the only way to guarantee progress is to submit a fix yourself.

    • #3
      Well, before fixing it myself, it would be nice to know if my conclusions are right or if I'm doing something wrong.

      It may also be a good idea to warn users of the security implications, which are huge if there is no validation done by the authorize URL.
