Cut and pasted code attack in OAuth 2.0 [RFC6749]

The so-called ‘cut and pasted code attack’, also known as the ‘Frankenstein Monster Attack’, is an attack in which the adversary swaps the ‘code’ in the authorization response with a victim’s ‘code’ that the adversary has somehow gotten hold of, for example through the Code Phishing attack or some other attack. Then, he uses the ‘code’ […]
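The excerpt above describes the swap but not what stops it. The added simulation below (my own example, not code from the post or from any OAuth library) shows why the client’s usual `state` check does not help, and how PKCE [RFC7636] does: the token endpoint binds each code to a `code_challenge`, so a pasted-in code fails the `code_verifier` check. The authorization server, client, client credentials and user names are all constructed for the example; nothing here touches a network.

```python
"""Cut-and-pasted code attack against a plain code flow, and the PKCE defence.

Constructed example: in-memory authorization server, one confidential client,
and an attacker who already holds a victim's authorization code (obtained out
of band, e.g. via code phishing). Assumed identifiers: client_id "app",
client_secret "s3cret", users "victim", "attacker", "alice".
"""
import base64
import hashlib
import secrets
from typing import Optional


def b64url(data: bytes) -> str:
    """Base64url without padding, as RFC 7636 uses for verifier/challenge."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def s256(code_verifier: str) -> str:
    """code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))  (RFC 7636 4.2)."""
    return b64url(hashlib.sha256(code_verifier.encode("ascii")).digest())


class AuthorizationServer:
    """The authorization endpoint issues a code bound to client, resource owner
    and (optionally) a code_challenge; the token endpoint enforces the bindings."""

    def __init__(self, clients: dict) -> None:
        self._clients = clients            # client_id -> client_secret
        self._codes: dict = {}             # code -> binding record

    def authorize(self, client_id: str, user: str, code_challenge: Optional[str]) -> str:
        code = secrets.token_urlsafe(24)
        self._codes[code] = {"client_id": client_id, "user": user, "challenge": code_challenge}
        return code

    def token(self, client_id: str, client_secret: str, code: str,
              code_verifier: Optional[str]) -> Optional[dict]:
        if self._clients.get(client_id) != client_secret:   # client authentication
            return None
        entry = self._codes.pop(code, None)                 # codes are single-use
        if entry is None or entry["client_id"] != client_id:
            return None
        if entry["challenge"] is not None:
            # PKCE: the verifier presented now must hash to the challenge that
            # accompanied the authorization request which produced this code.
            if code_verifier is None or not secrets.compare_digest(
                    s256(code_verifier), entry["challenge"]):
                return None
        return {"access_token": secrets.token_urlsafe(16), "sub": entry["user"]}


class Client:
    """Confidential client keeping one record per browser session, keyed by state."""

    def __init__(self, as_: AuthorizationServer, client_id: str, client_secret: str,
                 use_pkce: bool) -> None:
        self.as_, self.client_id, self.client_secret = as_, client_id, client_secret
        self.use_pkce = use_pkce
        self._sessions: dict = {}

    def start_login(self):
        """Prepare an authorization request; returns (state, code_challenge)."""
        state = secrets.token_urlsafe(16)
        verifier = b64url(secrets.token_bytes(32)) if self.use_pkce else None
        self._sessions[state] = {"verifier": verifier}
        return state, (s256(verifier) if verifier else None)

    def finish_login(self, state: str, code: str) -> Optional[dict]:
        """Handle the authorization response and redeem the code it carries."""
        session = self._sessions.pop(state, None)
        if session is None:                                 # CSRF check on state
            return None
        return self.as_.token(self.client_id, self.client_secret, code, session["verifier"])


def _setup(use_pkce: bool):
    as_ = AuthorizationServer({"app": "s3cret"})
    return as_, Client(as_, "app", "s3cret", use_pkce)


def honest_login(use_pkce: bool) -> Optional[dict]:
    """Baseline: a normal flow succeeds with or without PKCE."""
    as_, client = _setup(use_pkce)
    state, challenge = client.start_login()
    code = as_.authorize("app", "alice", challenge)
    return client.finish_login(state, code)


def cut_and_paste_attack(use_pkce: bool) -> Optional[dict]:
    """Return the token the client ends up holding in the attacker's session."""
    as_, client = _setup(use_pkce)
    # 1. The victim starts a login; the attacker captures the resulting code
    #    out of band (constructed here). The victim's session never completes.
    _, victim_challenge = client.start_login()
    victim_code = as_.authorize("app", "victim", victim_challenge)
    # 2. The attacker starts their own login and authorizes at the AS as themselves.
    attacker_state, attacker_challenge = client.start_login()
    as_.authorize("app", "attacker", attacker_challenge)    # attacker's own code, discarded
    # 3. The attacker delivers a response with their own state (so the client's
    #    CSRF check passes) but the victim's code pasted in.
    return client.finish_login(attacker_state, victim_code)
```

Without PKCE, `cut_and_paste_attack(False)` returns a token whose `sub` is `victim`: the client has logged the attacker in as the victim, and `state` was no obstacle because the attacker owns that session. With PKCE, the client sends the verifier from the attacker’s session, the server compares it against the challenge stored with the victim’s code, and the exchange is refused. RFC 7636 was written for public clients; the later OAuth 2.0 Security Best Current Practice recommends PKCE for every client, confidential ones included, because of exactly this code injection problem.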

Code phishing attack on OAuth 2.0 [RFC6749]

The code phishing attack is an attack in which the adversary obtains the code and client credentials from the legitimate client and uses them against the honest token endpoint to obtain tokens, thereby accessing the protected resources illegitimately. Assumptions Not many assumptions are needed for this attack. The client and the server use OAuth 2.0 [RFC6749]. The […]

IdP Mix-up Attack on OAuth [RFC6749]

On Sunday, January 10, 2016, the OAuth Security Advisory: Authorization Server Mix-Up was issued. Nov Matake wrote an excellent article about it in Japanese. To help readers understand the attack, I am translating the portion of his blog post explaining the attack, with his permission, and then expanding on it. Assumptions The attacker can proxy the non-TLS-protected […]

Happy New Year!

2015 was a hectic year: a bunch of the specs that I have been working on (JWS [RFC7515], JWT [RFC7519], OAuth PKCE [RFC7636], JWK Thumbprint [RFC7638]) got published, and the work to convert the ISO/IEC 29100 Privacy Framework into a Japanese Industrial Standard started. We also had OpenID Summit Tokyo 2015, which gathered an audience of around 500. (The last time was back in 2011.) A book that […]

On the XARA vulnerability on MacOS X and iOS

Just came across this article: Apple CORED: Boffins reveal password-killer 0-days for iOS and OS X, by The Register. Since the news item itself did not explain the nature of the attack well enough, I went on to read the full paper: Xing, Bai, Li, Wang, Chen, Liao: “Unauthorized Cross-App Resource Access on MAC OS X and iOS” […]

JWS, JWT, and others now RFC!

It has taken soooo long [1], but JSON Web Signature (JWS) and JSON Web Token (JWT), together with the rest of the JW* suite, are finally Standards Track RFCs [2]. They are [RFC7515] and [RFC7519] respectively. For those of you who are not familiar with JWS and JWT: JWS is a digital signature standard for JSON, a JSON version of XML Signature […]