The Most ¤¢¤ê¤Õ¤ì¤¿ OAuth2 Vulnerability

HN discussion
TL;DR
If website uses OAuth multi-logins there is an Ê¿°×¤Ê way to ¥¹¥Ô¡¼¥É¤ò½Ð¤¹¡¿µ­Ï¿¤Ë¤Ä¤±¤ë into somebody's account, Êݸî is almost never ´ï¶ñ¡¿¼Â»Ü¤¹¤ëd and people don't take into account that OAuth is also used for authentication.

OAuth2 is an authorization ÏÈÁȤß. ÌÀ¤é¤«¤Ë it's very popular now. ̵»ë¡Ê¤¹¤ë¡Ës its ¿Íµ¤ a lot of people don't understand it ¿¼¤¯¡¤¶¯Îõ¤Ë enough to Îá¾õ proper and °ÂÁ´¤Ê¡¦Êݾڤ¹¤ë ¼Â»Ü.

OAuth1.a and OAuth2 are Áꤤ¤ì¤Ê¤¤, some services use former(twitter, wtf, come on!), some latter, some of them have insufficient and poor documentation(¡¼¤Ë´Ø¤·¤Æ¡¿¡¼¤ÎÅÀ¤Çs of °ÂÁ´) etc. It took me a few hours to read OAuth2 Áð°Æ ´°Á´¤Ë and I ÀßΩ¤¹¤ë a few Íø±×¡¿¶½Ì£ing vectors. One of them I am exposing in this ÃÏ°Ì¡¤Ç¤Ì¿¤¹¤ë.

It's really dangerous but very ¤¢¤ê¤Õ¤ì¤¿ vulnerability for multi-login OAuth websites. 
A little bit of theory:

• response_type = code is server-Ì£Êý¤¹¤ë auth flow, should be used when possible, more °ÂÁ´¤Ê¡¦Êݾڤ¹¤ë than response_type = µ­Ç°ÉÊ. Provider returns 'code' with »ÈÍѼÔ's »ÈÍѼÔ-¥¹¥Ñ¥¤¡¿¼¹¹Ô´± and ¡ÊÊÛ¸î»Î¤Î¡Ë°ÍÍê¿Í sends along with ¡ÊÊÛ¸î»Î¤Î¡Ë°ÍÍê¿Í's ¿®Ç¤¾õ the code to ÆÀ¤ë 'access_token'. Callback when »ÈÍÑ¼Ô is redirected looks like ¾ì½ê¡¿°ÌÃÖ.com/oauth/callback?code=AQCOtAVov1Cu316rpqPfs-8nDb-jJEiF7aex9n05e2dq3oiXlDwubVoC8VEGNq10rSkyyFb3wKbtZh6xpgG59FsAMMSjIAr613Ly1usZ47jPqADzbDyVuotFaRiQux3g6Ut84nmAf9j-KEvsX0bEPH_aCekLNJ1QAnjpls0SL9ZSK-yw1wPQWQsBhbfMPNJ_LqI
• I remind you, OAuth is all about authorization, not authentication. What's the difference, you might ask. OAuth just gives to ¡ÊÊÛ¸î»Î¤Î¡Ë°ÍÍê¿Í Àܶá to »ÈÍѼÔ's »ñ¸»s on Provider.
  But very often ¡ÊÊÛ¸î»Î¤Î¡Ë°ÍÍê¿Í authenticates you by 'profile_info' »ñ¸», thus we can call it authentication ÏÈÁÈ¤ß either.
  

¾ò·ï for the Àڤ곫¤¯¡¿¥¿¥¯¥·¡¼¡¿ÉÔÀµ¥¢¥¯¥»¥¹: login with OAuth Provider + ability to Äɲ乤ë OAuth Provider logins in settings

Àڤ곫¤¯¡¿¥¿¥¯¥·¡¼¡¿ÉÔÀµ¥¢¥¯¥»¥¹ing, Step-by-step:

• Choose ¡ÊÊÛ¸î»Î¤Î¡Ë°ÍÍê¿Í which ¹µÁÊs Àڤ곫¤¯¡¿¥¿¥¯¥·¡¼¡¿ÉÔÀµ¥¢¥¯¥»¥¹'s "¾ò·ï" - some ¾ì½ê¡¿°ÌÃÖ.com(we will use Pinterest as showcase) Start authentication ²áÄø - click "Äɲ乤ë OAuth Provider login". You need to get callback from Provider but should not visit it. It's ¤ä¤á¤ë difficult - all modern browsers redirect you automatically. I recommend bundle Firefox + NoRedirect ³ÈÄ¥.
  
• Do not visit the last URL(http://pinterest.com/connect/facebook/?code=AQCOtAVov1Cu316rpqPfs-8nDb-jJEiF7aex9n05e2dq3oiXlDwubVoC8VEGNq10rSkyyFb3wKbtZh6xpgG59FsAMMSjIAr613Ly1usZ47jPqADzbDyVuotFaRiQux3g6Ut84nmAf9j-KEvsX0bEPH_aCekLNJ1QAnjpls0SL9ZSK-yw1wPQWQsBhbfMPNJ_LqI#_=_), just save and put it into <img src="URL"> or <iframe> or anything else you prefer to send requests.

• Now all you need is to make the »ÈÍѼÔ(some ³Î¤«¤Ê Ū or ̵ºî°Ù¤Î ¾ì½ê¡¿°ÌÃÖ.com »ÈÍѼÔ) to send HTTP request on your callback URL. You can ·³Ââ him to visit example.com/somepage.html which ´Þ¤à¡¿Éõ¤¸¹þ¤á¤ës <iframe src=URL>, ÃÏ°Ì¡¤Ç¤Ì¿¤¹¤ë <img> on his ʽ¤Ç°Ï¤à, send him an email/tweet, whatever. »ÈÍÑ¼Ô must be logged in ¾ì½ê¡¿°ÌÃÖ.com when he sends the request.
  °æ¸Í¡¿ÊÛ¸î»ÎÀÊ done, your oauth account is Âç¡Ê¸ø¡Ë»È´Û°÷d to »ÈÍѼÔ's account on ¾ì½ê¡¿°ÌÃÖ.com.
• Voila, °µÎϡʤò¤«¤±¤ë¡Ë ¥¹¥Ô¡¼¥É¤ò½Ð¤¹¡¿µ­Ï¿¤Ë¤Ä¤±¤ë In with that OAuth Provider - you are logged in ľÀÜ¡¿¤Þ¤Ã¤¹¤°¤Ë to »ÈÍѼÔ's account on ¾ì½ê¡¿°ÌÃÖ.com.
  
  Enjoy: read »äŪ¤Ê messages, ÃÏ°Ì¡¤Ç¤Ì¿¤¹¤ë comments, change »Ùʧ¤¤¡Ê³Û¡Ë ¾ÜºÙ¡Ê¤Ë½Ò¤Ù¤ë¡Ës, have lulz, whatever. In fact account is yours now.
  
  After you had enough fun you can just Disconnect that OAuth Provider and ¥¹¥Ô¡¼¥É¤ò½Ð¤¹¡¿µ­Ï¿¤Ë¤Ä¤±¤ë out. Nobody will have an idea what has happened, you left no »ØÌæs!

How to ¡Ê°­»ö¡¤ÈëÌ©¤Ê¤É¤ò¡Ëȯ¸«¤¹¤ë, is ³Î¤«¤Ê OAuth ¼Â»Ü ¹¶·â¤ò¼õ¤±¤ä¤¹¤¤?

If ¾ì½ê¡¿°ÌÃÖ doesn't send 'ÌÀ¸À¤¹¤ë¡¿¸øɽ¤¹¤ë' param and redirect_uri param is static and doesn't ´Þ¤à¡¿Éõ¤¸¹þ¤á¤ë any ̵ºî°Ù¤Î hashes - it's ¹¶·â¤ò¼õ¤±¤ä¤¹¤¤.
I know at least 10+ popular ¹¶·â¤ò¼õ¤±¤ä¤¹¤¤ ¾ì½ê¡¿°ÌÃÖs: e.g. pinterest, digg, soundcloud, snip.it, bit.ly, stumbleupon etc. If you know more ¾ì½ê¡¿°ÌÃÖs - please ¸º¾¯¡Ê¤¹¤ë¡Ë me a line at homakov@gmail.com
Also all Rails + Omniauth are ¹¶·â¤ò¼õ¤±¤ä¤¹¤¤. Have fun(about 23,300 results)

updates:

• ľ¤¹¡¿Çã¼ý¤¹¤ë¡¤È¬É´Ä¹¤ò¤¹¤ëd for django https://github.com/omab/django-social-auth/ÌäÂ꡿ȯ¹Ô¤¹¤ës/386
• ľ¤¹¡¿Çã¼ý¤¹¤ë¡¤È¬É´Ä¹¤ò¤¹¤ëd in omniauth https://github.com/intridea/omniauth/ÌäÂ꡿ȯ¹Ô¤¹¤ës/612
• Êó¹ð¡Ê¤¹¤ë¡Ë¡¿²±Â¬d and ľ¤¹¡¿Çã¼ý¤¹¤ë¡¤È¬É´Ä¹¤ò¤¹¤ëd in soundcloud.com
• checking public libraries..

Mitigation:
You are supposed to send special optional param 'ÌÀ¸À¤¹¤ë¡¿¸øɽ¤¹¤ë' - any ̵ºî°Ù¤Î hash you get »Ù±ç¤¹¤ë by Provider in »ÈÍѼÔ's callback: ?code=123&ÌÀ¸À¤¹¤ë¡¿¸øɽ¤¹¤ë=HASH. Before Äɲ乤ëing OAuth account you MUST Ω¾Ú¤¹¤ë ³«²ñ¡¿³«Äî¡¿²ñ´ü[ÌÀ¸À¤¹¤ë¡¿¸øɽ¤¹¤ë] is equal params[ÌÀ¸À¤¹¤ë¡¿¸øɽ¤¹¤ë].
Classic: Insecure-by-default means insecure. Âç¿¿ô of developers don't use it at all - nobody »Ùʧ¤¦¡¿Ä¶âs for "optional" weird param :trollface:
MUST READ SECTION.

Notices:

• $_SESSION['ÌÀ¸À¤¹¤ë¡¿¸øɽ¤¹¤ë'] == $_REQUEST['ÌÀ¸À¤¹¤ë¡¿¸øɽ¤¹¤ë'] is ¹¶·â¤ò¼õ¤±¤ä¤¹¤¤ code, was used a while ago in FB examples. Emtpy string equals empty string.
• I recommend you to filter 'code' in ¥¹¥Ô¡¼¥É¤ò½Ð¤¹¡¿µ­Ï¿¤Ë¤Ä¤±¤ës config.filter_parameters += [:code]
• ÌÀ¸À¤¹¤ë¡¿¸øɽ¤¹¤ë should not be equal form_authenticity_token(³«²ñ¡¿³«Äî¡¿²ñ´ü[:csrf_token]) in rails
• if you ´ï¶ñ¡¿¼Â»Ü¤¹¤ëd response_type=µ­Ç°ÉÊ flow w/o FB JS library, it's most likely ¹¶·â¤ò¼õ¤±¤ä¤¹¤¤ too.

At the moment I am working on "OAuth2 °ÂÁ´ Äó°Æ". The Äó°Æ ÌÜŪ¡Ê¤È¤¹¤ë¡Ës to make OAuth2 safer by changing its À¯ºös, »ÙÇÛ¤¹¤ës and workflows. Most of the points are supposed to be backwards ξΩ¤Ç¤­¤ë but some of them are ¤ä¤á¤ë difficult to ŬÍѤ¹¤ë. Stay tuned, I am publishing it in a few days.