[OAUTH-WG] Vulnerability in the OAuth2 Mobile flow May lead to access token leakage
Michael Reizelman
2017-01-05 18:33:45 UTC
Hi,

During my tests of the Facebook OAuth2.0 implementation I have discovered a
vulnerability which I first thought was due to bad implementation. However,
after reporting it to them and analyzing the official specification,
including the PKCE standard, I have realized that this attack can be used
against any OAuth2.0 current specification. I have encountered this email
on http://www.rfc-editor.org/info/rfc7636 so I have wanted to make sure
whether this is the place to securely report this flaw (which may lead to
compromise of access tokens on every OAuth2.0 mobile implementation)? And
if not, who can I contact about this?

Thanks,
Michael
John Bradley
2017-01-05 19:54:00 UTC
This is a public list, so it would not be the place to confidentially disclose a vulnerability.

I think Hannes was going to set up a confidential security list.

If it relates to PKCE you can contact myself or Nat as a place to start.

It would be news to me if Facebook was using RFC7636. Likely they accept and ignore the parameters if you were to send it to them.

I know Google has it implemented.

We are finishing work on https://tools.ietf.org/html/draft-ietf-oauth-native-apps, so if you have something relevant to native app security that we are not covering now would be a good time to bring it up.
Myself or William Denniss can be contacted as the editors for that.

Regards
John B.
_______________________________________________
OAuth mailing list
https://www.ietf.org/mailman/listinfo/oauth