Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

What are the security risks of Implicit flow

Tags:

oauth-2.0

google-oauth

facebook-oauth

oauth2

Implicit flow is considered to be insecure. I'm aware of two problems:

  1. Confused deputy. But to overcome it you just need to check whether access_token was given to your application. Not a big deal.
  2. XSS attack. So if our access_token was stolen via XSS attack, it can be used to make requests (that are part of the scope we originally requested). It sucks but it's hard to steal access_token as most likely we had it only on our login page and didn't store in app state as it's short-living (I guess that's why Implicit workflow does not support refresh tokens).

It doesn't look too bad. Are there any other security vulnerabilities that I'm not aware of?

like image 635
SiberianGuy Avatar asked Feb 01 '17 04:02

SiberianGuy

1 Answers

The correct statement should be

implicit flow is insecure relatively to the code flow.

If an attacker wants to steal user access tokens from an app using code flow, then the attacker has to break into the server network and either uncover the app secret or eavesdrop the network traffic from server to Google (which is HTTPS) to get an hold to the access token.

In the implict flow the access token resides in the browser. In this case there are many other possibilities for an attacker to steal tokens without having to compromise a network.

  • XSS (as you already explained)
  • Confused deputy problem (as you already explained)
  • Session fixation issues (using user A's token in user B's session. https://www.facebook.com/FacebookforDevelopers/videos/10152795636318553/ )
  • redirect_url parameter manipulation
  • (possible) token leakage with referrer header
  • Various phishing and social engineering possibilities to trick the users to leak their access token (easier than asking for their password)

But as you said, it is straightforward to mitigate all those errors if you are a security aware developer. But still there is a chance for these vulnerabilities if you implement the implicit flow. Therefore it might be a good idea if you don't deliver the token to browser and handle the token in a server side component (code flow).

like image 172
SureshAtt Avatar answered Nov 08 '22 21:11

SureshAtt
Sign in to Comment

Related questions

How can I get this Google Login ID Token from this Android app to verify server-side?
Google OAuth 2: response_type error on token request
How do I implement an OAuth2 Authorization_Code Flow in Web Api using OWIN Middleware?
Use Python social auth to only get tokens
php7 oauth illegal memory allocation
Google Calendar API gives 403 error during OAuth even though it seems to grant access
OAuth 2.0 -- What's new? [closed]
Is it possible to get phone number via Google oAuth2?
Google calendar API for PHP simple read-only request to get calendar events
What characters are allowed in an OAuth2 access token?
Google Contacts v3 API & OAuth v2, in Java
Change OWIN Auth Middleware Per Request (Multi-tenant, oauth API keys per tenant)
Facebook Login and OpenID Connect
SSO and REST Api Authentication on multiple Application
Verify the integrity of Google ID token in Ruby
Client ID or Multiple Audiences In JSON Web Token
Has anyone successfully used Azure AD to authenticate users for a Node.js web application?
OAuth2 scope for Google Custom Search API
AFOAuth2Client and refresh token
What's the meaning of SubjectConfirmation in OAuth2 SAML authorization grant?

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!