@nov
Created February 10, 2012 07:56
Possible Security Hole in all iOS Apps using Facebook iOS SDK
Hi Apple security team,
Recently, John Bradley, one of the OpenID Connect spec editors, reported a security issue in using OAuth 2.0's "implicit flow (aka. client-side flow)" for user authentication.
The problem with OAuth for Authentication.
http://www.thread-safe.com/2012/01/problem-with-oauth-for-authentication.html
Solutions for using OAuth 2.0 for Authentication
http://www.thread-safe.com/2012/01/solutions-for-using-oauth-20-for.html
Why we need a id_token in openID Connect & Facebook Connect
http://www.thread-safe.com/2012/02/why-we-need-idtoken-in-openid-connect.html
These blog posts don't mention iOS apps, but one of the most major use cases of OAuth 2.0 is in iOS apps.
Especially apps using the Facebook iOS SDK (not only those apps, though).
When a user pushes the "login" button in such an app, the Facebook iOS SDK redirects the user to "fb-connect://..." and opens Facebook's official iOS app.
But in fact, there is no evidence that "fb-connect://" is for the Facebook official iOS app.
So let's consider:
* if an attacker develops an app which responds to the scheme
* he launches an app using the FB iOS SDK and starts the login flow
* the attacker's app returns a victim's Facebook access token which is established for another app (this app doesn't have to be an iOS app at all)...
* the app which received the token will send it to its back-end server, and the server will access the FB Graph API to get the token owner's user_id.
As a result, the attacker can login as the victim.
The main reason for this security issue is that the backend server doesn't notice the access token was established for another app.
There is no security hole in iOS itself.
However, I believe Apple can easily reject those apps just by checking this flow using an app that responds to the "fb-connect://" scheme, and letting the developer fix his/her backend server code.
If you need further info, I can help you anytime.
Thanks in advance
--
Nov Matake
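The backend-side fix the message points at, as an added example (not code from the gist, from Facebook, or from the Facebook iOS SDK): before a server treats a client-supplied access token as a login, it must confirm the token was issued to its own app. This example assumes the Graph API `debug_token` endpoint, which reports the `app_id` and `user_id` a token belongs to; the page itself does not name that endpoint. The introspection responses embedded below are constructed sample data, not real API output, and `naive_user_id` reproduces the vulnerable pattern described above so it can be compared with the hardened `verified_user_id`.

```python
"""Verify that an access token handed up by a mobile client was issued to
*this* app before accepting it as proof of identity.

Added example, not from the original gist or the Facebook SDK. Assumes the
Graph API `GET /debug_token?input_token=<token>&access_token=<app token>`
shape; all sample responses here are constructed.
"""
import time
from typing import Any, Callable, Dict, Optional

OUR_APP_ID = "111"  # constructed: the app id our backend belongs to

# Constructed introspection results. "tok-ours" was issued to our app,
# "tok-other" was issued to a different app (app_id 999) for the *same* user,
# which is exactly the token an attacker's scheme-squatting app could hand us.
FAKE_INTROSPECTION: Dict[str, Dict[str, Any]] = {
    "tok-ours": {"data": {"app_id": "111", "user_id": "42",
                          "is_valid": True, "expires_at": 2_000_000_000}},
    "tok-other": {"data": {"app_id": "999", "user_id": "42",
                           "is_valid": True, "expires_at": 2_000_000_000}},
    "tok-expired": {"data": {"app_id": "111", "user_id": "42",
                             "is_valid": False, "expires_at": 1_000_000_000}},
}


def fake_introspect(token: str) -> Dict[str, Any]:
    """Stand-in for the debug_token call (constructed data, no network)."""
    return FAKE_INTROSPECTION.get(token, {"data": {"is_valid": False}})


class TokenRejected(Exception):
    """The presented token must not be accepted as a login."""


def naive_user_id(token: str, introspect: Callable[[str], Dict[str, Any]]) -> Optional[str]:
    """Vulnerable pattern from the gist: any valid token's user_id is trusted.

    A token minted for another app still resolves to the victim's user_id, so
    the attacker logs in as the victim.
    """
    data = introspect(token).get("data", {})
    return data.get("user_id") if data.get("is_valid") else None


def verified_user_id(token: str,
                     expected_app_id: str,
                     introspect: Callable[[str], Dict[str, Any]],
                     now: Optional[float] = None) -> str:
    """Hardened: accept only a valid, unexpired token issued to our own app."""
    now = time.time() if now is None else now
    data = introspect(token).get("data", {})
    if not data.get("is_valid"):
        raise TokenRejected("token is not valid")
    # Audience check: the token must have been issued to *this* app.
    if str(data.get("app_id")) != str(expected_app_id):
        raise TokenRejected(
            "token issued to app %s, not %s" % (data.get("app_id"), expected_app_id))
    expires_at = data.get("expires_at") or 0  # 0 means a non-expiring token
    if expires_at and expires_at <= now:
        raise TokenRejected("token expired")
    return str(data["user_id"])


def rejection_reason(token: str, expected_app_id: str,
                     introspect: Callable[[str], Dict[str, Any]],
                     now: Optional[float] = None) -> Optional[str]:
    """None if the token is accepted, otherwise why it was rejected."""
    try:
        verified_user_id(token, expected_app_id, introspect, now)
        return None
    except TokenRejected as exc:
        return str(exc)


if __name__ == "__main__":
    t = 1_500_000_000
    for tok in FAKE_INTROSPECTION:
        print(tok, "naive ->", naive_user_id(tok, fake_introspect),
              "| verified ->", rejection_reason(tok, OUR_APP_ID, fake_introspect, t) or "accepted")
```

The naive path accepts "tok-other" and returns the victim's user_id, which is the hole the message describes; the hardened path rejects it because the token's `app_id` is not ours, and it also rejects invalid and expired tokens. The same audience check applies to any OAuth 2.0 implicit-flow login, not only Facebook's.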