I hope the reason of this name will be clear soon.
In a nutshell the section 4.1.3 of the OAuth 2 core specification aka RFC 6749 says:
The client MUST NOT use the authorization code more than once. If an authorization code is used more than once, the authorization server MUST deny the request and SHOULD revoke (when possible) all tokens previously issued based on that authorization code.
Now this is a really simple claim, but it turned out that two major providers as Facebook and Google violated it, until I did report the 'violation'.
For this Facebook decided to reward me with a bug bounty (a while ago) and Google (only) with an honorable mention :(.
Now you might wonder what is so dangerous on violating section 4.1.3 of the spec? Hopefully this thread in the OAuth ietf mailing list will convince you that this can actually be 'dangerous' .
End of story ? Almost, there is some odds and ends :)
Indeed, when Google tried to 'fix' their implementation (after my report) introducing section 4.1.3 I have noticed an interesting behavior of their token endpoint and as turned out I could exploit it.
Indeed while not accepting the authorization code twice the were a bit too verbose on the error message :).
This alone would not be enough to actually exploit it but the token endpoint of Google has an "interesting" behavior.
Indeed the authorization code is on the form TOKEN1.TOKEN2 and only TOKEN1 is validated!!!
Now the attack would look like this:
- register a client id
- obtain an authorization token in the authorization endpoint (https://accounts.google.com/
o/oauth2/auth) e.g. 4/ShttLZGi8w7b0MF5iRsdKBkaBB-6.Qrl8jChpba4TYKs_1NgQtmW51KPvhgI
- now change the authorization code from 4/ShttLZGi8w7b0MF5iRsdKBkaBB-6.Qrl8jChpba4TYKs_1NgQtmW51KPvhgI to 4/ShttLZGi8w7b0MF5iRsdKBkaBB6.Qrl8jChpba4TYKs_1NgQtmW51KPvhgI<script>alert('hello')</script> and ask for an access token
- As said this is going to be a valid authorization code and the access token is received due the fact that the authorization code is of the form TOKEN1.TOKEN2 and only TOKEN1 is validated!!!!!
- So now we have everything to perform the attack :)
- Indeed re-request the access token using the same forged authorization code (namely 4/ShttLZGi8w7b0MF5iRsdKBkaBB6.Qrl8jChpba4TYKs_1NgQtmW51KPvhgI<script>alert('hello')</script>). The authorization code is no longer accepted since the authorization code can be used only once. The interesting part of all this is how the token endpoint answers to this no longer valid authorization code. Indeed the error response looked like this:
|as you can see the output is not sanitized specifically the part 4/ShttLZGi8w7b0MF5iRsdKBkaBB-|
This time (finally) Google actually rewarded me with a bounty :)
Nice catch! I’ve filed a bug asking that HTML special characters be escaped in the JOSN output. I filed this at moderate severity as I don't believe this is exploitable on recent browsers. The response is returned with content type set to application/json and the header X-Content-Type-Options: nosniff is present, which should prevent the browser from interpreting the result as HTML.