May 2nd, 2012, 07:01 AM
OAuth1: CSRF / user consent security issues
I'm currently having some issues with the OAuth1 module (trunk version). I'm trying to run the sparklr application, and run into some issues, all involving the user consent/approval.
My test client gets a request token at /oauth/request_token, which all goes well.
I then visit /oauth/authorize?oauth_token=<token>, which is looking for a requestToken parameter, and throws an InvalidOAuthTokenException. This causes a destroy of any existing authentication, and a redirect to /oauth/confirm_access (without the token...). Since the token is missing, I can't give consent (and because of the earlier authentication exception, I always have to relogin). If I visit /oauth/confirm_access?oauth_token=<token> manually all works well.
A much bigger issue though, is that it seems there are not any checks on the /oauth/authorize request. If I visit /oauth/authorize?requestToken=<token> directly, my token is authorized and I'm redirected back to the consumer. An evil consumer could use this to get user tokens without their consent, a _major_ CSRF issue.
Am I missing something here, or is the user approval flow of the OAuth1 module seriously flawed and a big security risk?
Last edited by MikeN123; May 2nd, 2012 at 07:06 AM.
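Added example, not code from this thread or from Spring Security OAuth: a small Python model of the consent step, with the unchecked behaviour the post describes beside a handler that only approves a request token on an explicit POST carrying a one-time nonce issued to that session with the consent page. Class and method names, and the callback URL, are assumptions.

```python
import secrets
from dataclasses import dataclass

@dataclass
class RequestToken:
    token: str
    consumer_key: str
    callback: str
    authorized: bool = False
    user: str = ""
    verifier: str = ""

class AuthorizeEndpoint:
    """Hypothetical model of /oauth/authorize; not Spring Security OAuth's code."""
    def __init__(self):
        self.tokens = {}
        # consent nonce keyed by (session, request token), issued with the consent page
        self._pending = {}

    def issue_request_token(self, consumer_key, callback):
        t = RequestToken(secrets.token_urlsafe(16), consumer_key, callback)
        self.tokens[t.token] = t
        return t

    def authorize_unchecked(self, token):
        """The behaviour the post describes: a bare GET with the token authorizes it.
        Nothing ties this to a user's decision, so any page the user visits can trigger it."""
        t = self.tokens[token]
        t.authorized, t.verifier = True, secrets.token_urlsafe(8)
        return f"{t.callback}?oauth_token={token}&oauth_verifier={t.verifier}"

    def render_consent(self, session_id, token):
        """GET step: show consumer and token, and bind a one-time nonce to this session."""
        if token not in self.tokens or self.tokens[token].authorized:
            raise LookupError("unknown or already-authorized request token")
        nonce = secrets.token_urlsafe(16)
        self._pending[(session_id, token)] = nonce
        return {"consumer": self.tokens[token].consumer_key, "oauth_token": token, "csrf": nonce}

    def approve(self, session_id, user, token, csrf, method="POST"):
        """POST step: approve only with the nonce issued to this session for this token."""
        if method != "POST":
            raise PermissionError("consent must be an explicit POST, not a link visit")
        expected = self._pending.pop((session_id, token), None)  # one-time use
        if expected is None or not secrets.compare_digest(expected, csrf):
            raise PermissionError("missing, stale or mismatched consent nonce")
        t = self.tokens[token]
        t.authorized, t.user, t.verifier = True, user, secrets.token_urlsafe(8)
        return f"{t.callback}?oauth_token={token}&oauth_verifier={t.verifier}"
```

A mismatched nonce deliberately discards the pending consent, so the user has to reload the consent page before approving.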
May 2nd, 2012, 07:28 AM
OAuth1 is not a big priority for me, so unless someone cares enough to look into this you are out of luck in the short term at least. You can raise a JIRA ticket, but the only way to guarantee progress is to submit a fix yourself.
May 2nd, 2012, 02:00 PM
Well, before fixing it myself, it would be nice to know if my conclusions are right or if I'm doing something wrong.
It may also be a good idea to warn users of the security implications, which are huge if there is no validation done by the authorize URL.