201612-04

Session fixation attack against the OAuth Request Token approval flow

Background

A session fixation attack was discovered years ago against the OAuth Request Token approval flow in the OAuth 1.0 protocol. To fix this issue, Revision A of the protocol was published.

Description

An attacker may craft a malicious link including a Request Token and send it to the victim, who may then approve the use of that token without noticing that an attack is in progress. The attacker is then able to complete the authorization flow with that token and access the protected resources that the Consumer site exposes as part of its service. If the attacker has an account on the Consumer site, the access may then be persistent.

The oauth module in SimpleSAMLphp makes use of an external OAuth library which is bundled with the module itself. This library was not compliant with Revision A of the OAuth 1.0 protocol and was therefore vulnerable to the aforementioned attack.

Affected versions

All SimpleSAMLphp versions before and including 1.14.11.

Impact

Those using the oauth module may be affected by this issue: access to protected resources may be granted to malicious third parties with the help of legitimate users who click on a manually crafted URL and approve access without suspecting anything.

Resolution

Upgrade to the latest version.