2016-02-18

HTTP 307 Temporary Redirect), identity providers (IdPs) inadvertently forward user credentials (i.e., username and password) to the relying party (RP) or the attacker. In the second attack, a network attacker can impersonate any victim.
"This severe attack is caused by a logical flaw in the OAuth 2.0 protocol and depends on the presence of a malicious identity provider," the researchers said.
The researchers said that to fix this problem, only HTTP 303 redirects should be permitted in OAuth, since "the HTTP 303 redirect is defined unambiguously to drop the body of an HTTP POST request."
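To see why the status code matters, the following is an added example (not code from the article or from the paper it reports on) that models, per RFC 7231, what a conforming user agent sends after a 307 versus a 303 redirect from an IdP login endpoint. The hosts, the credentials and the authorization code value are constructed for illustration.

```python
# Added example (not from the article or the paper it reports on): a model of
# how a conforming user agent replays a POSTed login form after a 307 versus
# a 303 redirect from the IdP. URLs, the code value and the credentials are
# constructed for illustration.
from dataclasses import dataclass, field
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlsplit


@dataclass
class Request:
    method: str
    url: str
    body: str = ""


@dataclass
class Response:
    status: int
    headers: dict = field(default_factory=dict)


def follow_redirect(req: Request, resp: Response) -> Optional[Request]:
    """The follow-up request a user agent sends for a redirect response.

    RFC 7231: 307 (and 308) keep the original method and body, so a POST with
    the login form is POSTed again to the Location target. 303 always turns
    the follow-up into a GET without a body.
    """
    if resp.status not in (301, 302, 303, 307, 308):
        return None
    location = resp.headers["Location"]
    if resp.status in (307, 308):
        return Request(req.method, location, req.body)
    # 303 by definition; browsers also treat 301/302-after-POST this way
    return Request("GET", location, "")


def idp_login_endpoint(req: Request, status: int, redirect_uri: str) -> Response:
    """Toy IdP login handler: checks a POSTed form and redirects to the RP."""
    form = parse_qs(req.body)
    if not (form.get("username") and form.get("password")):
        return Response(400)
    code = "AUTHZ_CODE_123"  # constructed value, stands in for a real code
    return Response(status, {"Location": f"{redirect_uri}?code={code}&state=s1"})


def rp_redirect_endpoint(req: Request) -> dict:
    """What the RP's redirect endpoint actually receives."""
    query = parse_qs(urlsplit(req.url).query)
    return {
        "method": req.method,
        "code": query.get("code", [None])[0],
        "body": parse_qs(req.body),  # non-empty only if the body was replayed
    }


def run_login(status: int) -> dict:
    """User POSTs credentials to the IdP; the IdP answers with `status`."""
    login = Request("POST", "https://idp.example/login",
                    urlencode({"username": "alice", "password": "hunter2"}))
    resp = idp_login_endpoint(login, status, "https://rp.example/callback")
    return rp_redirect_endpoint(follow_redirect(login, resp))


if __name__ == "__main__":
    print("307:", run_login(307))  # RP sees username and password in the body
    print("303:", run_login(303))  # RP sees only the code
```

With a 307 the RP's redirect endpoint receives a POST whose body still carries `username` and `password`; with a 303 it receives a GET carrying only the code. A malicious RP (or any host the IdP redirects to) therefore gets the user's IdP credentials for free under 307, which is exactly the leak the researchers describe.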
The second flaw involves an attack on the RP website: "The attacker confuses an RP about which IdP the user chose at the beginning of the login/authorisation process in order to acquire an authentication code or access token which can be used to impersonate the user or access user data." In the man-in-the-middle (MitM) variant, a network attacker tampers with the user's IdP selection in transit so that the RP records the attacker's IdP as the one the user chose, while the user is in fact sent on to the honest IdP.
"As a result, the RP sends the Authorization Code or the access token (depending on the OAuth mode) issued by the honest IdP to the attacker, who then can use these values to login at the RP under the user's identity (managed by the honest IdP) or access the user's protected resources at the honest IdP."
The researchers said that to fix this, OAuth 2.0 should include the identity of the IdP in the redirect in some form. "More specifically, we propose that RPs provide a unique redirection endpoint for each IdP. Hence, the information which IdP redirected the browser to the RP is encoded in the request and the RP can detect a mismatch."
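The mix-up described above, and the per-IdP redirect endpoint that detects it, as an added example (not code from the article or from the paper): a toy RP that either shares one redirect endpoint between all IdPs or uses one per IdP, an honest IdP that only redirects to the `redirect_uri` the RP registered with it, and a run of the attack against each configuration. Hosts, `client_id`, `state` and the code value are constructed; the tampering of the user's IdP selection is assumed to happen on an unprotected first request to the RP.

```python
# Added example (not from the article or the paper): a model of the IdP
# mix-up attack against an RP that shares one redirect endpoint between IdPs,
# and of the per-IdP redirect endpoint that lets the RP detect it. Hosts,
# client_id, state and code values are constructed.
from urllib.parse import parse_qs, urlencode, urlsplit

IDPS = {
    "honest": {"authz": "https://honest-idp.example/authorize",
               "token": "https://honest-idp.example/token"},
    "attacker": {"authz": "https://attacker-idp.example/authorize",
                 "token": "https://attacker-idp.example/token"},
}


class RelyingParty:
    def __init__(self, per_idp_endpoints: bool):
        self.per_idp_endpoints = per_idp_endpoints
        self.session = {}
        self.token_requests = []  # (token endpoint, code) the RP sent out

    def redirect_uri(self, idp_name: str) -> str:
        if self.per_idp_endpoints:
            return f"https://rp.example/callback/{idp_name}"
        return "https://rp.example/callback"  # one endpoint for every IdP

    def start_login(self, chosen_idp: str) -> str:
        """Step 1: remember which IdP the user picked, redirect the browser there."""
        self.session = {"idp": chosen_idp, "state": "s1"}
        params = urlencode({"client_id": "rp", "state": "s1",
                            "redirect_uri": self.redirect_uri(chosen_idp)})
        return f"{IDPS[chosen_idp]['authz']}?{params}"

    def redirect_endpoint(self, url: str) -> None:
        """Step 3: the browser returns with a code; redeem it at the IdP the
        session says was chosen."""
        parts = urlsplit(url)
        query = parse_qs(parts.query)
        if query["state"] != [self.session["state"]]:
            raise ValueError("state mismatch")  # state survives the mix-up, so this passes
        if self.per_idp_endpoints:
            idp_from_path = parts.path.rsplit("/", 1)[-1]
            if idp_from_path != self.session["idp"]:
                raise ValueError("IdP mix-up detected")
        idp = self.session["idp"]
        self.token_requests.append((IDPS[idp]["token"], query["code"][0]))


def honest_idp_authorize(authz_url: str, registered_redirect_uri: str) -> str:
    """Step 2: honest IdP authenticates the user and redirects back to the
    redirect_uri the RP registered with it, carrying the code."""
    query = parse_qs(urlsplit(authz_url).query)
    if query["client_id"] != ["rp"] or query["redirect_uri"] != [registered_redirect_uri]:
        raise ValueError("unknown client or unregistered redirect_uri")
    params = urlencode({"code": "CODE_FROM_HONEST_IDP", "state": query["state"][0]})
    return f"{registered_redirect_uri}?{params}"


def run_mixup(per_idp_endpoints: bool) -> dict:
    rp = RelyingParty(per_idp_endpoints)
    # The user selects the honest IdP, but a network attacker rewrites the
    # (unprotected) selection in transit, so the RP records the attacker's IdP.
    authz_url = rp.start_login("attacker")
    state = parse_qs(urlsplit(authz_url).query)["state"][0]
    # The attacker's IdP forwards the browser to the honest IdP, using the
    # RP's real client_id and the redirect_uri the RP registered there.
    forwarded = f"{IDPS['honest']['authz']}?" + urlencode(
        {"client_id": "rp", "state": state, "redirect_uri": rp.redirect_uri("honest")})
    callback_url = honest_idp_authorize(forwarded, rp.redirect_uri("honest"))
    try:
        rp.redirect_endpoint(callback_url)
        outcome = "code redeemed"
    except ValueError as err:
        outcome = str(err)
    return {"outcome": outcome, "token_requests": rp.token_requests}


if __name__ == "__main__":
    print("shared endpoint:", run_mixup(False))  # code goes to the attacker's token endpoint
    print("per-IdP endpoint:", run_mixup(True))  # mix-up detected, nothing sent
```

With the shared endpoint the RP redeems the honest IdP's code at the attacker's token endpoint, handing the attacker a valid code for the user's account; the `state` check does not help, because `state` is carried through the whole flow unchanged. With a redirect endpoint per IdP, the honest IdP can only redirect to `/callback/honest`, which disagrees with the `attacker` recorded in the session, and the RP refuses before sending anything.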