8

In this post: http://technotes.iangreenleaf.com/posts/closing-another-nasty-security-hole-in-oauth.html

Enter your full callback URL(s) in this field. This means you should be providing the entire path, such as https://mysite.com/oauth/callback. Do not use wildcards, and do not use only the domain.

The post calls out that wildcards aren't safe.

Later, the post offers an example that only shows a vulnerability of an arbitrary callback URL.

I wonder why a callback like https://*.mysite.com/oauth/callback would be unsafe. It seems none of the OAuth providers support it (e.g. Google and Facebook).

Thank you.

Tanin

2 Answers

4

There are more reasons why this is unsafe:

  • OAuth can be redirected to any subdomain under the wildcard, potentially leaking the token and so on. Example: if you have just some subdomain and don't own the whole wildcard, then the attacker can register another subdomain and make a really good phishing attack, like a login page, or serve a malicious webpage.

  • Each token issued this way will be cross-wildcard-origin (I don't know how many apps you have under this wildcard).

  • If you have SSL just for some subdomain under the wildcard, the MitM attack is easy, as I can redirect to a non-HTTPS web service of yours, obtain the token and log in as that user.

  • Depending on the OAuth provider's implementation and yours, if you have SSL for *.example.com the attacker can still use ..example.com to MitM attack the end user, as the DNS takes this but the. Sure, if the OAuth doesn't validate if subdomain of subdomain.

Related question: Can someone explain the "Covert Redirect" vulnerability in OAuth and OpenID?

2

First thing that comes to mind is that subdomain takeover attacks become more powerful. This can also potentially let, say, your hosted helpdesk software at support.example.com generate valid oauth tokens for admin.example.com for privilege escalation.

And, for bonuses, there are folks running on hosting providers that give a subdomain out for free. Thus, if I can generate an oauth token from one, then I can get a token good for anyone else.

Ryan Gooler
  • Thank you for your answer. I understand it now. Most users, I guess, won't be using oauth on multiple subdomains anyway. The one who uses it needs to implement themselves. It's a fair judgement call. – Tanin Sep 25 '18 at 16:10
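Both answers come down to how the authorization server compares the redirect_uri it receives with what was registered. The following is an added illustration of that difference; it is not code from the question, either answer, or the linked post. It assumes a fictional app registered at app.example.com (example.com is a reserved documentation domain) and uses constructed redirect_uri values of the kinds the answers describe: another subdomain under the wildcard, a nested subdomain, a plain-HTTP downgrade, and a path change. The exact matcher follows the strict comparison RFC 6749 section 3.1.2.2 recommends; the wildcard matcher is a deliberately naive one of the kind the answers warn against.

```python
"""Redirect URI validation: exact match versus naive wildcard match."""
from __future__ import annotations

from fnmatch import fnmatchcase
from urllib.parse import urlsplit

# Constructed registration data (assumption: one app at app.example.com).
REGISTERED_EXACT = {"https://app.example.com/oauth/callback"}
REGISTERED_WILDCARD = "https://*.example.com/oauth/callback"

# Constructed redirect_uri values an authorization server might receive.
CANDIDATES = {
    "legitimate": "https://app.example.com/oauth/callback",
    # A different subdomain: the attacker-registered or takeover case.
    "other_subdomain": "https://support.example.com/oauth/callback",
    # "Subdomain of subdomain" case from the first answer.
    "nested_subdomain": "https://foo.app.example.com/oauth/callback",
    # Downgrade to plain HTTP: the non-HTTPS MitM case.
    "plain_http": "http://app.example.com/oauth/callback",
    # Same host, different path.
    "different_path": "https://app.example.com/oauth/callback/../../profile",
}


def exact_match(redirect_uri: str, registered: set[str]) -> bool:
    """Strict string comparison against the registered URIs.

    No normalization, no prefix or pattern matching: the value must be
    byte-for-byte one of the registered callbacks (RFC 6749 section 3.1.2.2).
    """
    return redirect_uri in registered


def wildcard_match(redirect_uri: str, pattern: str) -> bool:
    """Naive wildcard matching, shown only to make the weakness visible.

    Scheme, path and query are compared exactly; the host is matched with
    fnmatch, whose '*' also matches dots, so every subdomain and every nested
    subdomain under example.com is accepted.
    """
    r, p = urlsplit(redirect_uri), urlsplit(pattern)
    return (
        r.scheme == p.scheme
        and fnmatchcase(r.hostname or "", p.hostname or "")
        and r.path == p.path
        and r.query == p.query
    )


def evaluate() -> dict[str, dict[str, bool]]:
    """Run every constructed candidate through both matchers."""
    return {
        name: {
            "exact": exact_match(uri, REGISTERED_EXACT),
            "wildcard": wildcard_match(uri, REGISTERED_WILDCARD),
        }
        for name, uri in CANDIDATES.items()
    }


if __name__ == "__main__":
    for name, result in evaluate().items():
        print(f"{name:18s} exact={result['exact']!s:5s} wildcard={result['wildcard']}")
```

Running it shows the exact matcher accepting only the registered callback, while the wildcard matcher also accepts support.example.com and foo.app.example.com, which is precisely the cross-subdomain token issuance the second answer describes. This wildcard matcher still insists on https, so the plain-HTTP candidate is rejected; an implementation that relaxed the scheme as well would also accept the downgrade case from the first answer's third point.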