PayPal offers patch for OAuth app hack hole

Payment giant takes second look at bad bugs.
PayPal has patched a phishing vulnerability that could allow attackers to steal any OAuth token for its payment apps and gain access to accounts.
Adobe systems engineer and OAuth expert Antonio Sanso found the token request flaw after experimenting with redirect URLs.

He found that PayPal's authorisation server, set up to handle OAuth token requests through the developer Dashboard, could be manipulated into accepting localhost as the redirect_uri to which tokens are delivered.
Sanso demonstrated the redirect_uri flaw by modifying requests made by the PayPal OAuth demonstration app, which set the real registered redirect_uri to https://demo.paypal.com/loginsuccessful:

https://www.paypal.com/signin/authorize?client_id=AdcKahCXxhLAuoIeOotpvizsVOX5k2A0VZGHxZnQHoo1Ap9ChOV0XqPdZXQt&response_type=code&scope=openid%20profile%20email%20address%20phone%20https://uri.paypal.com/services/paypalattributes%20https://uri.paypal.com/services/paypalattributes/business%20https://uri.paypal.com/services/expresscheckout&redirect_uri=https://demo.paypal.com/loginsuccessful&nonce=&newUI=Y

He then created a DNS entry for http://localhost.intothesymmetry.com to capture the requests:

https://www.paypal.com/signin/authorize?client_id=AdcKahCXxhLAuoIeOotpvizsVOX5k2A0VZGHxZnQHoo1Ap9ChOV0XqPdZXQt&response_type=code&scope=openid%20profile%20email%20address%20phone%20https://uri.paypal.com/services/paypalattributes%20https://uri.paypal.com/services/paypalattributes/business%20https://uri.paypal.com/services/expresscheckout&redirect_uri=http://localhost.intothesymmetry.com/&nonce=&newUI=Y

“So it really looks like that even though PayPal did in fact perform exact matching validation, localhost was a magic word and it overrode the validation completely,” Sanso says.
PayPal squashed the bug earlier this month, after initially deciding in September that it was not a vulnerability.
Sanso reported similar redirect_uri bugs to Facebook in 2014 that allowed OAuth access tokens to be stolen.
He says developers using OAuth should register complete, exact redirect_uri addresses, with no second-level redirects, to protect their apps. ®
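To make the validation failure concrete, here is an added example (not PayPal's code, and not Sanso's) that models a redirect_uri check with the kind of "localhost" shortcut the article describes beside a strict version. The client registrations and the assumption that the weak check matches any host beginning with "localhost" are constructed for illustration; the only relaxation the strict check keeps is the RFC 8252 loopback rule, under which a registered loopback callback may vary only in port.

```python
from urllib.parse import urlsplit

# Constructed client registrations: the demo app from the article, plus a
# hypothetical native app that legitimately registered a loopback callback.
REGISTERED_REDIRECTS = {
    "demo-client": {"https://demo.paypal.com/loginsuccessful"},
    "native-client": {"http://127.0.0.1/cb"},
}
LOOPBACK_HOSTS = {"localhost", "127.0.0.1", "::1"}


def weak_redirect_ok(client_id: str, redirect_uri: str) -> bool:
    """Exact match, plus the kind of 'localhost' shortcut Sanso observed.

    Assumed behaviour: any host that merely *starts with* 'localhost' skips
    validation, so the public DNS name localhost.intothesymmetry.com passes.
    """
    host = urlsplit(redirect_uri).hostname or ""
    if host.startswith("localhost"):
        return True  # the magic word overrides the exact-match check
    return redirect_uri in REGISTERED_REDIRECTS.get(client_id, set())


def strict_redirect_ok(client_id: str, redirect_uri: str) -> bool:
    """Byte-for-byte match against registered URIs; no magic words.

    Only RFC 8252's loopback rule is allowed: if the client registered a
    loopback URI, the port may vary, but scheme, host and path must still
    match exactly, and the host must *be* a loopback name, not start with one.
    """
    registered = REGISTERED_REDIRECTS.get(client_id, set())
    if redirect_uri in registered:
        return True
    req = urlsplit(redirect_uri)
    if req.hostname not in LOOPBACK_HOSTS or req.query or req.fragment:
        return False
    for uri in registered:
        reg = urlsplit(uri)
        if (reg.hostname in LOOPBACK_HOSTS and reg.scheme == req.scheme
                and reg.hostname == req.hostname and reg.path == req.path):
            return True
    return False
```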