Passing the FB token between apps on the device is not a real use of the implicit flow, Facebook may be reusing the pattern in an insecure way.
The NAPPS WG at the OIDF recognized that as insecure a long time ago. We are looking to use the S256 PKCE transform to secure similar sorts of on-device communication of the code between an OAuth proxy on the device and an app.

John B.

> On Jun 18, 2015, at 12:25 PM, Nat Sakimura <sakim...@gmail.com> wrote:
>
> Yup. Obviously, PKCE is for Code Flow and does not deal with Implicit flow.
> The best bet probably is to stop using Implicit flow for passing tokens around
> among apps, unless the token is capable of being sender confirmed.
>
> Nat
>
> 2015-06-18 23:47 GMT+09:00 Bill Mills <wmills_92...@yahoo.com>:
>
>> PKCE solves a subset of this, but not the general case. It doesn't solve the
>> FB example in the paper where the FB token is passed between apps locally.
>>
>> It is a clear win for the OAuth code flow for example though.
>>
>> On Thursday, June 18, 2015 7:31 AM, Nat Sakimura <sakim...@gmail.com> wrote:
>>
>>> Hi OAuthers:
>>>
>>> The XARA (Cross App Resource Access) paper was gaining interest here in Japan
>>> today because of the Register article [1].
>>> I went over the attack description in the full paper [2].
>>> The paper presents four kinds of vulnerabilities:
>>> 1. Password Stealing (Keychain)
>>> 2. Container Cracking (BundleID check bug on the part of Apple App Store)
>>> 3. IPC Interception (a. WebSocket non-authentication, and b. local OAuth redirect)
>>> 4. Scheme Hijacking
>>> Of those, 3.b and 4 are relevant to us, and we kind of knew them all the way through.
>>> These are the target attacks that PKCE specifically wants to address, and does
>>> address, I believe.
>>>
>>> [1] http://www.theregister.co.uk/2015/06/17/apple_hosed_boffins_drop_0day_mac_ios_research_blitzkrieg/
>>> [2] https://sites.google.com/site/xaraflaws/
>>>
>>> --
>>> Nat Sakimura (=nat)
>>> Chairman, OpenID Foundation
>>> http://nat.sakimura.org/
>>> @_nat_en
>>>
>>> _______________________________________________
>>> OAuth mailing list
>>> OAuth@ietf.org
>>> https://www.ietf.org/mailman/listinfo/oauth
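The S256 transform John mentions, as an added example that is not code from this thread or from any OIDF/NAPPS implementation: the authorization server binds each issued code to the code_challenge it arrived with and only redeems it for a caller presenting the matching code_verifier, so an app that merely observes the code on the device (the 3.b / scheme-hijack case) cannot exchange it. The AuthorizationServer class and demo_intercepted_code function are hypothetical names chosen here.

```python
import base64
import hashlib
import hmac
import secrets

def b64url(raw: bytes) -> str:
    """Base64url without padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def make_code_verifier() -> str:
    """32 random octets -> 43-char verifier (RFC 7636 section 4.1 allows 43..128 chars)."""
    return b64url(secrets.token_bytes(32))

def s256_challenge(code_verifier: str) -> str:
    """code_challenge = BASE64URL(SHA256(ASCII(code_verifier))) (RFC 7636 section 4.2)."""
    return b64url(hashlib.sha256(code_verifier.encode("ascii")).digest())

class AuthorizationServer:
    """Hypothetical in-memory AS: remembers the challenge that came with each issued code."""
    def __init__(self) -> None:
        self._pending: dict[str, str] = {}

    def authorize(self, code_challenge: str, method: str = "S256") -> str:
        if method != "S256":
            raise ValueError("only the S256 transform is accepted here")
        code = secrets.token_urlsafe(24)
        self._pending[code] = code_challenge
        return code

    def token(self, code: str, code_verifier: str):
        challenge = self._pending.pop(code, None)   # codes are single use
        if challenge is None:
            return None
        # Recompute the challenge from the presented verifier; compare in constant time.
        if not hmac.compare_digest(s256_challenge(code_verifier), challenge):
            return None
        return "access_token:" + secrets.token_urlsafe(16)

def demo_intercepted_code() -> dict:
    """Legit app holds the verifier; an app that only saw the code (scheme hijack) does not."""
    srv = AuthorizationServer()
    verifier = make_code_verifier()
    code = srv.authorize(s256_challenge(verifier))
    # Interceptor tries first with a verifier it made up: rejected, and the code is consumed.
    hijacker = srv.token(code, make_code_verifier())
    replay = srv.token(code, verifier)        # legit app also fails now: code already burned
    code2 = srv.authorize(s256_challenge(verifier))
    legit = srv.token(code2, verifier)        # fresh code + correct verifier succeeds
    return {"hijacker": hijacker is not None, "replay": replay is not None, "legit": legit is not None}
```

Note that a failed redemption still burns the code, so an interceptor that races the legitimate app denies it service even though it gets no token; that is the residual risk PKCE accepts.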