Thursday, April 23, 2009

Google OAuth Security Flaw

A security vulnerability in the OAuth protocol was announced last night. This is the mechanism we use to have access tokens granted to us for users' Google calendar and contact data. Google has implemented the recommended warning message on their access request page, which reads:

This website is registered with Google to make authorization requests, but has not been configured to send requests securely. If you grant access but you did not initiate this request at, it may be possible for other users of to access your data. We recommend you deny access unless you are certain that you initiated this request directly with

I think the message must have been written on the assumption that a fixed OAuth protocol will be introduced in the future (hence the 'has not been configured...' part). Unfortunately, right now that doesn't exist, so there's no way for us to 'configure' our service appropriately.

So what does this mean for our users? Having analysed the vulnerability, our bottom line is this: if you ever see the Google page where you grant access, you need to be sure that you yourself initiated that access request. That is, you just came from our site and had just clicked the 'Request account access' button. The vulnerability depends on someone tricking you into clicking 'grant access' on that page after you followed a link on some other page (not on our site). This is exactly what the alert message on the page says, so if you read and understand the page, you're ok.

Update: There's a good description of the problem in this blog post. It turns out that the attack is not so easy to pull off against our service because we take steps to ensure that the Google id stored in your account matches the data accessed by the Google access token. In general the attacker won't know the victim's Google id and therefore the attack will fail.
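To make the two defences discussed above concrete, here is an added example (not code from the original post or from our service) that simulates the request-token dance in memory. Google's token endpoints are replaced by a constructed stub; the `Service` class, its method names and the session ids are hypothetical. Check 1 ties each request token to the browser session that clicked 'Request account access', so a callback carrying a token that session never started is refused. Check 2 is the defence the update describes: after the access token is obtained, the Google id it gives access to must match the Google id already stored for the account, otherwise the token is discarded.

```python
"""Added example (not code from the original post): two server-side checks a
consumer can apply to OAuth 1.0 callbacks. Google is stubbed; nothing here
talks to the network."""
import secrets
from dataclasses import dataclass, field


class AuthorizationError(Exception):
    """Raised when a callback fails one of the two checks."""


class FakeGoogle:
    """Constructed stand-in for Google's request/access token endpoints."""

    def __init__(self):
        self.granted = {}        # request token -> Google id of the user who granted access
        self.access_tokens = {}  # access token  -> Google id it gives access to

    def user_grants(self, request_token: str, google_id: str) -> None:
        # The user clicked 'grant access' on Google's page for this request token.
        self.granted[request_token] = google_id

    def exchange(self, request_token: str) -> str:
        # Consumer swaps an authorized request token for an access token.
        google_id = self.granted.pop(request_token)
        access_token = secrets.token_urlsafe(16)
        self.access_tokens[access_token] = google_id
        return access_token

    def owner_of(self, access_token: str) -> str:
        # Stands in for reading the user's own id from the data the token unlocks.
        return self.access_tokens[access_token]


@dataclass
class Service:
    """Hypothetical consumer. Stores which session started each request token
    and the Google id previously recorded for each account."""

    account_google_id: dict = field(default_factory=dict)  # account -> known Google id
    pending: dict = field(default_factory=dict)            # request token -> session id

    def start_request(self, session_id: str) -> str:
        """User clicks 'Request account access': obtain a request token (stubbed
        here as a random string) and remember which session asked for it."""
        request_token = secrets.token_urlsafe(16)
        self.pending[request_token] = session_id
        return request_token

    def finish_request(self, session_id: str, account: str,
                       request_token: str, google: FakeGoogle) -> str:
        """Google redirects the browser back to us with the request token."""
        # Check 1: the token must have been started by this very session.
        # pop() also makes every request token single-use.
        if self.pending.pop(request_token, None) != session_id:
            raise AuthorizationError("request token was not started by this session")
        access_token = google.exchange(request_token)
        # Check 2: the identity behind the token must be the account's known Google id.
        if google.owner_of(access_token) != self.account_google_id[account]:
            raise AuthorizationError("access token belongs to a different Google id")
        return access_token


def run_scenarios() -> dict:
    """Exercise the checks with constructed accounts and sessions."""
    google = FakeGoogle()
    svc = Service(account_google_id={"alice": "alice@example.com",
                                     "mallory": "mallory@example.com"})
    results = {}

    # Alice starts and finishes the dance herself: both checks pass.
    token = svc.start_request("sess-alice")
    google.user_grants(token, "alice@example.com")
    svc.finish_request("sess-alice", "alice", token, google)
    results["legitimate"] = "accepted"

    # The flaw the post describes: a token started by Mallory's session is
    # granted by Alice. Check 1 passes, check 2 rejects it because the token
    # reaches Alice's data, not the Google id stored for Mallory's account.
    token = svc.start_request("sess-mallory")
    google.user_grants(token, "alice@example.com")
    try:
        svc.finish_request("sess-mallory", "mallory", token, google)
        results["fixation"] = "accepted"
    except AuthorizationError:
        results["fixation"] = "rejected"

    # A callback carrying a token this session never started fails check 1.
    try:
        svc.finish_request("sess-alice", "alice", "never-issued", google)
        results["unknown_token"] = "accepted"
    except AuthorizationError:
        results["unknown_token"] = "rejected"
    return results


if __name__ == "__main__":
    print(run_scenarios())
```

The second check is the one that matters for a service whose accounts already carry a Google id: even if the user was lured into authorizing a token, the token cannot be attached to any account other than the one whose data it actually reaches.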


Anonymous said...

Interesting! Thanks for the heads-up. By the way, "Google" is a singular noun.

David Boreham said...

Posted that before my first morning espresso. I've fixed the singularity problem.