Torii Vulnerability Disclosure

Security researcher Devin Weaver recently disclosed to us at 201 Created that Torii, the Auth Ember.js addon that we maintain, has a potential security vulnerability. The vulnerability affects all versions of Torii before 0.9.1 and can allow third parties to obtain the provided code and any other parameters passed in the query string of a redirect callback URL from an OAuth provider.

Update May 25 2017: Edited to suggest using v0.9.5 of Torii.

Is Your App Affected?

Your app is only affected if all of the following are true:

  • It uses any Torii OAuth Provider that uses a web redirection flow (such as the OAuth 2.0 Authorization Code Grant flow) that passes sensitive parameters in the redirect URL query string. This includes all of the built-in OAuth 2 code and OAuth 1 providers. Any Torii provider that requires configuring a redirectUri is potentially affected.
  • It uses a redirectUri that loads your Ember app. This is the Torii default.
  • Your Ember app loads third-party assets (scripts, images or stylesheets).

Your App Is Not Affected If

Your app is not affected if any of the following are true:

  • It doesn’t use any Torii OAuth providers.
  • It uses the facebook-connect provider.
  • It uses the google-oauth2-bearer provider or another provider that passes sensitive data through the URL hash rather than the query string.
  • Your Ember app doesn’t load any third-party assets.
  • You have configured a redirectUri with the OAuth provider that loads a page outside of your Ember app (and that page doesn’t load any third-party assets).

What To Do If Your App is Affected

Take the following steps:

  • Upgrade Torii to version ^0.9.5
  • Change the registered redirectUri at the OAuth provider(s) that you use to be: <YOUR-APP-BASE-URL>/torii/redirect.html
  • Ensure your Ember app’s Torii configuration specifies this new URL for its redirectUri. Torii 0.9.5 uses this as its default.

If you are unable to upgrade Torii you can host your own static redirect page by copying the HTML and JavaScript from the Torii addon’s public/redirect.html.

Explanation of Vulnerability

For redirect-based OAuth flows, Torii opens a popup window (or iframe) from the app’s main window. The popup window is loaded with the URL for an OAuth provider (e.g. “https://accounts.google.com/o/oauth2/auth”). After the user has logged in with the provider and clicked to allow access, the OAuth provider will redirect the window to your registered redirectUri with a code parameter appended in the query string.

If the page that it redirects to loads any third-party assets, the browser will fetch those assets and send the current URL in the HTTP Referer header, including the sensitive code parameter in the query string, effectively transmitting this parameter to the third-party server.
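The static redirect page recommended above works because it loads no third-party assets, so the callback URL (and its code parameter) is never sent as a Referer; the page’s only job is to hand the query-string parameters back to the application window. The following is an added illustration of that logic, not Torii’s own public/redirect.html; the function names, the message shape and the app origin are assumptions, and the opener is a stand-in for window.opener.

```javascript
// Added example (not Torii's redirect.html): the minimal logic a static
// OAuth redirect page needs. Because this page references no third-party
// scripts, images or stylesheets, the browser never emits a Referer header
// carrying the `code` parameter to any server other than the app's own.

// Collect every parameter from the callback URL's query string
// (e.g. OAuth 2 `code`/`state`, OAuth 1 `oauth_token`/`oauth_verifier`).
function parseCallbackParams(callbackUrl) {
  const params = {};
  for (const [key, value] of new URL(callbackUrl).searchParams) {
    params[key] = value;
  }
  return params;
}

// Relay the parameters to the window that opened the popup. The targetOrigin
// is pinned to the app's own origin, so if the opener has been navigated to
// another origin the browser drops the message instead of delivering the code.
// Returns the message that was posted (hypothetical shape, for illustration).
function relayToOpener(callbackUrl, opener, appOrigin) {
  if (!opener) {
    throw new Error("no opener window: refusing to relay OAuth parameters");
  }
  const params = parseCallbackParams(callbackUrl);
  const looksLikeOAuth = ["code", "oauth_token", "error"].some((k) => k in params);
  if (!looksLikeOAuth) {
    throw new Error("callback URL carries no OAuth parameters");
  }
  const message = { type: "oauth-redirect", params };
  opener.postMessage(message, appOrigin);
  return message;
}

// Browser usage (assumed, not part of the original post):
//   relayToOpener(window.location.href, window.opener, "https://app.example");
//   window.close();
```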

Impact of Vulnerability

The code parameter from an OAuth provider can be used by an attacker to replay an OAuth request. Possession of the code by itself does not grant access to a user’s data at the OAuth provider (unlike an OAuth access_token). In order to obtain an access token, your backend must communicate securely, server-to-server, using the obtained code as well as the OAuth provider-issued client id and secret. As a result, possession of the code by itself is usually not sufficient for an attacker to obtain an access token, but by replaying an OAuth request flow, an attacker could trick your backend into associating their OAuth Provider account with a victim’s account. The impact of leaking the code parameter is mitigated somewhat by the fact that the only potential third parties that could view the code are third parties that you have already implicitly trusted (somewhat) by adding their scripts/images/css to your app.

For more detail on relevant security considerations see section 4.4 on the authorization code in RFC 6819, “OAuth 2.0 Threat Model and Security Considerations”.

For additional context on OAuth see this guide to the OAuth 2.0 authorization code grant flow, Aaron Parecki’s OAuth 2 Simplified, and a post I wrote titled Some Surprising Things About OAuth 2.0. This particular type of OAuth vulnerability is described in more detail here.

Responsible Disclosure

We appreciate the efforts of Devin Weaver to responsibly disclose this vulnerability to us and work with us to put together an effective mitigation strategy. As a result of this experience we have also updated Torii’s readme section to have a dedicated Security section. If you discover a vulnerability in Torii please let us know by emailing security@201-created.com. You can encrypt the message with our public key.
