title: "SquarePhish: Advanced phishing tool combines QR codes and OAuth 2.0 device code flow"
194
194
author:
195
195
- name: Kam Talebzadeh
@@ -344,7 +344,7 @@ Device to access a resource (e.g., access to a service). The Device
344
344
Authorization Grant {{RFC8628}} and Client-Initiated Backchannel
345
345
Authentication {{CIBA}} are two examples of popular cross-device authorization flows.
346
346
347
-
In these flows, the Consumption Device and the Authorization Device are not directly connected and there are no technical mechanisms for the Authorization Device and Consumption Device to establish mutual authentication. It is left to the user to decide whether the source of the authorization request (the Consumption Device) should be trusted before they scan a QR code, enter a user code, or accept an authorization request pushed to their Authorization Device. The transfer of the authorization request and context between the Consumption Device and Authorization device is done over an unauthenticated channel. The only mitigation against this unauthenticated channel is the user's judgement.
347
+
In these flows, the Consumption Device and the Authorization Device are not directly connected and there are no technical mechanisms for the Authorization Device and Consumption Device to establish mutual authentication. It is left to the user to decide whether the source of the authorization request (the Consumption Device) should be trusted before they scan a QR code, enter a user code, or accept an authorization request pushed to their Authorization Device. The transfer of the authorization request and context between the Consumption Device and Authorization Device is done over an unauthenticated channel. The only mitigation against this unauthenticated channel is the user's judgement.
348
348
349
349
Cross-Device Consent Phishing (CDCP) attacks exploit the unauthenticated channel
350
350
between the Consumption Device and Authorization Device using social engineering
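Review bot: the capitalization fix ("Authorization device" to "Authorization Device") in the new line 347 is correct and matches the defined term, but the same paragraph's closing sentence, "The only mitigation against this unauthenticated channel is the user's judgement", now reads too strongly given that this very document goes on to specify authorization-server-side mitigations (short lived codes at 1031, one-time or limited use codes at 1036). Consider rewording to "In the protocols as specified, the only mitigation against this unauthenticated channel is the user's judgement", so the introduction does not appear to contradict the mitigations section.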
@@ -354,8 +354,8 @@ user's data.
354
354
Note: This document uses the terms "social engineering" and "phishing" as
355
355
described in the NIST Computer Security Resource Center Glossary {{NISTGlossary}}.
356
356
357
-
Several publications have emerged in the public domain ({{Exploit1}}, {{Exploit2}}, {{Exploit3}}, {{Exploit4}},
358
-
{{Exploit5}}, {{Exploit6}}), describing how the unauthenticated channel can be
357
+
Several publications have emerged in the public domain ({{ARTDCPHISH}}, {{DCFLOWPHISH}}, {{NEWDCPHISH}}, {{DEFCON29}},
358
+
{{DCATTACK}}, {{SQPHISH}}), describing how the unauthenticated channel can be
359
359
exploited using social engineering techniques borrowed from phishing. Unlike traditional
360
360
phishing attacks, these attacks don't harvest credentials. Instead, they skip the
361
361
step of collecting credentials by persuading users to grant authorization using
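Review bot: renaming the citation anchors from {{Exploit1}}..{{Exploit6}} to descriptive keys ({{ARTDCPHISH}}, {{DCFLOWPHISH}}, {{NEWDCPHISH}}, {{DEFCON29}}, {{DCATTACK}}, {{SQPHISH}}) is an improvement, but only the SQPHISH reference entry (title and author, lines 194-195) is visible in this diff. Please confirm that the other five new keys have matching entries in the references section and that no remaining {{ExploitN}} anchors are left anywhere in the draft, since an unresolved kramdown-rfc anchor will break the build. The order of the six references is preserved here and at 1157, which keeps the two lists consistent.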
@@ -1030,7 +1030,7 @@ Note: There are scenarios that require that authorization takes place in a diffe
1030
1030
### Short Lived/Timebound QR or User Codes {#Short-Lived-Timebound-Codes}
1031
1031
The impact of an attack can be reduced by making QR or user codes short lived. If an attacker obtains a short lived code, the duration during which the unauthenticated channel can be exploited is reduced, potentially increasing the cost of a successful attack. This mitigation can be implemented on the authorization server without changes to other system components.
1032
1032
1033
-
**Limitations:** There is a practical limit to how short a user code can be valid due to network latency and user experience limitations (time taken to enter a code, time to complete authentication, or time needed to re-enter codes or re-authenticate due to an error). More sophisticated Cross-Device Consent Phishing attacks counter the effectiveness of short lived codes by convincing a user to respond to a phishing e-mail and only request the QR or user code once the user clicks on the link in the phishing e-mail {{Exploit6}}.
1033
+
**Limitations:** There is a practical limit to how short a user code can be valid due to network latency and user experience limitations (time taken to enter a code, time to complete authentication, or time needed to re-enter codes or re-authenticate due to an error). More sophisticated Cross-Device Consent Phishing attacks counter the effectiveness of short lived codes by convincing a user to respond to a phishing e-mail and only request the QR or user code once the user clicks on the link in the phishing e-mail {{SQPHISH}}.
1034
1034
1035
1035
### One-Time or Limited Use Codes
1036
1036
By enforcing one-time use or limited use of user or QR codes, the authorization server can limit the impact of attacks where the same user code or QR code is sent to multiple victims. One-time use may be achieved by including a nonce or date-stamp in the user code or QR code which is validated by the authorization server when the user scans the QR code against a list of previously issued codes. This mitigation can be implemented on the authorization server without changes to other system components.
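Review bot: the Limitations paragraph at the new line 1033 describes an attacker who requests the code only after the victim clicks the phishing link, which means a short lifetime alone does not prevent the attack; the paragraph would be stronger if it ended by stating that short lived codes should be combined with the one-time or limited use codes mitigation that immediately follows (1036) rather than relied on in isolation. Also, the heading spells "Short Lived/Timebound" while the body uses "short lived" and "Cross-Device Consent Phishing"; pick one form of "short-lived" for the section.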
@@ -1154,7 +1154,7 @@ Some cross-device protocols are more susceptible to the exploits described in th
1154
1154
A standard to enable authorization on devices with constrained input capabilities (smart TVs, printers, kiosks). In this protocol, the user code or QR code is displayed or made available on the Consumption Device (smart TV) and entered on a second device (e.g., a mobile phone).
1155
1155
1156
1156
#### Susceptibility
1157
-
There are several reports in the public domain outlining how the unauthenticated channel may be exploited to execute a Cross-Device Consent Phishing attack ({{Exploit1}}, {{Exploit2}}, {{Exploit3}}, {{Exploit4}}, {{Exploit5}}, {{Exploit6}}).
1157
+
There are several reports in the public domain outlining how the unauthenticated channel may be exploited to execute a Cross-Device Consent Phishing attack ({{ARTDCPHISH}}, {{DCFLOWPHISH}}, {{NEWDCPHISH}}, {{DEFCON29}}, {{DCATTACK}}, {{SQPHISH}}).
1158
1158
1159
1159
#### Device Capabilities
1160
1160
There are no assumptions in the protocol about underlying capabilities of the device, making it a "least common denominator" protocol that is expected to work on the broadest set of devices and environments.
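Review bot: the Susceptibility subsection for the Device Authorization Grant at the new line 1157 consists only of the updated citation list and does not say what property of the protocol makes it susceptible. One sentence tying it back to the description at 1154, that the user code or QR code is displayed on the Consumption Device and entered on a second device with no binding between the two, would make this section self-contained instead of relying on the reader having absorbed the introduction at 347-361.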