Bypassing GitHub’s OAuth flow | Teddy Katz’s Blog


22 bookmarks. First posted by hellsten 6 days ago.


RT : fun inconsistency in how rails handles HEAD requests led to an OAuth bypass in github:
from twitter
14 hours ago by rjw1
RT : This is a GREAT bug.
from twitter
5 days ago by ciphpercoder
For the past few years, security research has been something I’ve done in my spare time. I know there are people that make a living off of bug bounty programs,…
from instapaper
6 days ago by hiroprot
This is a GREAT bug.
from twitter_favs
6 days ago by connolly
This is a GREAT bug.
from twitter_favs
6 days ago by ndkv
RT : This is a GREAT bug.
from twitter
6 days ago by Xylakant
RT : I wrote a blog post about that time I broke GitHub's OAuth flow
from twitter
6 days ago by acdha
RT : This is a GREAT bug.
from twitter
6 days ago by turkeylurkey
Bypassing GitHub's OAuth flow
authentication  oauth 
6 days ago by kravietz
request, the expected semantics are, “pretend this is a GET request, but only send back response headers without a response body”. This has a few niche uses. For example, a client can send a HEAD request to check the size of a large file (via the Content-Length response header) before deciding whether it wants to start downloading the file.

Naturally, people writing web apps usually don’t want to take the time to implement behavior for HEAD requests. Getting a product that works is...
6 days ago by osamu.fujimoto
What happens if we send an authenticated HEAD request to https://github.com/login/oauth/authorize? We’ve concluded that the router will treat it like a GET request, so it will get sent to the controller. But once it’s there, the controller will realize that it’s not a GET request, and so the request will be handled by the controller as if it was an authenticated POST request. As a result, GitHub will find the OAuth app specified in the request, and grant it access to the authenticated user’s data.

Why is this useful? Well, GitHub’s CSRF protection requires all authenticated POST requests to include a CSRF token. But HEAD requests don’t need a CSRF token, since they’re not supposed to have side-effects. So we can send a cross-site authenticated HEAD request that will give arbitrary OAuth permissions, without showing the user a confirmation page at all.

As a result, if a user visited an attacker’s website, the attacker could arbitrarily read or modify private data in the user’s GitHub account. Here’s a proof-of-concept (which no longer works because the issue has been patched).

I reported this issue to GitHub’s bug bounty program, and they shipped a fix to production in about three hours. I also got a $25000 bounty (!), which at the time was the highest bounty ever from GitHub’s program.
github  head  security  hacking  oauth  bounty 
6 days ago by hellsten
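The excerpt above explains the bug as a disagreement between two layers: the router dispatches HEAD down the GET route, the CSRF filter skips HEAD because it is assumed to be side-effect free, and the controller then branches on "is this a GET?" and falls into the consent-granting path. The following Ruby script is an added illustration, not code from the blog post, from GitHub or from Rails: it models that stack with a few constructed objects (a `Request` struct, a `route` table, a `csrf_ok?` filter modelled on the GET/HEAD exemption in Rails' forgery protection) and runs the same four requests through a controller with the described branching and through a hardened one that answers HEAD as a read-only GET and grants only on an explicit POST. All names, routes and the scenario data are assumptions of the example.

```ruby
# Added example: stand-alone simulation of the HEAD/GET inconsistency.
# Nothing here is Rails or GitHub source; the router, CSRF filter and
# controllers are simplified assumptions written to show the failure
# mode and the hardened shape side by side.
require 'securerandom'

# Constructed request object with the predicates a Rails-style controller uses.
Request = Struct.new(:http_method, :params, :session, keyword_init: true) do
  def get?;  http_method == 'GET';  end
  def head?; http_method == 'HEAD'; end
  def post?; http_method == 'POST'; end
end

# Router: as in the excerpt, a HEAD request is dispatched to the GET route,
# so GET, HEAD and POST all reach the same controller action.
ROUTES = { 'GET' => :authorize, 'POST' => :authorize }.freeze

def route(req)
  ROUTES[req.head? ? 'GET' : req.http_method]
end

# CSRF filter modelled on the usual forgery-protection rule: GET and HEAD are
# assumed safe and skip the check; every other method must carry the token.
def csrf_ok?(req)
  return true if req.get? || req.head?
  req.params['authenticity_token'] == req.session[:csrf_token]
end

# Controller with the branching the excerpt describes: "GET shows the consent
# page, anything else is the consent form submission".
class VulnerableAuthorizeController
  attr_reader :grants
  def initialize; @grants = []; end

  def authorize(req)
    return [403, 'invalid CSRF token'] unless csrf_ok?(req)
    if req.get?
      [200, "consent page for app #{req.params['client_id']}"]
    else
      # HEAD lands here: routed like a GET, exempted from CSRF, then treated
      # as a form submission. No consent page was ever shown.
      @grants << { user: req.session[:user], client_id: req.params['client_id'] }
      [302, 'redirect with authorization code']
    end
  end
end

# Hardened controller: HEAD is answered exactly like GET (read-only, no body),
# and only an explicit, CSRF-checked POST can grant access.
class HardenedAuthorizeController
  attr_reader :grants
  def initialize; @grants = []; end

  def authorize(req)
    return [403, 'invalid CSRF token'] unless csrf_ok?(req)
    if req.get? || req.head?
      body = "consent page for app #{req.params['client_id']}"
      [200, req.head? ? '' : body]
    elsif req.post?
      @grants << { user: req.session[:user], client_id: req.params['client_id'] }
      [302, 'redirect with authorization code']
    else
      [405, 'method not allowed']
    end
  end
end

# Drive a controller with four constructed requests from one logged-in session:
# a consent page load, a real consent submission, a cross-site POST without the
# token, and a cross-site HEAD. Returns the responses and the recorded grants.
def run_scenario(controller_class)
  controller = controller_class.new
  session = { user: 'alice', csrf_token: SecureRandom.hex(16) }
  send = lambda do |method, params|
    req = Request.new(http_method: method, params: params, session: session)
    action = route(req) or return [404, 'no route']
    controller.public_send(action, req)
  end
  {
    get:             send.call('GET',  { 'client_id' => 'good-app' }),
    post_with_token: send.call('POST', { 'client_id' => 'good-app',
                                         'authenticity_token' => session[:csrf_token] }),
    post_no_token:   send.call('POST', { 'client_id' => 'evil-app' }),
    head:            send.call('HEAD', { 'client_id' => 'evil-app' }),
    grants:          controller.grants.map { |g| g[:client_id] }
  }
end

if __FILE__ == $PROGRAM_NAME
  [VulnerableAuthorizeController, HardenedAuthorizeController].each do |klass|
    puts "#{klass}: #{run_scenario(klass).inspect}"
  end
end
```

The cross-site POST is rejected by both controllers, which is exactly why the HEAD path matters: it passes the same filter without a token and, in the first controller, records a grant for `evil-app`. The hardened version keeps the CSRF exemption for HEAD (it is a legitimate safe method) but makes the controller agree with the router that HEAD is a GET, so the only route to a grant is a token-bearing POST.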