Update : Latest OAuth2 Hack DOESN'T impact UAA and CloudFoundry
Sree Tummidi
Hello All,
There has been some news lately about an OAuth2 hack which affects billions of Android apps. You can get more information here: <http://securityaffairs.co/wordpress/53081/hacking/oauth-2-0-attack.html>

At a high level the exploit relates to OAuth Relying Parties (aka Applications) *not validating* the token coming from Identity Providers like Facebook and Google, and in some cases relying on the user id as proof of authentication instead of the token. It also affects OAuth Authorization Server implementations which use trivially forgeable tokens like user ids.

Tokens issued by the UAA are either signed JWTs or opaque strings which cannot be derived from known entities like User IDs or Client IDs. The components in Cloud Foundry like the Cloud Controller API validate the Signature, Issuer and the Audience and *are not vulnerable*.

Thanks,
Sree Tummidi
Staff Product Manager Identity - Pivotal Cloud Foundry