Update : Latest OAuth2 Hack DOESN'T impact UAA and CloudFoundry


Sree Tummidi
 

Hello All,

There has been some news lately about an OAuth2 Hack which affects billions
of Android Apps. You can get more information here:
<http://securityaffairs.co/wordpress/53081/hacking/oauth-2-0-attack.html>

At a high level, the exploit relates to OAuth Relying Parties (aka
Applications) *not validating* the token coming from Identity Providers like
Facebook and Google and, in some cases, relying on the userid as a proof of
authentication instead of the token. It also affects OAuth Authorization
Server implementations which use trivially forgeable tokens like user ids.

Tokens issued by the UAA are either Signed JWTs or Opaque strings which
cannot be derived from known entities like User IDs or Client IDs.
The components in Cloud Foundry like the Cloud Controller API validate the
Signature, Issuer and the Audience and *are not vulnerable*.
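As an added illustration of the two patterns contrasted above (not code from UAA or Cloud Foundry, and not part of the original message), the script below issues a small JWT and checks it two ways: a naive relying party that trusts the user id carried in the token body, and a validating one that checks the signature, the issuer and the audience before accepting the identity. The signing key, issuer URL, audience name and claim names are all constructed for the demo; UAA signs with RSA keys rather than the HMAC secret used here, and a real relying party would verify against the issuer's published public key.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed demo values: a real relying party would use the IdP's public key
# and the issuer/audience values configured for that deployment.
DEMO_SECRET = b"constructed-demo-secret-not-a-real-key"
EXPECTED_ISSUER = "https://uaa.example.com/oauth/token"   # assumed issuer URL
EXPECTED_AUDIENCE = "cloud_controller"                    # assumed audience name


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def issue_token(claims: dict, secret: bytes = DEMO_SECRET) -> str:
    """Issue an HS256-signed JWT for the given claims (demo issuer)."""
    header = {"alg": "HS256", "typ": "JWT"}
    header_b64 = _b64url_encode(json.dumps(header, separators=(",", ":")).encode())
    payload_b64 = _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    signing_input = f"{header_b64}.{payload_b64}".encode()
    sig = hmac.new(secret, signing_input, hashlib.sha256).digest()
    return f"{header_b64}.{payload_b64}.{_b64url_encode(sig)}"


def tamper_user_id(token: str, new_user_id: str) -> str:
    """Rewrite the user_id claim while keeping the original signature."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    payload = json.loads(_b64url_decode(payload_b64))
    payload["user_id"] = new_user_id
    new_payload_b64 = _b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    return f"{header_b64}.{new_payload_b64}.{sig_b64}"


def naive_relying_party(token: str) -> Optional[str]:
    """The vulnerable pattern: trust the user id in the body, verify nothing."""
    try:
        payload = json.loads(_b64url_decode(token.split(".")[1]))
        return payload.get("user_id")
    except (ValueError, IndexError):
        return None


def validate_token(token: str, secret: bytes = DEMO_SECRET,
                   now: Optional[float] = None) -> Optional[dict]:
    """Accept the token only if signature, issuer, audience and expiry check out."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(header_b64))
        payload = json.loads(_b64url_decode(payload_b64))
        sig = _b64url_decode(sig_b64)
    except ValueError:          # bad base64, bad UTF-8 or bad JSON
        return None
    # Pin the algorithm: never let the token choose (blocks alg=none downgrades).
    if header.get("alg") != "HS256":
        return None
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        return None
    # Issuer check: the token must come from the IdP we trust.
    if payload.get("iss") != EXPECTED_ISSUER:
        return None
    # Audience check: a valid token minted for another app is still not ours.
    aud = payload.get("aud")
    aud_list = aud if isinstance(aud, list) else [aud]
    if EXPECTED_AUDIENCE not in aud_list:
        return None
    exp = payload.get("exp")
    now = time.time() if now is None else now
    if not isinstance(exp, (int, float)) or exp <= now:
        return None
    return payload


if __name__ == "__main__":
    good = issue_token({"iss": EXPECTED_ISSUER, "aud": [EXPECTED_AUDIENCE],
                        "user_id": "user-123", "exp": 2000000000})
    forged = tamper_user_id(good, "admin-999")
    print("naive RP sees forged user:", naive_relying_party(forged))
    print("validating RP accepts forged token:", validate_token(forged) is not None)
```

The forged token keeps the issuer's real signature over the old body, so a relying party that only reads `user_id` is fooled, while the validating path rejects it at the signature step; a token that is correctly signed but minted for a different audience is likewise rejected, which is the substitution case the audience check exists for.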


Thanks,
Sree Tummidi
Staff Product Manager
Identity - Pivotal Cloud Foundry
