MAFA Mistaking AUTHN for AUTHZ
Session Topic: MAFA Mistaking AUTHN for AUTHZ
Convener: Alan Karp
Notes-taker: Alan Karp
Discussion notes, key understandings, outstanding questions, observations, and, if appropriate to this discussion: action items, next steps:
We discussed a simple mistake that should never happen. However, it happens often enough to have been named, Mistaking Authentication for Authorization. It showed up in the non-normative material in the UMA spec, and has been found in several popular password managers. The question is, why does this simple error get through security reviews.
To illustrate the problem, consider a rental car reservation. Somewhere under the covers of the UI, some code says
- confNo = carCompany.book(bookingData)
and the UI shows
- Confirmation Number: 8376BA
When you want to upgrade to a fullsize car, the user fills in a form specifying the confirmation number and the new car size,
- Confirmation Number: 8276BA
Car Size: Full
Under the convers there is code something like
The error occurs when the system checks the user’s authentication to verify permission to invoke the changeCar method but does not check to see if the user has permission for the specified confirmation number. Notice, the typo in the confirmation number. The result is that the wrong reservation gets changed. See, I said it was a silly error.
Although most of the few attendees at this session disagree, I believe the error happens because the confirmation number designates a protected resource, but it looks like pure data, which makes it easier to miss the access check.
For other reasons, I have been proposing that we treat resources, such as the car reservation, the same way we treat services, such as carCompany. That way the relevant code becomes
- confSR = carCompany.book(bookingData)
Because we see a method being invoked on confSR, we are more likely to recognize that it is a protected resource and needs an access check.