MAFA Mistaking AUTHN for AUTHZ

From IIW

Session Topic: MAFA Mistaking AUTHN for AUTHZ

Tuesday 2H

Convener: Alan Karp

Notes-taker: Alan Karp

Discussion notes, key understandings, outstanding questions, observations, and, if appropriate to this discussion: action items, next steps:

We discussed a simple mistake that should never happen. However, it happens often enough to have been given a name: Mistaking Authentication for Authorization. It showed up in the non-normative material in the UMA spec, and has been found in several popular password managers. The question is, why does this simple error get through security reviews?

To illustrate the problem, consider a rental car reservation. Somewhere under the covers of the UI, some code says

confNo = carCompany.book(bookingData)

and the UI shows

Confirmation Number: 8376BA

When the user wants to upgrade to a full-size car, they fill in a form specifying the confirmation number and the new car size:

Confirmation Number: 8276BA

Car Size: Full

Under the covers there is code something like

carCompany.changeCar("8276BA", "full")

The error occurs when the system checks the user's authentication to verify permission to invoke the changeCar method but does not check whether the user has permission for the specified confirmation number. Notice the typo in the confirmation number. The result is that the wrong reservation gets changed. See, I said it was a silly error.

Although most of the few attendees at this session disagree, I believe the error happens because the confirmation number designates a protected resource, but it looks like pure data, which makes it easier to miss the access check.

For other reasons, I have been proposing that we treat resources, such as the car reservation, the same way we treat services, such as carCompany. That way the relevant code becomes

confSR = carCompany.book(bookingData)
confSR.changeCar(“full”)

Because we see a method being invoked on confSR, we are more likely to recognize that it is a protected resource and needs an access check.
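A worked version of the three shapes of changeCar discussed above, added to these notes as an illustration and not code from the session: change_car_mafa authenticates the caller and then trusts the confirmation number as data, change_car adds the ownership check, and reservation_ref turns the bare confirmation number into a ReservationRef object in one place so the access check cannot be forgotten. The session tokens, user names and confirmation-number format are constructed for the example.

```python
import secrets
from dataclasses import dataclass

@dataclass
class Reservation:
    owner: str
    car_size: str = "compact"

class ReservationRef:
    """Resource treated like a service: only the owner is ever handed one."""
    def __init__(self, reservation: Reservation):
        self._r = reservation
    def change_car(self, size: str) -> None:
        self._r.car_size = size

class CarCompany:
    def __init__(self):
        self.reservations: dict[str, Reservation] = {}
        # constructed session tokens standing in for real login
        self.sessions = {"token-alice": "alice", "token-bob": "bob"}

    def _authenticate(self, token: str) -> str:
        """AUTHN only: who is calling, nothing about what they may touch."""
        if token not in self.sessions:
            raise PermissionError("not authenticated")
        return self.sessions[token]

    def book(self, token: str, size: str = "compact") -> str:
        user = self._authenticate(token)
        conf_no = secrets.token_hex(3).upper()  # e.g. "8376BA"
        self.reservations[conf_no] = Reservation(user, size)
        return conf_no

    def change_car_mafa(self, token: str, conf_no: str, size: str) -> None:
        """The bug from the notes: AUTHN passes, conf_no is trusted as data."""
        self._authenticate(token)
        self.reservations[conf_no].car_size = size  # any conf_no, any owner

    def reservation_ref(self, token: str, conf_no: str) -> ReservationRef:
        """The one place a bare designator becomes a protected resource."""
        user = self._authenticate(token)
        r = self.reservations.get(conf_no)
        if r is None or r.owner != user:
            raise PermissionError("no permission for this reservation")
        return ReservationRef(r)

    def change_car(self, token: str, conf_no: str, size: str) -> None:
        """Fixed: AUTHZ via the ref, the caller must own the reservation."""
        self.reservation_ref(token, conf_no).change_car(size)
```

With the MAFA version, a mistyped (or guessed) confirmation number silently changes someone else's reservation; with the ref-based version, the same call raises PermissionError before any state changes.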