Doesn't OAuth 2.0 PKCE Flow open the door to masquerading/phishing attacks?

550 views Asked by At

With OAuth 2.0 PKCE Flow for Installed App (e.g. a desktop app/cli/client library), it seems that nothing is preventing an attacker to:

  1. obtain client_id by using the original app (client_id is public and can be easily copied from browser bar/source code)
  2. make a fake app to mimic original app
  3. use the fake app to seduce the user to grant access and thus obtain a refresh token which essentially means full access within requested scopes

Without PKCE, it's hard to fake an app and obtain a refresh token because that would require an attacker to obtain client_secret. It seems to me that, although PKCE offers security improvements over implicit flow, it makes it so much easier to masquerade authentic apps that use OAuth 2.0?

I'm using googlecloudsdk (gcloud), it seems that it has client_id (and even many client_id/client_secret pairs) hard coded into the source code, which is distributed to the client. I doubt there's anything to stop attackers to fake gcloud and thus gain access to user's GCP environment (for proof, run gcloud auth login and it will show you the url in the console that an attacker needs.) Could anyone clarify/help me to understand what's going on?

2

There are 2 answers

0
Gary Archer On BEST ANSWER

Private URI schemes are probably the best you can do on desktop but are not perfect as you say. It is what I use for my Desktop Code Sample, but ideally I'd also like to resolve the above concern.

For mobile you can use Claimed HTTPS Schemes to solve the problem - see the answer I added to the post sllopis sent.

I would be aware of Updated OAuth 2.1 Guidance for Native Apps - see section 10 - but I don't think you can fully solve this problem.

It is expected that end users are careful about desktop apps they install, to reduce risks for this scenario. Hopefully operating system support will enable better cryptographic options in future.

0
Hounddog On

Just wanted to follow up on this because I had the same question myself, but also answered it myself and I wanted to add something that wasn't said here:

When you set up the application on the oauth2 server, you have to set up a number of redirect_uris, allowed places to return to after authorization is complete. This means that someone who creates a phishing attack like the one you described cannot return to their own app after login, and will never receive the code.

There is a separate attack where you try and return to a legitimate app from an illegitimate app, however this is solved by the inclusion of the state variable.