I make and sell BusKill laptop kill cords. Monero is accepted.

https://michaelaltfield.net

  • 11 Posts
  • 11 Comments
Joined 2 years ago
Cake day: June 12th, 2023
  • maltfield@monero.townOPtoCybersecurity@sh.itjust.worksWhy OAuth MUST share access token with 3rd party?!?English
    3·
    9 days ago

    https://blog.doyensec.com/2025/01/30/oauth-common-vulnerabilities.html

    I haven’t seen it. Thanks for sharing!

    afaik, it doesn’t cover this use-case (where the Resource Server [Stripe] just uses the wrong flow – forcing us to expose our access keys to a third party).

    But, curious, it lists 0 attacks for the OAuth Flow that Stripe should be using here = Client Credentials Flow.

    Edit: ahhhhh, this paragraph is elucidating

    The Authorization Code Flow is one of the most widely used OAuth flows in web applications. Unlike the Implicit Flow, which requests the Access Token directly to the Authorization Server, the Authorization Code Flow introduces an intermediary step. In this process, the User Agent first retrieves an Authorization Code, which the application then exchanges, along with the Client Credentials, for an Access Token. This additional step ensures that only the Client Application has access to the Access Token, preventing the User Agent from ever seeing it.

    I confirmed that Stripe is using the Authorization Code Flow

    curl https://connect.stripe.com/oauth/token \
-u sk_test_MgvkTWK1jRG3olSRx9B7Mmxo: \
-d “code”=”ac_123456789” \
-d “grant_type”=”authorization_code”

    …but it does appear to be using the wrong OAuth Flow type. They give the token to us in the end. There’s no need to expose it to a third party.

    So I guess “choosing the wrong flow type” would be a valid addition to the “attacks” section under Authorization Code Flow

  • maltfield@monero.townOPtoCybersecurity@sh.itjust.worksWhy OAuth MUST share access token with 3rd party?!?English
    3·
    8 days ago

    Thanks. It’s a good guess, but that’s not the case.

    The developers confirmed that the only place the OAuth access tokens are stored is on my server. Of course, the dev’s server (which sees the [non-expiring!] access keys for >800,000 Stripe Accounts!) would be a ripe target for someone malicious. But it’s not designed to store the keys there. All subsequent connections to the Stripe API are done directly between my server and Stripe’s server (with no intermediary “platform”). The token is only exposed to the dev server when OAuth flow is first established. Then the dev server (effectively a MITM, by design) sends it down to my server for storing and future use.

    PCI compliance on my server isn’t an issue because all sensitive payment information is tokenized.

    The reason this is done is because Stripe doesn’t allow the redirect during the OAuth flow to be dynamic. It must be a predefined value that’s hard-coded into the app.

    For security purposes, Stripe redirects a user only to a predefined URI.

    That’s why Stripe forces you to expose your access tokens to the developer’s servers.

    I’d still appreciate if someone with more experience with OAuth than me knows if this is common. Seems like a very bad design decision to require users to transmit their bearer tokens through the developer’s servers.

    Update: It looks like you’re describing their “Platform” option. In 2025, there’s 3 “authentication types” for Stripe Apps, as documented here

    1. Platform
    2. OAuth 2.0
    3. Restricted API Keys

    In this case, I’m talking about OAuth 2.0 (Stripe Connect), not “Platform”