Tags: google-oauth, facebook-oauth, oauth-2.0

What are the security risks of Implicit flow


Implicit flow is considered to be insecure. I'm aware of two problems:

  1. Confused deputy. But to overcome it you just need to check whether access_token was given to your application. Not a big deal.
  2. XSS attack. So if our access_token was stolen via an XSS attack, it can be used to make requests (that are part of the scope we originally requested). It sucks, but it's hard to steal the access_token as most likely we had it only on our login page and didn't store it in app state, as it's short-lived (I guess that's why the Implicit workflow does not support refresh tokens).

It doesn't look too bad. Are there any other security vulnerabilities that I'm not aware of?


Solution

  • The correct statement should be

    implicit flow is insecure relative to the code flow.

    If an attacker wants to steal user access tokens from an app using the code flow, then the attacker has to break into the server network and either uncover the app secret or eavesdrop on the network traffic from the server to Google (which is HTTPS) to get hold of the access token.

    In the implicit flow the access token resides in the browser. In this case there are many other possibilities for an attacker to steal tokens without having to compromise a network.

    • XSS (as you already explained)
    • Confused deputy problem (as you already explained)
    • Session fixation issues (using user A's token in user B's session; see https://www.facebook.com/FacebookforDevelopers/videos/10152795636318553/ )
    • redirect_url parameter manipulation
    • (possible) token leakage with referrer header
    • Various phishing and social engineering possibilities to trick the users to leak their access token (easier than asking for their password)

    But as you said, it is straightforward to mitigate all those errors if you are a security aware developer. But still there is a chance for these vulnerabilities if you implement the implicit flow. Therefore it might be a good idea if you don't deliver the token to browser and handle the token in a server side component (code flow).