On Mar 19, 2025, at 8:18 AM, Alec L <alec@identos.ca> wrote:
Great suggestion! The information is now available on this page: https://kantara.atlassian.net/wiki/spaces/uma/pages/932413451/Security+Notice+Pass+the+Permission+Ticket
Thanks,
- Alec
Alec Laws
CTO, Engineering | IDENTOS Inc.
(647)-822-1529
alec@identos.ca
On Tue, Mar 18, 2025 at 12:47 PM Eve Maler <eve@vennfactory.com> wrote:
Thanks, Alec (and Gabriel!). Is it possible to update the UMA wiki with this information? Thank you.
Eve Maler, president and founder
Cell and Signal +1 (425) 345-6756
On Mar 18, 2025, at 7:57 AM, Alec L via WG-UMA <wg-uma@kantarainitiative.org> wrote:
Attachments: malicious-as-disclosure.md, Pass-the-permission-ticket vulnerability-disclosure.md

Hi,
This is a notice of an identified vulnerability in the UMA 2 specification. Please refer to the attached documents for full details, including recommended next steps for mitigation if your implementation is affected.
Many thanks to Gabriel Corona for his efforts in finding, documenting and explaining these issues to us!
Please reach out if you'd like to discuss further,
Best,
- Alec
Am I impacted?
You are probably not impacted if UMA clients only interact with known resource and authorization services.
You might be impacted if the following are true:
* the UMA client is able to start flows with any UMA resource server
* the UMA client is able to start flows with any UMA authorization server
* the authorization server supports open dynamic registration of clients, without any pre-registration process or requirements for the client. In this case, you probably can't be sure that the client isn't a malicious AS
Alec Laws
CTO, Engineering | IDENTOS Inc.
(647)-822-1529
alec@identos.ca
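The first two conditions in the checklist above describe a client that will start a flow with whichever resource or authorization server it happens to be pointed at. As an added example (not code from the attached disclosures, from IDENTOS, or from the UMA specification), here is how a UMA 2 client can enforce the "only known resource and authorization servers" condition: it parses the `WWW-Authenticate: UMA` challenge the resource server returns and refuses to forward the permission ticket unless both the resource server and the `as_uri` named in the challenge are on a configured allowlist. The challenge parameter names (`realm`, `as_uri`, `ticket`) follow the UMA 2 Grant specification; the allowlist values, sample headers and function names are constructed for this example.

```python
import re
from urllib.parse import urlsplit

# Constructed allowlists for this example: the servers this deployment has
# actually onboarded. A client that accepts anything else is in the
# "might be impacted" category of the checklist.
KNOWN_AUTHORIZATION_SERVERS = {"https://as.example.com"}
KNOWN_RESOURCE_SERVERS = {"https://rs.example.com"}

# auth-param tokens of the form name="value" inside the challenge
_PARAM_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_uma_challenge(header):
    """Parse a UMA 2 WWW-Authenticate challenge into a dict of its parameters.

    Per UMA 2 Grant the resource server answers an unauthorized request with
        WWW-Authenticate: UMA realm="...", as_uri="...", ticket="..."
    Returns None when the challenge scheme is not UMA.
    """
    scheme, _, params = header.strip().partition(" ")
    if scheme != "UMA":
        return None
    return dict(_PARAM_RE.findall(params))


def normalize_origin(url):
    """Reduce a URL to scheme://host[:port]; only https origins are accepted."""
    parts = urlsplit(url)
    if parts.scheme != "https" or not parts.netloc:
        return None
    return f"{parts.scheme}://{parts.netloc.lower()}"


def check_challenge(resource_url, header,
                    known_as=KNOWN_AUTHORIZATION_SERVERS,
                    known_rs=KNOWN_RESOURCE_SERVERS):
    """Decide whether the client may present this permission ticket.

    Returns (allowed, reason, as_uri). The ticket is only ever sent to an
    authorization server the client was configured to trust, and only when
    it came from a resource server the client was configured to trust.
    """
    rs_origin = normalize_origin(resource_url)
    if rs_origin not in known_rs:
        return (False, f"resource server {rs_origin!r} not in allowlist", None)

    challenge = parse_uma_challenge(header)
    if challenge is None:
        return (False, "not a UMA challenge", None)

    ticket = challenge.get("ticket")
    as_uri = challenge.get("as_uri")
    if not ticket or not as_uri:
        return (False, "challenge missing ticket or as_uri", None)

    as_origin = normalize_origin(as_uri)
    if as_origin not in known_as:
        # This is the check that stops a ticket from being handed to an
        # authorization server the deployment never onboarded.
        return (False, f"authorization server {as_uri!r} not in allowlist", as_uri)

    return (True, "ok", as_uri)


if __name__ == "__main__":
    # Constructed sample challenges
    good = 'UMA realm="example", as_uri="https://as.example.com", ticket="016f84e8-f9b9-11e0-bd6f-0021cc6004de"'
    rogue = 'UMA realm="example", as_uri="https://as.attacker.example", ticket="016f84e8-f9b9-11e0-bd6f-0021cc6004de"'
    print(check_challenge("https://rs.example.com/photos/1", good))
    print(check_challenge("https://rs.example.com/photos/1", rogue))
    print(check_challenge("https://unknown.example.org/photos/1", good))
```

The third checklist item is an authorization-server-side setting (open dynamic client registration) and is not something a client can detect from the challenge; it has to be closed by requiring pre-registration or an equivalent onboarding step at the AS.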
A Community Group mailing list of KantaraInitiative.org
WG-UMA mailing list -- wg-uma@kantarainitiative.org
To unsubscribe send an email to staff@kantarainitiative.org
List archives -- https://mailman.kantarainitiative.org/hyperkitty/list/wg-uma@kantarainitiative.org/
Group wiki -- https://kantara.atlassian.net/wiki/spaces/WG-UMA