Security Notification: Pass the permission ticket vulnerability

Hi,

This is a notice of an identified vulnerability in the UMA 2 specification. Please refer to the attached documents for full details, including recommended next steps for mitigation if your implementation is affected.

Many thanks to Gabriel Corona for his efforts in finding, documenting and explaining these issues to us!

Please reach out if you'd like to discuss further.

Best,
- Alec

*Am I impacted?*

You are probably not impacted if UMA clients only interact with known resource and authorization services.

You might be impacted if the following are true:

* the UMA client is able to start flows with any UMA resource server
* the UMA client is able to start flows with any UMA authorization server
* the authorization server supports open dynamic registration of clients, without any pre-registration process or requirements for the client. In this case, you probably can't be sure that the client isn't a malicious AS.

Alec Laws
CTO Engineering | IDENTOS Inc.
(647)-822-1529 | alec@identos.ca
https://twitter.com/identos_inc | https://www.linkedin.com/company/identos-inc/

Attachments: malicious-as-disclosure.md, Pass-the-permission-ticket vulnerability-disclosure.md
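The notice says a client is probably safe when it only starts flows with known resource and authorization servers. As an added illustration (not code from the thread or from any UMA implementation), the gate below parses the UMA challenge a resource server returns (the `WWW-Authenticate: UMA realm=..., as_uri=..., ticket=...` form from the UMA 2.0 grant spec) and refuses to carry the permission ticket any further unless both the issuing resource server and the `as_uri` it names are on constructed allowlists; `TRUSTED_AS`, `TRUSTED_RS_HOSTS` and the helper names are assumptions.

```python
import re
from typing import Optional
from urllib.parse import urlsplit

# Constructed allowlists: the deployment decides up front which authorization
# servers and resource servers its UMA client may start flows with.
TRUSTED_AS = {"https://as.example.com"}
TRUSTED_RS_HOSTS = {"rs.example.com"}

# auth-param pairs of a WWW-Authenticate challenge, e.g. as_uri="https://..."
_PARAM_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_uma_challenge(header: str) -> dict:
    """Split a 'UMA realm="...", as_uri="...", ticket="..."' challenge
    into its parameters; raises if the scheme is not UMA."""
    scheme, _, params = header.strip().partition(" ")
    if scheme != "UMA":
        raise ValueError("not a UMA challenge")
    return dict(_PARAM_RE.findall(params))


def accept_challenge(rs_url: str, header: str) -> Optional[dict]:
    """Gate the start of a UMA flow. Returns the challenge parameters only
    if the resource server that issued the challenge and the authorization
    server it names (as_uri) are both known; otherwise returns None and the
    client must not present the ticket anywhere."""
    parts = urlsplit(rs_url)
    if parts.scheme != "https" or parts.hostname not in TRUSTED_RS_HOSTS:
        return None  # unknown or non-TLS resource server: do not start a flow
    try:
        params = parse_uma_challenge(header)
    except ValueError:
        return None
    as_uri = params.get("as_uri", "").rstrip("/")
    if as_uri not in TRUSTED_AS or not params.get("ticket"):
        return None  # unknown AS, or no ticket to work with
    return params
```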

Thanks, Alec (and Gabriel!). Is it possible to update the UMA wiki with this information? Thank you.

Eve Maler, president and founder
Cell and Signal +1 (425) 345-6756

_______________________________________________
A Community Group mailing list of KantaraInitiative.org
WG-UMA mailing list -- wg-uma@kantarainitiative.org
To unsubscribe send an email to staff@kantarainitiative.org
List archives -- https://mailman.kantarainitiative.org/hyperkitty/list/wg-uma@kantarainitiati...
Group wiki -- https://kantara.atlassian.net/wiki/spaces/WG-UMA

Great suggestion! The information is now available on this page: https://kantara.atlassian.net/wiki/spaces/uma/pages/932413451/Security+Notic...

Thanks,
- Alec

Alec Laws
CTO Engineering | IDENTOS Inc.
(647)-822-1529 | alec@identos.ca

Many thanks! I'll work to get the word out wider, using this link.

Eve Maler, president and founder
Cell and Signal +1 (425) 345-6756

Hi Eve, Hi Alec,

For reference, I have added the description on my web page as well:

https://www.gabriel.urdhr.fr/2025/03/18/uma-pass-the-permission-token/
https://www.gabriel.urdhr.fr/2025/03/18/uma-malicious-as/

This version includes sequence diagrams for illustration. Feel free to include the sequence diagrams in the wiki if you find it useful.

Regards,
Gabriel Corona