Replay Attack on TypeKey?

   23 November 2004, evening time

TypeKey is the comment authentication system from Movable Type. (I have written about TypeKey before.) When you go to a site that uses TypeKey, you can log in to TypeKey, and it sends information back to the site you are visiting that can be used to verify you are who you say you are. This is the primary purpose of TypeKey.

As I understand it, the system works roughly as follows:

  1. I go to a site that uses TypeKey and click on a login link.
  2. This should send me to the TypeKey login page. This connection is secure. No one should be able to see me enter my username and password.
  3. A URL is supplied with the link that took me to the login page, and this is the URL I am redirected back to. This URL contains the authentication token, and more often than not, this request will be made in the clear—i.e. not using an SSL connection.
  4. The web site will verify the token that was sent back is valid.
  5. If the token is valid, I have authenticated myself to the site. I can now post a comment.

The URL I am redirected back to can be used by someone else to log in to the same site I just logged into. TypeKey actually includes a time stamp as one of the values that it signs when authenticating a user. This limits the amount of time a token should be treated as valid. However, because of network latency, most sites will need to allow a token to be used for at least a few seconds. I imagine with concerted effort one could abuse the fact that a token is valid for a short period of time.

On my system I can log in to a TypeKey-powered site in Safari, copy the URL TypeKey redirects me to from Safari to Firefox, and thereby log in to the same site in Firefox without entering any of my information. This is essentially a replay attack, albeit a stupid one. A more interesting attack would be to monitor the traffic coming out of somebody’s computer, waiting for a TypeKey login URL, grabbing the URL, and using it to connect to the site the authorization request was made for. Doing so we could trick the site into thinking we are someone we are not.

The above would imply that TypeKey doesn’t meet its primary goal. I was hoping someone who reads this site could confirm whether or not this is a flaw one could exploit. If the token sent back for authentication was not sent in the clear, this wouldn’t be an issue. Opinions anyone?
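To make the window concrete, here is an added example (not code from TypeKey or Movable Type) that models the flow above: the identity provider signs the user fields plus a timestamp, the site verifies the signature and age, and the same return URL is then presented a second time. It assumes the parameter names (email, name, nick, ts, sig), a five-second tolerance, and an HMAC as a stand-in for the service's real public-key signature; the "single use" verifier is the mitigation a site can apply on its own, by refusing a signature it has already accepted.

```python
import hmac
import hashlib
from urllib.parse import urlparse, parse_qs, urlencode

# Constructed demo key. The real service signs with a public-key algorithm;
# an HMAC over the same fields is used so this runs offline.
SIGNING_KEY = b"constructed-demo-key"
MAX_TOKEN_AGE = 5  # seconds a site tolerates for network latency (assumption)


def sign(email, name, nick, ts):
    """Signature over the fields the token vouches for, including the timestamp."""
    msg = "::".join([email, name, nick, str(ts)]).encode()
    return hmac.new(SIGNING_KEY, msg, hashlib.sha1).hexdigest()


def issue_return_url(return_to, email, name, nick, ts):
    """Step 3: the URL the provider redirects the browser back to, token included."""
    params = {"email": email, "name": name, "nick": nick, "ts": ts,
              "sig": sign(email, name, nick, ts)}
    return return_to + "?" + urlencode(params)


class Verifier:
    """Step 4 as a site implements it; single_use adds a replay check."""

    def __init__(self, single_use):
        self.single_use = single_use
        self.seen = set()  # signatures already accepted

    def verify(self, url, now):
        q = {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}
        try:
            ts = int(q["ts"])
        except (KeyError, ValueError):
            return False
        expected = sign(q.get("email", ""), q.get("name", ""), q.get("nick", ""), ts)
        if not hmac.compare_digest(q.get("sig", ""), expected):
            return False  # tampered fields or forged token
        if now - ts > MAX_TOKEN_AGE or ts > now + 1:
            return False  # stale token (small future skew allowed: assumption)
        if self.single_use:
            if q["sig"] in self.seen:
                return False  # same token presented twice: replay
            self.seen.add(q["sig"])
        return True


def demo():
    """Returns which logins each verifier accepts; times are constructed."""
    url = issue_return_url("http://site.example/mt-comments.cgi",
                           "alice@example.invalid", "Alice", "alice", 1000)
    ts_only, single = Verifier(single_use=False), Verifier(single_use=True)
    return {"first": ts_only.verify(url, 1001),
            "replay_in_window": ts_only.verify(url, 1003),   # the Safari-to-Firefox copy
            "replay_late": ts_only.verify(url, 1020),
            "single_first": single.verify(url, 1001),
            "single_replay": single.verify(url, 1003)}
```

The timestamp alone only shrinks the window; without the single-use check the copied URL still logs in for as long as the site's latency allowance lasts.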


Comments

  1. After I finished writing this up, I found this article on the same subject.

  2. My knowledge regarding this is very limited but with a basic understanding of security, I can vouch that it is not that critical. Packet sniffing the token (or the URL) may not be physically impossible, but it is clearly not very likely. Except in the event that you are away from the computer (right after you have logged into TypeKey) and somebody hops on and impersonates you. But it is a danger. It just depends on your perspective.

    I remember when TypeKey was announced, many folks voiced that PGP would be better suited for such authentication. I am sure we will be moving on that path. Anil mentioned once that “authentication is here to stay”. Might as well do it right.

    BTW, your description of this problem is very clear and without jargon. Makes it very easy to understand for laymen like me.

  3. I don’t know if it is as clear as I would like, but I did try. And I’m pretty sure you can run packet sniffers in promiscuous mode, and could search for TypeKey URLs in this way. That said, I also don’t think this is a serious exploit. It was really just an interesting diversion for the evening.

  4. I’ve seen a slew of websites like that. There are negatives to the situation. For example, networked computers whose other operators have access to the ‘documents and settings’ area of said Windoze comp. Very few people actually realize how much about their usage can be gleaned from that bastion of personal information.

  5. I like your site!

    casino en ligne
    kasino
    kasino online
    ecommerce website design

  6. Thanks Spam-Man, I like it too.
