WebAuthenticationBroker.AuthenticateAsync Verification?

  • Question

  • Hello Community,

    I just set up (rather quickly, I might add) a Windows Store application that was able to authenticate with Facebook using the SDK found here:

    http://csharpsdk.org/

    As part of the authentication process, the application makes use of a call to WebAuthenticationBroker.AuthenticateAsync.

    I'm curious about this mechanism in Windows Store application development, and what sort of verification/security measures there are around it.  That is, all that is presented to the user is that it is "Connecting to a Service."  But there's no way for my user to see what page/URL is being accessed and/or to view a security certificate to verify its location.

    Conceivably, I could simply phish my user's credentials by forwarding them to a URL that looks exactly like a Facebook authentication page, take their credentials, and then pass them along to the "real" page.

    Any guidance/insight into this matter would be greatly appreciated.

    Thank you,

    Michael

    Saturday, December 8, 2012 1:48 AM

Answers

  • OK - I asked. There's no built-in security mechanism for this.  Should there be?  I'm not sure. I think that whenever you install an application from anywhere, there's an implied risk when you give information to that application.  If you're *that* concerned about your Facebook credentials, don't share them with any third-party apps.  

    If you have serious concerns with this argument, please put together a security threat matrix and I will submit a bug for v.Next.

    Matt Small - Microsoft Escalation Engineer - Forum Moderator
    If my reply answers your question, please mark this post as answered.

    NOTE: If I ask for code, please provide something that I can drop directly into a project and run (including XAML), or an actual application project. I'm trying to help a lot of people, so I don't have time to figure out weird snippets with undefined objects and unknown namespaces.

    Monday, March 11, 2013 2:23 PM
    Moderator

All replies

  • Hi Michael,

    Can you offer me the code segment you use? You can assign the Uri value as parameter to the WebAuthenticationBroker.AuthenticateAsync method:
    var r = await WebAuthenticationBroker.AuthenticateAsync(WebAuthenticationOptions.UseTitle, new Uri("URLStr"));

    Wednesday, December 12, 2012 10:40 AM
  • Hello Tester,

    Thank you for your reply.  Here is the code from the sample available at the link above:

    WebAuthenticationResult WebAuthenticationResult = await WebAuthenticationBroker.AuthenticateAsync(
                                                            WebAuthenticationOptions.None,
                                                            loginUrl,
                                                            endUri);

    As you can see, the loginUrl can be any URI that I provide, conceivably to a phishing website that looks like Facebook's login.  Is there a security measure being taken against this sort of activity?

    Thank you,

    Michael

    Wednesday, December 12, 2012 1:33 PM
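For reference, here is that call written out end to end, as an added example; it is not code from this thread or from the csharpsdk.org SDK. The app ID, the requested scope, the host check on the returned URL and the `state` round-trip are assumptions added here. It makes the thread's point concrete: both `loginUri` and `endUri` are chosen by the app, and the broker's result only reports which URL it stopped on. The host check in `ExtractAccessToken` is something the developer opts into, so it guards a well-behaved app against a tampered redirect, but a malicious app would simply not do it.

```csharp
using System;
using System.Threading.Tasks;
using Windows.Security.Authentication.Web;

// Added example, not code from the thread or from csharpsdk.org.
// Facebook's "implicit" OAuth flow driven through WebAuthenticationBroker.
// The app picks loginUri and endUri; the broker only navigates and reports
// where it ended up. It does not verify that loginUri is the real Facebook.
public static class FacebookBrokerLogin
{
    // Assumption: replace with the app ID registered with Facebook.
    private const string AppId = "YOUR_FACEBOOK_APP_ID";

    // Facebook's documented landing page for embedded-browser flows.
    private static readonly Uri EndUri =
        new Uri("https://www.facebook.com/connect/login_success.html");

    // Builds the login dialog URL. Every character of this is app-controlled.
    public static Uri BuildLoginUri(string state)
    {
        string url = "https://www.facebook.com/dialog/oauth"
            + "?client_id=" + Uri.EscapeDataString(AppId)
            + "&redirect_uri=" + Uri.EscapeDataString(EndUri.AbsoluteUri)
            + "&response_type=token"
            + "&scope=" + Uri.EscapeDataString("email")   // assumed scope
            + "&state=" + Uri.EscapeDataString(state);
        return new Uri(url);
    }

    // Returns the access token, or null if the user cancelled the dialog.
    public static async Task<string> LoginAsync()
    {
        // Per-attempt random value that Facebook echoes back; rejecting a
        // mismatch stops an injected response from being accepted. This is
        // an addition here, not something the broker does for you.
        string state = Guid.NewGuid().ToString("N");

        WebAuthenticationResult result = await WebAuthenticationBroker.AuthenticateAsync(
            WebAuthenticationOptions.None, BuildLoginUri(state), EndUri);

        switch (result.ResponseStatus)
        {
            case WebAuthenticationStatus.Success:
                // ResponseData is the final URL the broker stopped on, e.g.
                // https://www.facebook.com/connect/login_success.html#access_token=...&state=...
                return ExtractAccessToken(result.ResponseData, state);
            case WebAuthenticationStatus.UserCancel:
                return null;
            default:
                throw new InvalidOperationException(
                    "Login failed, HTTP status " + result.ResponseErrorDetail);
        }
    }

    // Parses the URL fragment Facebook appends to the redirect page.
    public static string ExtractAccessToken(string finalUrl, string expectedState)
    {
        var uri = new Uri(finalUrl);
        // Developer-side check on the URL the broker reported; it does not
        // help a user who is looking at a look-alike page inside the broker.
        if (uri.Scheme != "https" || uri.Host != "www.facebook.com")
            throw new InvalidOperationException("Unexpected redirect host: " + uri.Host);

        string fragment = uri.Fragment.TrimStart('#');
        string token = null, state = null;
        foreach (string pair in fragment.Split('&'))
        {
            int eq = pair.IndexOf('=');
            if (eq < 0) continue;
            string key = Uri.UnescapeDataString(pair.Substring(0, eq));
            string value = Uri.UnescapeDataString(pair.Substring(eq + 1));
            if (key == "access_token") token = value;
            else if (key == "state") state = value;
            else if (key == "error")
                throw new InvalidOperationException("Facebook returned error: " + value);
        }

        if (state != expectedState)
            throw new InvalidOperationException("OAuth state mismatch");
        if (string.IsNullOrEmpty(token))
            throw new InvalidOperationException("No access_token in response");
        return token;
    }
}
```

Calling `await FacebookBrokerLogin.LoginAsync()` from a Windows Store app shows the same "Connecting to a Service" dialog described above; swapping the host in `BuildLoginUri` for any other server changes nothing in what the user is shown, which is the concern the thread raises.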
  • Bump.

    Does anyone have any guidance/insight on this rather obvious security concern?

    Friday, December 14, 2012 11:26 AM
  • Bump...
    Thursday, January 3, 2013 2:41 AM
  • Bump...
    Friday, January 11, 2013 3:55 AM
  • Bump...
    Tuesday, February 5, 2013 6:41 PM
  • Interesting question, I'll look into this.

    Matt Small - Microsoft Escalation Engineer - Forum Moderator

    Wednesday, February 6, 2013 6:39 PM
    Moderator
  • Great Matt... thank you.
    Wednesday, February 6, 2013 6:52 PM
  • I am bumping this thread every time I share it with someone on why I am doing HTML5 development rather than Xaml/Windows 8 development now.

    So, bump...

    Thursday, March 7, 2013 12:15 AM
  • Thank you Matt for looking into this.

    I understand that there is an "implied" risk for installing a 3rd-party application.  The problem here is that there is no way of easily showing the user (or for them to verify) the actual location of where authentication is taking place.  That is, with a browser, a user can simply look in the current address bar to verify the URI/location that they are currently visiting, along with any certificates that are associated with that URI.  They can then make the decision whether to continue or not.

    This simply does not exist with a Windows 8 application.  The user cannot see the URI that is being loaded, nor can they access/view/verify any associated security certificates.

    So yes, there is a serious concern here.  I'm not sure what you mean by a threat matrix.  The threat is simply that any Windows 8 application developer can *easily* phish a user's credentials and pass them along to the actual authentication destination.  That is a major security risk/issue and it's rather surprising that this was not caught sooner... and it's really just a matter of time before it's exploited.


    • Edited by Mike-EEE Monday, March 18, 2013 4:46 PM
    Monday, March 18, 2013 4:46 PM