(bmitch.net)

407 points todsacerdoti | 1 comments | 24 Aug 25 23:27 UTC | HN request time: 0.214s | source

Show context

engcoach ◴[24 Aug 25 23:57 UTC] No.45008913[source]▶

Is the danger here token replay? It's using Bearer tokens, so it's not sending a password over:

<https://developer.mozilla.org/en-US/docs/Web/HTTP/Guides/Aut...>

Threats section for Bearer tokens: <https://datatracker.ietf.org/doc/html/rfc6750#section-5.2>

Does OAuth reuse tokens across domains? If not, doesn't this just mean it is requesting an auth token for ghrc (the "fake" domain) but it can't access any auth tokens for ghcr (the real domain)?

replies(2): >>45009018 #>>45009041 #

1. bmitch3020 ◴[25 Aug 25 00:21 UTC] No.45009041[source]▶

>>45008913 #

Blog author (and OCI maintainer) here. The request to get a bearer token sends the password or PAT using the basic auth header, base64 encoded, but otherwise clear-text. That's the request the www-authenticate header is triggering. Once the token is received, the registry uses that to verify access, and that eventually expires. But the attacker isn't getting the token, they are requesting the credentials that would be used to acquire a bearer auth token.

↑

Ghrc.io appears to be malicious