Clearly the consumer secret for desktop applications is pointless, but the existence of the token secret still offers a modicum of protection. It's definitely the case that SPs can't reasonably identify to users which consumer they are giving their data to.
On Thu, Apr 23, 2009 at 5:52 PM, Zachary Voase <disturb...@googlemail.com> wrote:
>
> It's not that the malicious software is scanning for access tokens,
> but that the attacker gets the consumer secret for the desktop
> application; this would allow the attacker to exchange request tokens
> for access tokens, etc. (as the attacker has essentially compromised
> the consumer, not the individual users).
>
> On Apr 24, 2:46 am, Brian Eaton <bea...@google.com> wrote:
> > On Thu, Apr 23, 2009 at 5:35 PM, Dossy Shiobara <do...@panoptic.com> wrote:
> > > On 4/23/09 8:30 PM, Brian Eaton wrote:
> > >> Malicious software on the user's computer does not need to steal
> > >> access tokens. It steals passwords, bank account numbers, and
> > >> confidential documents.
> > >
> > > Sure. But, this attack can happen when the victim is NOT running
> > > malicious software! That's why this is a serious threat.
> >
> > OK, you lost me. Can you summarize the attack again, this time
> > leaving out the bit where malicious software is running on the
> > computer and scanning memory for access tokens?

--
You received this message because you are subscribed to the Google Groups "OAuth" group.
To post to this group, send email to oauth@googlegroups.com
To unsubscribe from this group, send email to oauth+unsubscr...@googlegroups.com
For more options, visit this group at http://groups.google.com/group/oauth?hl=en
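The two claims in this exchange (Zachary's, that a leaked desktop consumer secret lets someone sign the request-token to access-token call; the reply's, that the token secret still counts for something) both come down to how the OAuth 1.0 HMAC-SHA1 signing key is built: it is enc(consumer secret) & enc(token secret), as in OAuth Core 1.0 and later RFC 5849. The example below is added here and is not code from the thread or from any OAuth library; the host sp.example, the consumer key, the two secrets, the token, nonce and timestamp are all constructed. It builds the signature base string, signs it, and runs the service provider's verification against a signature made with the consumer secret alone.

```python
"""OAuth 1.0 HMAC-SHA1 signing and service-provider verification.

Added example, not code from the thread above. It shows why the signing key
is consumer_secret & token_secret: a party holding only the consumer secret
(the value a desktop application must ship, so it cannot stay secret)
cannot produce a valid signature for a token whose token secret it lacks.
All URLs, keys, secrets, nonces and timestamps below are constructed.
"""
import base64
import hashlib
import hmac
from urllib.parse import parse_qsl, quote, urlsplit


def pct(value):
    """Percent-encode per RFC 3986: only ALPHA, DIGIT, '-', '.', '_', '~' stay bare."""
    return quote(value, safe="")


def base_string(method, url, params):
    """Signature base string: METHOD & base-URL & normalized request parameters."""
    parts = urlsplit(url)
    host = parts.hostname or ""          # urlsplit already lowercases the host
    port = parts.port
    default = {"http": 80, "https": 443}.get(parts.scheme)
    if port and port != default:         # default ports are dropped from the base URL
        host = f"{host}:{port}"
    base_url = f"{parts.scheme}://{host}{parts.path}"
    # Query-string parameters are signed together with the oauth_* and body
    # parameters; oauth_signature itself is never part of the input.
    collected = list(parse_qsl(parts.query, keep_blank_values=True)) + list(params)
    encoded = sorted((pct(k), pct(v)) for k, v in collected if k != "oauth_signature")
    normalized = "&".join(f"{k}={v}" for k, v in encoded)
    return "&".join([method.upper(), pct(base_url), pct(normalized)])


def sign(method, url, params, consumer_secret, token_secret=""):
    """HMAC-SHA1 over the base string; the key binds BOTH secrets."""
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    mac = hmac.new(key, base_string(method, url, params).encode(), hashlib.sha1)
    return base64.b64encode(mac.digest()).decode()


def verify(method, url, params, consumer_secret, token_secret, presented):
    """Service-provider check: recompute with the stored secrets, compare in constant time."""
    expected = sign(method, url, params, consumer_secret, token_secret)
    return hmac.compare_digest(expected, presented)


def access_token_exchange_demo():
    """Sign the request-token -> access-token call with and without the token secret."""
    url = "https://sp.example/oauth/access_token"            # constructed endpoint
    consumer_secret = "secret-embedded-in-desktop-binary"    # constructed; extractable from the app
    request_token_secret = "rts-5f3c1d"                      # constructed; known to whoever got the request token
    params = [
        ("oauth_consumer_key", "desktop-app"),
        ("oauth_token", "rt-81a2c4"),
        ("oauth_signature_method", "HMAC-SHA1"),
        ("oauth_timestamp", "1240530000"),
        ("oauth_nonce", "8c1d4e2f"),
        ("oauth_version", "1.0"),
    ]
    legit = sign("POST", url, params, consumer_secret, request_token_secret)
    # Consumer secret only: this signer does not hold the request token secret.
    consumer_only = sign("POST", url, params, consumer_secret, "")
    return {
        "legit_accepted": verify("POST", url, params, consumer_secret,
                                 request_token_secret, legit),
        "consumer_secret_only_accepted": verify("POST", url, params, consumer_secret,
                                                request_token_secret, consumer_only),
    }


if __name__ == "__main__":
    print(access_token_exchange_demo())
```

`base_string` reproduces the worked base string in RFC 5849 section 3.4.1.1 when fed that request, which is the easiest way to check a hand-rolled signer before trusting it. The verification result is the "modicum of protection" from the first message: the consumer secret on its own signs nothing for a token whose secret the signer lacks. It is no protection for a request token the signer obtained itself, since the token secret is returned together with the request token, which is the case Zachary is describing.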