On Fri, Apr 24, 2009 at 10:04 AM, Josh Fraser <joshf...@gmail.com> wrote:
> Don't requests for access tokens need to be signed with the consumer
> secret?

correct (at least for web consumers)

> This means that an attacker needs the victim to return to the
> consumer site to complete the handshake because the attacker doesn't
> have the secret to make that request himself.  Right?

Not quite.

The attack assumes that the attacker is *also* using the consumer, so
he is actually abusing the protocol to be able to access the victim's data
through his own account (i.e. the account belonging to the attacker)
at the consumer site, so the attacker does not need to get at the
access tokens or at the secrets.

Luca

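A toy model of the flow Luca describes, added here as an illustration rather than code from the thread: the request token is obtained through the attacker's own consumer session (so the consumer-secret signing is satisfied), the victim authorizes that token, and the attacker's session finishes the exchange; it also shows how binding the exchange to a verifier delivered only through the authorizing user's browser (the OAuth 1.0a approach) closes the gap. The `Provider` class and its methods are assumptions for the model, not any real library's API.

```python
import secrets


class Provider:
    """Constructed service-provider model of the OAuth 1.0 three-legged flow."""

    def __init__(self, require_verifier):
        # False: plain OAuth 1.0 exchange; True: 1.0a-style verifier check.
        self.require_verifier = require_verifier
        self.request_tokens = {}  # request token -> {"user": ..., "verifier": ...}

    def issue_request_token(self, consumer_key):
        # In the real protocol this request is signed with the consumer secret,
        # which the attacker satisfies simply by using the legitimate consumer.
        token = secrets.token_hex(8)
        self.request_tokens[token] = {"user": None, "verifier": None}
        return token

    def authorize(self, token, user):
        # The user approves the token in their own browser. The verifier (if any)
        # travels back only via that browser's redirect to the consumer.
        entry = self.request_tokens[token]
        entry["user"] = user
        entry["verifier"] = secrets.token_hex(8) if self.require_verifier else None
        return entry["verifier"]

    def exchange(self, token, verifier=None):
        entry = self.request_tokens.pop(token)
        if entry["user"] is None:
            raise PermissionError("request token not authorized")
        if self.require_verifier and verifier != entry["verifier"]:
            raise PermissionError("verifier mismatch")
        return {"access_token": secrets.token_hex(8), "user": entry["user"]}


def simulate(require_verifier):
    """Return which user's data the attacker's consumer session ends up bound to,
    or None if the exchange is refused."""
    provider = Provider(require_verifier)
    # The attacker starts a normal login from his own account at the consumer.
    attacker_session = {"request_token": provider.issue_request_token("consumer")}
    # The victim approves that request token; the verifier reaches only the victim.
    verifier_seen_by_victim = provider.authorize(attacker_session["request_token"], "victim")
    del verifier_seen_by_victim  # never reaches the attacker's session
    try:
        result = provider.exchange(attacker_session["request_token"], verifier=None)
        return result["user"]
    except PermissionError:
        return None
```

With `require_verifier=False` the attacker's session is bound to the victim's data; with the verifier check the exchange fails even though no secret was ever leaked.
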
You received this message because you are subscribed to the Google Groups 
"OAuth" group.
To post to this group, send email to oauth@googlegroups.com
To unsubscribe from this group, send email to oauth+unsubscr...@googlegroups.com
For more options, visit this group at http://groups.google.com/group/oauth?hl=en