> > the attack assumes that *also* the attacker is using the consumer so
> > it is actually abusing the protocol to be able to access the victim data
> > through his own account (i.e. the account belonging to the attacker)
> > at the consumer site, so the attacker does not need to get at the
> > access tokens or at the secrets.
> >
> > Luca
Yes, in the context of this attack the attacker is using the consumer once the access token is associated with the victim's identity. The recourse then is to kill the access tokens more frequently.

A little off-topic, but I always wondered about the lack of a "revoke_access_token" endpoint. If the victim were to find out that his account has been compromised, what options does he have? Some providers (I know I would) may provide the revoke_access_token endpoint, but shouldn't the spec kind of make it standard like the other 3?

-cheers,
Manish

You received this message because you are subscribed to the Google Groups "OAuth" group.
To post to this group, send email to oauth@googlegroups.com
To unsubscribe from this group, send email to oauth+unsubscr...@googlegroups.com
For more options, visit this group at http://groups.google.com/group/oauth?hl=en
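As an added example, not code from the thread or from any OAuth provider: a minimal provider-side access-token store in Python showing the two mitigations raised above, a short token lifetime and a revoke operation the victim can invoke. Class, method and TTL names are assumptions; the clock is injectable so expiry can be exercised without waiting.

```python
import secrets
import time

TOKEN_TTL_SECONDS = 3600  # assumed value: a short lifetime bounds the window a bound token is usable


class AccessTokenStore:
    """Provider-side store of issued access tokens (hypothetical names)."""

    def __init__(self, now=time.time):
        self._now = now    # injectable clock so tests can advance time
        self._tokens = {}  # token -> {"user": id, "expires": ts, "revoked": bool}

    def issue(self, user_id):
        """Issue a fresh, unguessable access token bound to user_id."""
        token = secrets.token_urlsafe(32)
        self._tokens[token] = {
            "user": user_id,
            "expires": self._now() + TOKEN_TTL_SECONDS,
            "revoked": False,
        }
        return token

    def validate(self, token):
        """Return the bound user id if the token is live, else None.

        A token bound to the victim stops working as soon as it expires or
        is revoked, which is the 'kill tokens more frequently' recourse."""
        rec = self._tokens.get(token)
        if rec is None or rec["revoked"] or self._now() >= rec["expires"]:
            return None
        return rec["user"]

    def revoke_access_token(self, token, requesting_user):
        """The proposed endpoint: only the user a token is bound to may revoke it."""
        rec = self._tokens.get(token)
        if rec is None or rec["user"] != requesting_user:
            return False
        rec["revoked"] = True
        return True

    def revoke_all_for_user(self, user_id):
        """What a victim who learns of a compromise actually needs: drop every
        live token bound to the account, since they will not know the token strings."""
        count = 0
        for rec in self._tokens.values():
            if rec["user"] == user_id and not rec["revoked"]:
                rec["revoked"] = True
                count += 1
        return count
```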