I don't like that "implicit flow" (or former user-agent flow) much and wrote about it 2 years ago, but that attack is rather related to implementation bugs, not to the protocol itself. A root cause is a bug in redirect URL verification (probably a regexp flaw).
Enforcing a token's lifetime at the protocol level doesn't make too much sense either, because it should depend on the sensitivity of the protected data. The same is true about the scope. I think the latter two issues have already been reflected in Torsten's TM.

--- On Thu, 2/28/13, prateek mishra <prateek.mis...@oracle.com> wrote:

> From: prateek mishra <prateek.mis...@oracle.com>
> Subject: Re: [OAUTH-WG] OAuth2 attack surface....
> To: "oauth@ietf.org" <oauth@ietf.org>
> Date: Thursday, February 28, 2013, 5:56 PM
>
> Characteristics of both these attacks -
> 1) Use of implicit flow (access token passed on the URL)
> 2) changes to redirect uri (specification does allow some flexibility here)
> 3) applications with long-lived access tokens with broad scope (in one case only)
>
> - prateek
>
>> And a different one (still exploiting redirection and still an implementation mistake)
>> http://www.nirgoldshlager.com/2013/02/how-i-hacked-facebook-oauth-to-get-full.html
>>
>> Regards
>> Antonio
>>
>> On Feb 25, 2013, at 11:42 PM, William Mills wrote:
>>
>>> DOH!!!
>>> http://homakov.blogspot.co.uk/2013/02/hacking-facebook-with-oauth2-and-chrome.html
>>>
>>> From: Phil Hunt <phil.h...@oracle.com>
>>> To: William Mills <wmills_92...@yahoo.com>
>>> Sent: Monday, February 25, 2013 2:28 PM
>>> Subject: Re: [OAUTH-WG] OAuth2 attack surface....
>>>
>>>> What's the link?
>>>>
>>>> Phil
>>>>
>>>> Sent from my phone.
>>>>
>>>> On 2013-02-25, at 14:22, William Mills <wmills_92...@yahoo.com> wrote:
>>>>
>>>>> I think this is worth a read, I don't have time to dive into this :(

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
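The first message attributes the attack to a redirect URL verification bug, probably a regexp flaw, and prateek's second point is that the redirect URI was changed. The following is an added illustration (editor's example, not code from any participant in the thread or from any real authorization server) that contrasts an unanchored regexp prefix check with the exact string comparison against registered URIs that RFC 6749 section 3.1.2.3 requires. The client id, registered URI and test vectors are constructed for the example.

```python
import re
from urllib.parse import urlsplit

# Constructed registration table for a hypothetical client; not from the thread.
REGISTERED_REDIRECTS = {
    "client-123": {"https://app.example.com/oauth/callback"},
}

# The kind of unanchored pattern a sloppy implementation might use: it only
# tests that the URI *starts* with the expected origin string.
LAX_PATTERN = re.compile(r"https://app\.example\.com")


def lax_redirect_ok(client_id: str, redirect_uri: str) -> bool:
    """Regexp prefix check (the flawed style). client_id is ignored on purpose,
    mirroring an implementation that validates the shape, not the registration."""
    return LAX_PATTERN.match(redirect_uri) is not None


def strict_redirect_ok(client_id: str, redirect_uri: str) -> bool:
    """Exact string comparison against the URIs registered for this client
    (the comparison RFC 6749 section 3.1.2.3 calls for), preceded by the
    structural checks of section 3.1.2: absolute URI, https, no fragment."""
    parts = urlsplit(redirect_uri)
    if parts.scheme != "https" or not parts.netloc or parts.fragment:
        return False
    return redirect_uri in REGISTERED_REDIRECTS.get(client_id, set())


# Constructed test vectors: the registered URI, a look-alike host that shares
# the registered prefix, the same host with a different path, and a URI that
# carries a fragment (not permitted for a redirection endpoint).
TEST_VECTORS = [
    "https://app.example.com/oauth/callback",
    "https://app.example.com.attacker.example/oauth/callback",
    "https://app.example.com/other/page",
    "https://app.example.com/oauth/callback#fragment",
]


def compare_checks(client_id: str = "client-123") -> dict:
    """Return {uri: (lax_result, strict_result)} for every test vector, so the
    two validators can be compared side by side."""
    return {
        uri: (lax_redirect_ok(client_id, uri), strict_redirect_ok(client_id, uri))
        for uri in TEST_VECTORS
    }


if __name__ == "__main__":
    for uri, (lax, strict) in compare_checks().items():
        print(f"{uri}\n  lax regexp: {lax}  strict match: {strict}")
```

The lax pattern accepts all four vectors because it is never anchored to the end of the string or to a per-client registration; the strict check accepts only the registered URI. This is the implementation-level fix the thread is pointing at: the protocol already says to compare registered and presented URIs as plain strings, so the defect lives in servers that substitute a looser pattern match.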