I don't like that "implicit flow" or former user-agent flow much and wrote about it 
2 years ago, but that attack is rather related to implementation bugs, not to the 
protocol itself. The root cause is a bug in redirect URL verification (probably a 
regexp flaw).

Enforcing a token's lifetime at the protocol level doesn't make too much sense 
either, because it should depend on the sensitivity of the protected data. 

The same is true about the scope.

I think the latter two issues have already been reflected in Torsten's TM.
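The "bug in redirect URL verification" named above, illustrated with an added Python example that is not from the thread: a loose regex check of the kind that produces such bugs, beside the exact-match comparison of the registered redirect URI that RFC 6749 section 3.1.2 calls for. The client id, registered URI and probe URIs are constructed sample values.

```python
import re
from urllib.parse import urlsplit

# Constructed sample registration: one client, one registered redirect URI.
REGISTERED = {
    "client-abc": ["https://app.example/oauth/callback"],
}


def loose_redirect_ok(client_id: str, redirect_uri: str) -> bool:
    """Flawed check built from an unanchored, unescaped regex of the host.

    The '.' in the registered host is a regex wildcard and the pattern is
    not anchored, so unrelated URIs can satisfy it (the 'regexp flaw' class).
    """
    for allowed in REGISTERED.get(client_id, []):
        host = urlsplit(allowed).hostname or ""
        if re.search(host, redirect_uri):
            return True
    return False


def strict_redirect_ok(client_id: str, redirect_uri: str) -> bool:
    """Hardened check: simple string comparison of the parsed components
    against the registered URI, as RFC 6749 section 3.1.2 calls for.

    Fragments are never allowed, and only https is accepted here.
    """
    p = urlsplit(redirect_uri)
    if p.fragment or p.scheme != "https":
        return False
    for allowed in REGISTERED.get(client_id, []):
        a = urlsplit(allowed)
        if (p.scheme, p.netloc, p.path, p.query) == (a.scheme, a.netloc, a.path, a.query):
            return True
    return False


def compare_checks(client_id: str, redirect_uri: str) -> dict:
    """Run both checks on one presented redirect_uri so the gap is visible."""
    return {
        "loose": loose_redirect_ok(client_id, redirect_uri),
        "strict": strict_redirect_ok(client_id, redirect_uri),
    }


if __name__ == "__main__":
    for uri in ("https://app.example/oauth/callback",
                "https://app-example.test/oauth/callback"):  # constructed probe
        print(uri, compare_checks("client-abc", uri))
```

The second probe differs from the registered host only in a character matched by the unescaped dot, which is enough for the loose check to accept it while the strict comparison rejects it.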

--- On Thu, 2/28/13, prateek mishra <prateek.mis...@oracle.com> wrote:

From: prateek mishra <prateek.mis...@oracle.com>
Subject: Re: [OAUTH-WG] OAuth2 attack surface....
To: "oauth@ietf.org" <oauth@ietf.org>
Date: Thursday, February 28, 2013, 5:56 PM
Characteristics of both these attacks -

1) Use of implicit flow (access token passed on the URL)

2) changes to redirect uri (specification does allow some flexibility here)

3) applications with long-lived access tokens with broad scope (in one case only)

- prateek

And a different one (still exploiting redirection and still an implementation mistake):
http://www.nirgoldshlager.com/2013/02/how-i-hacked-facebook-oauth-to-get-full.html

Regards

Antonio

On Feb 25, 2013, at 11:42 PM, William Mills wrote:
DOH!!!
http://homakov.blogspot.co.uk/2013/02/hacking-facebook-with-oauth2-and-chrome.html

From: Phil Hunt <phil.h...@oracle.com>
To: William Mills <wmills_92...@yahoo.com>
Sent: Monday, February 25, 2013 2:28 PM
Subject: Re: [OAUTH-WG] OAuth2 attack surface....

What's the link?

Phil

Sent from my phone.

On 2013-02-25, at 14:22, William Mills <wmills_92...@yahoo.com> wrote:

I think this is worth a read, I don't have time to dive into this :(

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth