While implicit is what they are attacking, this is in principle also possible to do with a code flow if the client is public. It is only confidential clients using the code flow that have reasonable protection from open redirectors.
In OpenID Connect we made registered redirect_uri and full comparison of the URI including query parameters a requirement. Allowing path or query parameters outside of the redirect comparison leaves too large an uncontrolled attack surface. Implementation mistakes are almost inevitable.

John B.

On 2013-02-28, at 2:56 PM, prateek mishra <prateek.mis...@oracle.com> wrote:

> Characteristics of both these attacks -
>
> 1) Use of implicit flow (access token passed on the URL)
> 2) changes to redirect uri (specification does allow some flexibility here)
> 3) applications with long-lived access tokens with broad scope (in one case only)
>
> - prateek
>
>> And a different one (still exploiting redirection and still implementation mistake)
>> http://www.nirgoldshlager.com/2013/02/how-i-hacked-facebook-oauth-to-get-full.html
>>
>> Regards
>>
>> Antonio
>>
>> On Feb 25, 2013, at 11:42 PM, William Mills wrote:
>>
>>> DOH!!!
>>> http://homakov.blogspot.co.uk/2013/02/hacking-facebook-with-oauth2-and-chrome.html
>>>
>>> From: Phil Hunt <phil.h...@oracle.com>
>>> To: William Mills <wmills_92...@yahoo.com>
>>> Sent: Monday, February 25, 2013 2:28 PM
>>> Subject: Re: [OAUTH-WG] OAuth2 attack surface....
>>>
>>> What's the link?
>>>
>>> Phil
>>>
>>> Sent from my phone.
>>>
>>> On 2013-02-25, at 14:22, William Mills <wmills_92...@yahoo.com> wrote:
>>>
>>>> I think this is worth a read, I don't have time to dive into this :(
>>>> _______________________________________________
>>>> OAuth mailing list
>>>> OAuth@ietf.org
>>>> https://www.ietf.org/mailman/listinfo/oauth
_______________________________________________ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth
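The two points John B. makes above (exact redirect_uri comparison versus path/query "flexibility", and the implicit flow putting the token in the URL) can be shown end to end with a small simulation. This is an added example, not code from the thread, from OpenID Connect, or from any of the providers discussed; the client id, hostnames, the /go open redirector on the client's own host and the token value are all constructed for illustration. `exact_match` follows the OpenID Connect rule of simple string comparison against the registered value; `loose_match` is a deliberately weak validator that checks only scheme and host, standing in for the kind of flexibility the thread warns about. `browser_follow_302` models the browser behaviour that makes the implicit flow leak: when a 302 Location carries no fragment, the browser re-attaches the fragment of the page it is leaving, so an access token placed in the fragment rides through an open redirect to the attacker.

```python
"""Exact vs. loose redirect_uri matching at an OAuth 2.0 / OpenID Connect
authorization server, and how a loose match plus the implicit flow leaks an
access token through an open redirector on the client's own host.
Added illustration; not code from the thread or any product.  All names,
hosts, paths and the token value are constructed."""
from typing import Callable, Optional
from urllib.parse import parse_qs, urlsplit, urlunsplit

# Constructed client registration: one client, one exact callback URI.
REGISTERED = {
    "client-a": ["https://app.example/oauth/cb"],
}


def exact_match(client_id: str, redirect_uri: str) -> bool:
    """OpenID Connect style check: the requested redirect_uri must equal a
    pre-registered value byte for byte, query string included.  No path or
    query freedom is granted to the client."""
    return redirect_uri in REGISTERED.get(client_id, [])


def loose_match(client_id: str, redirect_uri: str) -> bool:
    """Deliberately weak validator (constructed): only scheme and host must
    match, the path and query are left to the client.  This is the
    'flexibility' the thread argues against."""
    req = urlsplit(redirect_uri)
    for reg in REGISTERED.get(client_id, []):
        r = urlsplit(reg)
        if (req.scheme, req.netloc) == (r.scheme, r.netloc):
            return True
    return False


def implicit_redirect(redirect_uri: str, access_token: str) -> str:
    """Implicit grant response: the AS appends the token in the URL fragment
    (RFC 6749 section 4.2.2) and redirects the browser there."""
    p = urlsplit(redirect_uri)
    frag = f"access_token={access_token}&token_type=bearer"
    return urlunsplit((p.scheme, p.netloc, p.path, p.query, frag))


def open_redirector(url: str) -> Optional[str]:
    """Constructed open redirector at /go?to=<url> on the client host.
    Returns the Location it would answer with, or None if /go is not hit."""
    p = urlsplit(url)
    if p.path != "/go":
        return None
    return parse_qs(p.query).get("to", [None])[0]


def browser_follow_302(current_url: str, location: str) -> str:
    """Browsers re-attach the fragment of the current URL when the Location
    header carries no fragment of its own, so a token in the fragment
    survives the redirect and reaches the new host."""
    cur, loc = urlsplit(current_url), urlsplit(location)
    if loc.fragment or not cur.fragment:
        return location
    return urlunsplit((loc.scheme, loc.netloc, loc.path, loc.query, cur.fragment))


def attack(validator: Callable[[str, str], bool], attacker_redirect: str,
           token: str = "SECRET") -> Optional[str]:
    """Run one implicit-flow authorization with the attacker-chosen
    redirect_uri.  Returns the final URL the browser lands on (with whatever
    fragment it carries), or None if the AS rejected the redirect_uri."""
    if not validator("client-a", attacker_redirect):
        return None
    after_as = implicit_redirect(attacker_redirect, token)
    location = open_redirector(after_as)
    if location is None:
        return after_as  # legitimate callback, token stays on the client
    return browser_follow_302(after_as, location)


ATTACK_URI = "https://app.example/go?to=https://attacker.example/collect"

if __name__ == "__main__":
    print("exact :", attack(exact_match, ATTACK_URI))
    print("loose :", attack(loose_match, ATTACK_URI))
```

Under `loose_match` the browser ends at `https://attacker.example/collect#access_token=SECRET&token_type=bearer`; under `exact_match` the authorization server refuses the request before any redirect happens. The same loose match also lets a code flow deliver the code to whatever the redirector forwards to, which is why the first paragraph above distinguishes public clients from confidential ones: only a client secret stands between a leaked code and a token.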