PKCE solves a subset of this, but not the general case.  It doesn't solve the 
FB example in the paper where the FB token is passed between apps locally.
It is a clear win for the OAuth code flow for example though. 

On Thursday, June 18, 2015 7:31 AM, Nat Sakimura <sakim...@gmail.com> wrote:

Hi OAuthers:

The XARA (Cross App Resource Access) paper was gaining interest here in Japan today
because of the Register article [1]. I went over the attack description in the
full paper [2].

The paper presents four kinds of vulnerabilities:

   1. Password Stealing (Keychain)
   2. Container Cracking (BundleID check bug on the part of Apple App Store)
   3. IPC Interception (a. WebSocket non-authentication, and b. local OAuth
      redirect)
   4. Scheme Hijacking

Of those, 3.b and 4 are relevant to us, and we kind of knew them all the way
through.

These are the target attacks that PKCE specifically wants to address, and does
address, I believe.

[1] http://www.theregister.co.uk/2015/06/17/apple_hosed_boffins_drop_0day_mac_ios_research_blitzkrieg/
[2] https://sites.google.com/site/xaraflaws/



-- 
Nat Sakimura (=nat)
Chairman, OpenID Foundation
http://nat.sakimura.org/
@_nat_en
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
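The two messages above turn on one mechanism: with PKCE (RFC 7636), the authorization code that a scheme-hijacking app intercepts (case 3.b / 4 in Nat's list) cannot be redeemed without the code_verifier that never left the legitimate app. The following is an added worked example, not code from the thread, the XARA paper or any OAuth library. It models a toy in-memory authorization server; the client_id and the custom-scheme redirect_uri are hypothetical. It also shows the reply's point from the other side: PKCE protects the code exchange only, so the plain (unhashed) method, or a token handed between apps locally, gets no benefit.

```python
"""Toy PKCE (RFC 7636) exchange: an intercepted authorization code is useless
to a scheme-hijacking app that does not hold the code_verifier."""
import base64
import hashlib
import os
import secrets


def b64url(data: bytes) -> str:
    """Base64url without padding, the encoding RFC 7636 uses for both values."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_verifier() -> str:
    """High-entropy code_verifier: 32 random bytes -> 43 unreserved characters."""
    return b64url(os.urandom(32))


def make_challenge(verifier: str) -> str:
    """S256 transform: BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


class ToyAuthorizationServer:
    """In-memory stand-in for an AS, constructed for this example only."""

    def __init__(self):
        self._codes = {}

    def authorize(self, client_id, redirect_uri, code_challenge, method="S256"):
        # The AS binds the challenge (plus client and redirect) to the issued code.
        code = b64url(os.urandom(16))
        self._codes[code] = {"client_id": client_id, "redirect_uri": redirect_uri,
                             "challenge": code_challenge, "method": method}
        return code

    def token(self, code, code_verifier, client_id, redirect_uri):
        record = self._codes.pop(code, None)  # a code is single use, success or not
        if record is None:
            return {"error": "invalid_grant"}
        if record["client_id"] != client_id or record["redirect_uri"] != redirect_uri:
            return {"error": "invalid_grant"}
        if record["method"] == "S256":
            expected = make_challenge(code_verifier)
        elif record["method"] == "plain":
            expected = code_verifier
        else:
            return {"error": "invalid_request"}
        if not secrets.compare_digest(expected, record["challenge"]):
            return {"error": "invalid_grant"}
        return {"access_token": b64url(os.urandom(24)), "token_type": "Bearer"}


def run_scenario():
    """Three flows against the toy AS; returns the token responses for inspection."""
    auth = ToyAuthorizationServer()
    client_id = "example-mobile-app"       # hypothetical
    redirect_uri = "com.example.app:/cb"   # hypothetical custom URL scheme

    # Flow 1: legitimate app, S256. Redeem once, then replay the same code.
    verifier = make_verifier()
    code = auth.authorize(client_id, redirect_uri, make_challenge(verifier))
    legit = auth.token(code, verifier, client_id, redirect_uri)
    replay = auth.token(code, verifier, client_id, redirect_uri)

    # Flow 2: a hijacker registered the same scheme and receives the redirect
    # carrying `code`. Assume it even observed the code_challenge in the
    # authorization request; it still cannot invert SHA-256 to the verifier.
    verifier2 = make_verifier()
    challenge2 = make_challenge(verifier2)
    code2 = auth.authorize(client_id, redirect_uri, challenge2)
    hijack_s256 = auth.token(code2, challenge2, client_id, redirect_uri)

    # Flow 3: same interception, but the client used method=plain, so the
    # observed challenge *is* the verifier and the hijacker succeeds.
    verifier3 = make_verifier()
    code3 = auth.authorize(client_id, redirect_uri, verifier3, method="plain")
    hijack_plain = auth.token(code3, verifier3, client_id, redirect_uri)

    return {"legit": legit, "replay": replay,
            "hijack_s256": hijack_s256, "hijack_plain": hijack_plain}


if __name__ == "__main__":
    for name, result in run_scenario().items():
        print(f"{name:12s} -> {result}")
```

Flow 1 and flow 2 are the case the thread calls solved: the verifier stays inside the legitimate app's process, so whoever wins the custom-scheme race holds a code it cannot exchange. Flow 3 is the caveat: PKCE protects only the code-for-token step and only when the challenge is a one-way transform, which is why S256 is the method to deploy; it does nothing for a token that is already issued and then passed between apps locally, which is the FB case the reply says remains open.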