You know, using an email address as a verified user identifier is an appallingly
bad idea. Even if it were verified at enrollment time, if the mail
address was recycled, the original account holder is screwed. It has been
known for so many years now, and finding that sites still do that makes me
sad.
Also, this is not news:
http://securityintelligence.com/spoofedme-social-login-attack-discovered-by-ibm-x-force-researchers/
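As an added example (not code from this thread or from any product mentioned in it), here is a relying-party account-resolution step in Python that keys accounts on the IdP's (iss, sub) pair, records an email only when the IdP asserts email_verified, and never lets an email address, verified or not, select someone else's account. The issuer URL, subjects and addresses are constructed.

```python
from dataclasses import dataclass, field

@dataclass
class Account:
    account_id: str
    identities: set = field(default_factory=set)      # {(iss, sub), ...}
    verified_emails: set = field(default_factory=set)

class AccountStore:
    # Relying-party side account resolution for an OAuth/OIDC login flow.
    def __init__(self):
        self.by_identity = {}   # (iss, sub) -> Account
        self.by_email = {}      # verified email -> Account that first proved it
        self.conflicts = []     # (email, owner account_id, new account_id)
        self._next = 1

    def resolve(self, claims: dict) -> Account:
        """Map an IdP assertion to a local account.
        1. Only (iss, sub) looks up an existing account; email never does.
        2. An email claim is recorded only when the IdP asserts email_verified.
        3. A verified address already bound to another account (a recycled
           mailbox, say) does not select it: the new subject gets its own
           account and the collision is recorded for review."""
        iss, sub = claims.get("iss"), claims.get("sub")
        if not iss or not sub:
            raise ValueError("assertion has no iss/sub; refusing to identify subject")
        key = (iss, sub)
        acct = self.by_identity.get(key)
        if acct is None:
            acct = Account(account_id=f"acct-{self._next}")
            self._next += 1
            acct.identities.add(key)
            self.by_identity[key] = acct
        email = claims.get("email")
        if email and claims.get("email_verified") is True:
            owner = self.by_email.get(email)
            if owner is None:
                self.by_email[email] = acct
                acct.verified_emails.add(email)
            elif owner is not acct:
                self.conflicts.append((email, owner.account_id, acct.account_id))
        return acct

def demo():
    """Constructed assertions: original holder, unverified address reuse, recycled mailbox."""
    store, idp = AccountStore(), "https://idp.example"   # hypothetical issuer
    victim = store.resolve({"iss": idp, "sub": "u-1", "email": "alice@example.org", "email_verified": True})
    imposter = store.resolve({"iss": idp, "sub": "u-2", "email": "alice@example.org", "email_verified": False})
    recycled = store.resolve({"iss": idp, "sub": "u-3", "email": "alice@example.org", "email_verified": True})
    return victim, imposter, recycled, store
```

Running demo() shows that neither the unverified claim nor the later verified claim for the same address reaches the original holder's account; the verified collision is left in store.conflicts for an operator to look at.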
On Wed, Apr 22, 2015 at 5:02 PM Justin Richer jric...@mit.edu wrote:
Some web applications are using OAuth 2 technology as a login alternative. I
found a way to access a client application using an unverified
email (the victim's email) on an
OAuth provider: if the OAuth provider allows an unverified email to use its
OAuth service, this can be abused by the attacker. This is
This seems to be not a problem with OAuth but with misusing OAuth as an
authentication protocol:
http://oauth.net/articles/authentication/
And with trusting unverified claims from a third party IdP (such as a
self-asserted email address), which is