On Nov 2, 2023, at 16:14, Hannes Tschofenig <[email protected]> wrote:

>> https://salt.security/blog/oh-auth-abusing-oauth-to-take-over-millions-of-accounts

Not sure I like this website too much. They call OAuth (2) a “protocol”, when it really is a framework.

> In this attack, from my understanding, the problem was that access token
> verification was not done properly.

I only had time to read up to:

> according to the Facebook documentation, when Vidio.com receives the access
> token from the user, Vidio should verify that the access token was generated
> to its App ID (92356) by calling the https://graph.facebook.com/debug_token
> API.

You can’t make this one up. “debug_token”.

Regards,
Carsten

_______________________________________________
COSE mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/cose
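The check the quoted passage describes, as an added example that is not part of the thread or of any vendor's code: a relying party must confirm that an inspected access token was issued to its own App ID before accepting it as a login. The response shape (`data.app_id`, `data.is_valid`, `data.expires_at`, `data.user_id`) is an assumption modelled on a token-introspection reply, and the sample responses are constructed, not real API output.

```python
import time
from dataclasses import dataclass
from typing import Optional

# The relying party's own App ID (the value quoted in the thread).
EXPECTED_APP_ID = "92356"


@dataclass
class TokenCheck:
    ok: bool
    reason: str


def check_debug_token(response: dict, expected_app_id: str,
                      now: Optional[float] = None) -> TokenCheck:
    """Decide whether an introspected access token may be used as a login.

    `response` is the parsed JSON of a debug_token-style reply (shape assumed).
    """
    now = time.time() if now is None else now
    data = response.get("data")
    if not isinstance(data, dict):
        return TokenCheck(False, "malformed response: no data object")
    if data.get("is_valid") is not True:
        return TokenCheck(False, "issuer reports token invalid")
    # The core check from the thread: a valid token minted for a *different*
    # app must not be accepted as proof of identity for this app.
    if str(data.get("app_id")) != str(expected_app_id):
        return TokenCheck(False, f"audience mismatch: issued to app {data.get('app_id')!r}")
    expires_at = data.get("expires_at")
    # Assumption: expires_at == 0 means a non-expiring token.
    if isinstance(expires_at, (int, float)) and expires_at != 0 and expires_at <= now:
        return TokenCheck(False, "token expired")
    if not data.get("user_id"):
        return TokenCheck(False, "no user_id bound to token")
    return TokenCheck(True, "ok")


NOW = 1_700_000_000  # fixed clock so the constructed samples are reproducible

# Constructed sample replies: one token issued to our app, one issued to some
# other app (the confusion the blog post and the thread are about).
OWN_APP_RESPONSE = {"data": {"app_id": "92356", "is_valid": True,
                             "expires_at": NOW + 3600, "user_id": "1001"}}
FOREIGN_APP_RESPONSE = {"data": {"app_id": "424242", "is_valid": True,
                                 "expires_at": NOW + 3600, "user_id": "1001"}}

if __name__ == "__main__":
    print(check_debug_token(OWN_APP_RESPONSE, EXPECTED_APP_ID, now=NOW))
    print(check_debug_token(FOREIGN_APP_RESPONSE, EXPECTED_APP_ID, now=NOW))
```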
