My thoughts as a decidedly non-expert OAuth user (I have a consumer on App Engine that'll access a GMail acct):
The consumer key & secret provide the out-of-band "understanding" between the consumer and service provider. The attacker exploits that trust since the actual "user" does not enter into the mix when an OAuth handshake begins (consumer asks for unauthorized request token). Seems there is no fix that does not connect the human user to that initial request and verifies that human upon authorization.

In ER terms, there is a many-to-many between consumer and service. That many-to-many is resolved in a "bridge" that includes user. Any interaction that "queries" the relationship based on the Consumer<->Service out-of-band agreement absent user identification will be vulnerable. Does that sound right?

My bank uses a PIN number as an extra layer, and maybe it could provide the lynchpin here? An initial request asks user to enter a PIN. That PIN is "mixed in" to the request token secret (just like the consumer secret is mixed in). When the user gets directed to the service to authorize, they are required to enter their PIN. (Obviously, the SP will check that the entered PIN is correct -- no "state" necessary since it's encrypted into the secret.) If they do not have it or get it wrong, auth request is rejected. User can easily go back to Consumer and start again.

Sorry if that's way off base -- just my initial take...

--peter keane

On Apr 23, 2:41 am, Eran Hammer-Lahav <[email protected]> wrote:
> The OAuth Security Advisory 2009.1 was posted on the OAuth site:
>
> http://oauth.net/advisories/2009-1
>
> For more information on the attack:
>
> http://www.hueniverse.com/hueniverse/2009/04/explaining-the-oauth-ses...
>
> No information has been withheld. The issue is now fully public.
>
> EHL
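As an added illustration (not code from the post, nor from any OAuth library), here is a small Python model of the PIN binding sketched above: the PIN entered when the consumer starts the request is committed into the request token's record, and the provider refuses to mark the token authorized unless the approving human supplies the same PIN, so a request token started by one party cannot be approved by another. The class and method names (ServiceProvider, start_request, authorize, exchange) and the keyed-hash commitment are assumptions of this model.

```python
import hashlib
import hmac
import secrets


class ServiceProvider:
    """Toy service provider for an OAuth 1.0-style request token flow (constructed model)."""

    def __init__(self, consumers):
        self.consumers = consumers  # consumer_key -> consumer_secret (the out-of-band agreement)
        self.tokens = {}            # request token -> record

    def start_request(self, consumer_key, consumer_secret, pin):
        """Consumer asks for a request token; the user's PIN is mixed into the token record."""
        if not hmac.compare_digest(self.consumers.get(consumer_key, ""), consumer_secret):
            return None
        token = secrets.token_hex(8)
        nonce = secrets.token_hex(8)
        # Store a keyed digest of the PIN, not the PIN itself: this is the only PIN "state" kept.
        commit = hmac.new(nonce.encode(), pin.encode(), hashlib.sha256).hexdigest()
        self.tokens[token] = {"consumer": consumer_key, "nonce": nonce,
                              "commit": commit, "authorized": False}
        return token

    def authorize(self, token, entered_pin):
        """The human approving the token must present the PIN from the session that started it."""
        rec = self.tokens.get(token)
        if rec is None:
            return False
        check = hmac.new(rec["nonce"].encode(), entered_pin.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(check, rec["commit"]):
            return False  # approver cannot prove it began this request: reject, keep token pending
        rec["authorized"] = True
        return True

    def exchange(self, consumer_key, token):
        """Trade an authorized request token (once) for an access token."""
        rec = self.tokens.get(token)
        if rec is None or rec["consumer"] != consumer_key or not rec["authorized"]:
            return None
        del self.tokens[token]  # one-time use
        return "access-" + secrets.token_hex(8)


def demo():
    """Walk the flow once: wrong PIN rejected, right PIN authorizes, then exchange succeeds."""
    sp = ServiceProvider({"app-engine-consumer": "consumer-secret"})
    tok = sp.start_request("app-engine-consumer", "consumer-secret", "4821")
    wrong = sp.authorize(tok, "0000")
    right = sp.authorize(tok, "4821")
    return wrong, right, sp.exchange("app-engine-consumer", tok)
```

A short numeric PIN only holds up if the provider limits failed authorization attempts per token; this model does not rate-limit.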
