On Thu, Apr 23, 2009 at 11:46 AM, Mike Malone <[email protected]> wrote:
> The other difference is that it seems you're not issuing a callback token
> for the manual case, where there's no callback URL. I think you need a
> callback token either way. There's still a timing attack for the manual case
> because the attacker could sit on the callback page for the consumer and
> repeatedly submit the request token key, possibly beating the victim there
> after the token has been authorized. The solution is to have the user enter
> two numbers in the manual case: the request token key, and the callback
> nonce (which could be a short PIN, as Eran suggested).
This is a terrible user experience. Some service providers and consumers will accept it, but we need good security for installed applications even when we can't ask the user to type a PIN manually.

You received this message because you are subscribed to the Google Groups "OAuth" group.
To post to this group, send email to [email protected]
To unsubscribe from this group, send email to [email protected]
For more options, visit this group at http://groups.google.com/group/oauth?hl=en
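The race Mike describes on the manual (no callback URL) flow, and the "two numbers" fix, replayed as a small simulation. This is an added example, not code from the OAuth list, the spec, or any library: the ServiceProvider and Consumer classes, run_race, and the "attacker"/"victim" session labels are names invented for the demonstration, and burning the request token on a wrong PIN is a design choice of this example rather than anything the thread settles.

```python
# Added example: simulation of the callback-page race in the OAuth 1.0 manual
# flow and of the request-token-key + PIN fix. Not code from the OAuth list,
# the spec, or any library; all names here are invented for the demo.
import hmac
import secrets


class ServiceProvider:
    """Issues request tokens, records the user's authorization, exchanges them."""

    def __init__(self, require_verifier):
        self.require_verifier = require_verifier
        self.tokens = {}  # request token key -> {"authorized", "verifier", "dead"}

    def issue_request_token(self):
        key = secrets.token_hex(8)
        self.tokens[key] = {"authorized": False, "verifier": None, "dead": False}
        return key

    def authorize(self, key):
        """The resource owner approves the token on the SP's site.

        In the manual case the SP shows the user what to type into the consumer:
        just the request token key in the vulnerable flow, or the key plus a
        short PIN (the callback nonce) in the fixed one. Returns the PIN, or
        None when no verifier is issued.
        """
        state = self.tokens[key]
        state["authorized"] = True
        if self.require_verifier:
            state["verifier"] = "%06d" % secrets.randbelow(10**6)
        return state["verifier"]

    def exchange(self, key, verifier):
        """Trade an authorized request token for an access token (single use)."""
        state = self.tokens.get(key)
        if state is None or state["dead"] or not state["authorized"]:
            return None
        if self.require_verifier and (
            verifier is None or not hmac.compare_digest(state["verifier"], verifier)
        ):
            # Design choice of this example: a six-digit PIN is guessable, so one
            # wrong verifier burns the request token instead of allowing retries.
            state["dead"] = True
            return None
        state["dead"] = True
        return "access-" + secrets.token_hex(8)


class Consumer:
    """The application whose callback page the attacker keeps polling."""

    def __init__(self, sp):
        self.sp = sp
        self.access_tokens = {}  # browser session -> access token

    def begin(self):
        """Start the flow; the user carries the returned key to the SP."""
        return self.sp.issue_request_token()

    def callback(self, session, key, verifier=None):
        """The 'I have authorized it' page. Anyone who knows the key can submit it."""
        if self.sp.require_verifier and verifier is None:
            return False  # the form demands both numbers in the fixed flow
        token = self.sp.exchange(key, verifier)
        if token is None:
            return False
        self.access_tokens[session] = token
        return True


def run_race(require_verifier, attacker_guesses=False):
    """Replay the race; return who ends up holding the access token."""
    sp = ServiceProvider(require_verifier)
    consumer = Consumer(sp)

    # Session fixation set-up: the attacker starts the flow, so it knows the key,
    # and tricks the victim into authorizing that key at the SP.
    key = consumer.begin()

    # Polling the callback page before authorization never succeeds.
    for _ in range(3):
        assert not consumer.callback("attacker", key)

    # The victim authorizes; only the victim's browser sees the PIN (if any).
    pin = sp.authorize(key)

    # The attacker's next poll lands after authorization, before the victim returns.
    consumer.callback("attacker", key)
    if attacker_guesses and pin is not None:
        # The attacker cannot see the PIN; to keep the run deterministic we
        # construct a guess that is certainly wrong.
        wrong = "%06d" % ((int(pin) + 1) % 10**6)
        consumer.callback("attacker", key, wrong)

    # The victim finally types what the SP showed them.
    consumer.callback("victim", key, pin)

    for who in ("attacker", "victim"):
        if who in consumer.access_tokens:
            return who
    return "nobody"
```

With no verifier the attacker's poll that lands right after authorization wins the access token, exactly the race in the quoted message; with the PIN the same poll is refused and the victim completes the flow. The third outcome, "nobody", shows the cost of the burn-on-wrong-PIN choice: a guessing attacker cannot take the token, but the victim has to restart the flow, which is the fail-closed trade-off to weigh against rate-limiting a short PIN instead.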
