On 4/23/09 2:46 PM, Mike Malone wrote:
> There's still a timing attack for the manual case because the attacker
> could sit on the callback page for the consumer and repeatedly submit
> the request token key, possibly beating the victim there after the token
> has been authorized. The solution is to have the user enter two numbers
> in the manual case: the request token key, and the callback nonce (which
> could be a short PIN, as Eran suggested).
How about just making the request token a one-shot token which becomes invalid after an access token upgrade request, whether it succeeds or not? This doesn't eliminate the race, but it makes it a LOT harder to brute force, as it does NOT allow an attacker to hammer the callback URL: the first request to the callback URL, if it comes in before the request token is authorized, will invalidate it. Sure, this results in a poor UX for the legitimate user who's being attacked, but this is sure better than leaving the window of opportunity so large.

-- 
Dossy Shiobara | [email protected] | http://dossy.org/
Panoptic Computer Network | http://panoptic.com/
"He realized the fastest way to change is to laugh at your own folly -- then you can let go and quickly move on." (p. 70)

You received this message because you are subscribed to the Google Groups "OAuth" group.
To post to this group, send email to [email protected]
To unsubscribe from this group, send email to [email protected]
For more options, visit this group at http://groups.google.com/group/oauth?hl=en
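The race Mike describes and the one-shot mitigation Dossy proposes can be modelled with a small in-memory provider. The following is an added example written for this page; it is not code from either poster or from any OAuth implementation, and every name in it (`Provider`, `upgrade`, `run_race`, the `one_shot` flag) is illustrative. It compares a "reusable" request token, which survives failed upgrade attempts, against a "one-shot" token that is spent by the first upgrade attempt whether or not it succeeds, and it shows both the benefit (an attacker polling before authorization burns the token) and the two costs the message acknowledges (the legitimate consumer also fails, and an attacker who only starts polling after authorization can still win the race).

```python
"""Toy model of the OAuth 1.0 request-token race and the one-shot mitigation.

Added example (not code from the thread or from any OAuth library). All
names are hypothetical. Two provider policies for the request-token ->
access-token upgrade are modelled:

  * reusable: the request token is only consumed by a successful upgrade,
    so an attacker who knows the key can keep retrying until the victim
    has authorized it.
  * one-shot: the first upgrade attempt, successful or not, spends the
    request token.
"""
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional, Set


@dataclass
class RequestToken:
    key: str
    secret: str
    authorized: bool = False   # set when the resource owner approves it
    spent: bool = False        # set when the token can no longer be upgraded


@dataclass
class Provider:
    one_shot: bool
    tokens: Dict[str, RequestToken] = field(default_factory=dict)
    access_tokens: Set[str] = field(default_factory=set)

    def issue_request_token(self) -> RequestToken:
        tok = RequestToken(key=secrets.token_hex(8), secret=secrets.token_hex(16))
        self.tokens[tok.key] = tok
        return tok

    def authorize(self, key: str) -> None:
        # The resource owner approves the request token at the authorize URL.
        self.tokens[key].authorized = True

    def upgrade(self, key: str) -> Optional[str]:
        """Exchange a request token for an access token.

        Returns an access token on success, None on failure. Under the
        one-shot policy any attempt, even a failed one, spends the token.
        """
        tok = self.tokens.get(key)
        if tok is None or tok.spent:
            return None
        if self.one_shot:
            tok.spent = True
        if not tok.authorized:
            return None
        tok.spent = True  # a successful upgrade always consumes the token
        access = secrets.token_hex(16)
        self.access_tokens.add(access)
        return access


def run_honest(one_shot: bool) -> bool:
    """No attacker: the consumer upgrades once after authorization."""
    provider = Provider(one_shot=one_shot)
    tok = provider.issue_request_token()
    provider.authorize(tok.key)
    return provider.upgrade(tok.key) is not None


def run_race(one_shot: bool, attacker_polls_before_auth: int = 3) -> Dict[str, bool]:
    """Simulate the session-fixation race.

    The attacker started the flow, so it knows the request token key. It
    polls the upgrade endpoint `attacker_polls_before_auth` times before the
    victim authorizes, then once more right after, beating the legitimate
    consumer to the endpoint.
    """
    provider = Provider(one_shot=one_shot)
    tok = provider.issue_request_token()
    before = [provider.upgrade(tok.key) for _ in range(attacker_polls_before_auth)]
    provider.authorize(tok.key)            # victim approves the fixated token
    after = provider.upgrade(tok.key)      # attacker's post-authorization hit
    victim = provider.upgrade(tok.key)     # legitimate consumer arrives last
    return {
        "attacker_got_access": any(r is not None for r in before) or after is not None,
        "victim_got_access": victim is not None,
    }


if __name__ == "__main__":
    print("reusable, attacker polls early:", run_race(one_shot=False))
    print("one-shot, attacker polls early:", run_race(one_shot=True))
    print("one-shot, attacker waits:      ", run_race(one_shot=True, attacker_polls_before_auth=0))
```

With the reusable policy the attacker's early polls are harmless failures and its post-authorization hit wins. With one-shot, the first early poll burns the token, so neither the attacker nor the victim's consumer gets an access token; the attacker only wins if it sends nothing until after authorization, which is the residual race the message says remains.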
