On 4/23/09 6:00 PM, Zachary Voase wrote:
> * If the consumer is a desktop app, then a few things might
> happen. MU could start brute forcing the access token, which would
> lead to one of a couple things:
If the consumer is a desktop app, then the attacker has access to the token secret through application memory inspection. Consider:

1) Alice (the attacker) and Bob (the victim) both use desktop application Consumer. Alice uses Consumer to request a request token and secret from Provider.
2) Alice tricks Bob into authorizing the request token as Bob.
3) Alice takes the authorized request token and secret and upgrades it to an access token.
4) Alice now holds an authorized access token and secret that has access to Bob's account.

This is a very real threat vector. Let's fix it.

-- 
Dossy Shiobara | [email protected] | http://dossy.org/
Panoptic Computer Network | http://panoptic.com/
"He realized the fastest way to change is to laugh at your own folly -- then you can let go and quickly move on." (p. 70)
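The four steps above, run end to end against a toy provider, as an added example that is not code from the OAuth list, from Dossy, or from any real provider. The Provider class, the consumer key/secret, the user names and the simplified HMAC-SHA1 base string are all assumptions for illustration. The `require_verifier` switch is likewise an assumed hardening (a one-time value the provider hands only to the authorizing browser, which the consumer must present when upgrading the token) included so the two outcomes can be compared; it is not something the post proposes.

```python
"""Simulation of the desktop-app request-token attack described in the thread.
Added example; Provider, CONSUMER_* values, user names and the verifier
variant are assumptions, not code from the OAuth list or a real provider."""
import hashlib
import hmac
import secrets

CONSUMER_KEY = "desktop-app"          # assumed: shipped inside the app binary
CONSUMER_SECRET = "s3cret-in-binary"  # assumed: recoverable by memory inspection


def sign(consumer_secret, token_secret, base_string):
    """HMAC-SHA1 keyed OAuth-1.0 style with consumer_secret&token_secret.
    The base string is simplified to a fixed label for this simulation."""
    key = f"{consumer_secret}&{token_secret}".encode()
    return hmac.new(key, base_string.encode(), hashlib.sha1).hexdigest()


class Provider:
    """Toy service provider (assumption).  With require_verifier=False it
    follows the OAuth 1.0 flow under discussion; with True it also gives the
    authorizing browser a one-time verifier required at token upgrade."""

    def __init__(self, require_verifier=False):
        self.require_verifier = require_verifier
        self.request_tokens = {}   # request token -> record
        self.access_tokens = {}    # access token -> record

    def request_token(self, consumer_key, signature):
        if signature != sign(CONSUMER_SECRET, "", "request_token"):
            raise PermissionError("bad consumer signature")
        token, secret = secrets.token_hex(8), secrets.token_hex(16)
        self.request_tokens[token] = {"secret": secret, "consumer": consumer_key,
                                      "user": None, "verifier": None}
        return token, secret

    def authorize(self, token, user):
        """The resource owner's browser approves the token.  Returns the
        verifier (to that browser only) when hardening is enabled, else None."""
        rec = self.request_tokens[token]
        rec["user"] = user
        if self.require_verifier:
            rec["verifier"] = secrets.token_hex(8)
        return rec["verifier"]

    def access_token(self, token, signature, verifier=None):
        rec = self.request_tokens.get(token)
        if rec is None or rec["user"] is None:
            raise PermissionError("request token not authorized")
        # The caller proves it holds the request-token secret via the signature.
        if signature != sign(CONSUMER_SECRET, rec["secret"], "access_token"):
            raise PermissionError("bad token signature")
        if self.require_verifier and verifier != rec["verifier"]:
            raise PermissionError("missing or wrong verifier")
        del self.request_tokens[token]
        atok, asec = secrets.token_hex(8), secrets.token_hex(16)
        self.access_tokens[atok] = {"secret": asec, "user": rec["user"]}
        return atok, asec

    def whoami(self, access_token):
        return self.access_tokens[access_token]["user"]


def alice_attacks(provider):
    """Steps 1-4 from the post.  Returns the user the access token Alice ends
    up with belongs to, or None if the provider refused the upgrade."""
    # 1) Alice, running the desktop Consumer, obtains a request token + secret.
    rtok, rsec = provider.request_token(
        CONSUMER_KEY, sign(CONSUMER_SECRET, "", "request_token"))
    # 2) Alice sends Bob the authorize link; Bob approves it in his browser.
    #    Anything the provider returns here (e.g. a verifier) reaches Bob, not Alice.
    _seen_only_by_bob = provider.authorize(rtok, user="bob")
    # 3) Alice, who holds the token secret, upgrades the token herself.
    try:
        atok, _ = provider.access_token(
            rtok, sign(CONSUMER_SECRET, rsec, "access_token"))
    except PermissionError:
        return None
    # 4) The resulting access token acts as Bob.
    return provider.whoami(atok)


def bob_legitimate_flow(provider):
    """Bob uses the same app himself; the verifier (if any) arrives through
    his own browser, so his upgrade succeeds either way."""
    rtok, rsec = provider.request_token(
        CONSUMER_KEY, sign(CONSUMER_SECRET, "", "request_token"))
    verifier = provider.authorize(rtok, user="bob")
    atok, _ = provider.access_token(
        rtok, sign(CONSUMER_SECRET, rsec, "access_token"), verifier)
    return provider.whoami(atok)


if __name__ == "__main__":
    print("OAuth 1.0 provider: Alice's access token acts as", alice_attacks(Provider()))
    print("verifier provider:  Alice's upgrade result is", alice_attacks(Provider(require_verifier=True)))
    print("verifier provider:  Bob's own flow acts as", bob_legitimate_flow(Provider(require_verifier=True)))
```

The point the simulation makes is that the request-token secret proves nothing about who authorized the token: it was issued to whoever asked (Alice) before Bob ever saw the authorize page, so the signature check in `access_token` passes for her. Only a value that is created at authorization time and delivered to the authorizing user, not to the token holder, distinguishes the two callers.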
