I think accessing the consumer secret via memory inspection is a very general problem that goes far beyond just OAuth; it's usually up to the desktop application developers to make sure they keep the key secure in memory. An application such as iTunes (which keeps DRM decryption keys in memory) is also subject to similar issues, but I don't think anyone's yet made a viable attack against that. With any protocol, be it FTP, HTTP or even TCP, there's a certain amount of trust placed in the developers of both the client applications and server applications. This applies to OAuth as much as it does to anything else.
On Apr 24, 12:54 am, Dossy Shiobara <[email protected]> wrote:
> On 4/23/09 6:00 PM, Zachary Voase wrote:
> > * If the consumer is a desktop app, then a few things might happen. MU could start brute forcing the access token, which would lead to one of a couple things:
>
> If the consumer is a desktop app, then the attacker has access to the token secret through application memory inspection. Consider:
>
> 1) Alice (the attacker) and Bob (the victim) both use desktop application Consumer. Alice uses Consumer to request a request token and secret from Provider.
>
> 2) Alice tricks Bob into authorizing the request token as Bob.
>
> 3) Alice takes the authorized request token and secret and upgrades it to an access token.
>
> 4) Alice now holds an authorized access token and secret that has access to Bob's account.
>
> This is a very real threat vector. Let's fix it.
>
> --
> Dossy Shiobara | [email protected] | http://dossy.org/
> Panoptic Computer Network | http://panoptic.com/
> "He realized the fastest way to change is to laugh at your own folly -- then you can let go and quickly move on." (p. 70)
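The four steps quoted above, replayed against a toy provider as an added illustration (constructed for this page, not code from either poster or from any OAuth library). The `Provider` class, its method names and the `require_verifier` switch are hypothetical; the switch models a per-authorization verifier handed only to the user who approved the token, which is the mechanism OAuth 1.0a later adopted, so a second consumer instance that merely holds the request token and its secret cannot complete the upgrade.

```python
import secrets

# Constructed simulation of the request-token flow; all names are hypothetical.
class Provider:
    def __init__(self, require_verifier):
        self.require_verifier = require_verifier
        self.request_tokens = {}   # token -> {"authorized_by": user, "verifier": str|None}
        self.access_tokens = {}    # access token -> resource owner it grants access to

    def issue_request_token(self):
        """Step 1: any consumer instance can obtain an unauthorized request token."""
        token = secrets.token_hex(8)
        self.request_tokens[token] = {"authorized_by": None, "verifier": None}
        return token

    def authorize(self, token, resource_owner):
        """Step 2: the resource owner approves the token in their browser.
        When a verifier is required, it is returned only to that browser."""
        entry = self.request_tokens[token]
        entry["authorized_by"] = resource_owner
        entry["verifier"] = secrets.token_hex(8) if self.require_verifier else None
        return entry["verifier"]

    def exchange(self, token, verifier=None):
        """Step 3: a consumer instance upgrades an authorized request token.
        The token is single-use; without the matching verifier the upgrade fails."""
        entry = self.request_tokens.pop(token, None)
        if entry is None or entry["authorized_by"] is None:
            return None
        if self.require_verifier and verifier != entry["verifier"]:
            return None
        access = secrets.token_hex(8)
        self.access_tokens[access] = entry["authorized_by"]
        return access

def fixation_attempt(require_verifier):
    """Alice's instance starts the flow, Bob authorizes it; returns whose account Alice reaches."""
    p = Provider(require_verifier)
    rt = p.issue_request_token()        # step 1, Alice's Consumer instance
    p.authorize(rt, "bob")              # step 2, verifier (if any) goes to Bob's browser only
    at = p.exchange(rt, verifier=None)  # step 3, Alice holds the token and secret but no verifier
    return p.access_tokens.get(at)      # step 4, None when the upgrade was refused

def legitimate_flow():
    """Bob's own instance started the flow, so Bob brings the verifier back to it."""
    p = Provider(require_verifier=True)
    rt = p.issue_request_token()
    v = p.authorize(rt, "bob")
    return p.access_tokens.get(p.exchange(rt, verifier=v))
```

Without the verifier, `fixation_attempt(False)` yields Bob's account to Alice exactly as the quoted steps describe; with it, the same steps yield nothing while `legitimate_flow()` still succeeds.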
