It's not that the malicious software is scanning for access tokens, but that the attacker gets the consumer secret for the desktop application; this would allow the attacker to exchange request tokens for access tokens, etc. (as the attacker has essentially compromised the consumer, not the individual users).
On Apr 24, 2:46 am, Brian Eaton <[email protected]> wrote:
> On Thu, Apr 23, 2009 at 5:35 PM, Dossy Shiobara <[email protected]> wrote:
>
> > On 4/23/09 8:30 PM, Brian Eaton wrote:
> >> Malicious software on the user's computer does not need to steal
> >> access tokens. It steals passwords, bank account numbers, and
> >> confidential documents.
>
> > Sure. But, this attack can happen when the victim is NOT running
> > malicious software! That's why this is a serious threat.
>
> OK, you lost me. Can you summarize the attack again, this time
> leaving out the bit where malicious software is running on the
> computer and scanning memory for access tokens?

You received this message because you are subscribed to the Google Groups "OAuth" group.
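The point of the reply above, seen from the service provider's side, as an added example that is not part of the original thread. It assumes the OAuth 1.0 HMAC-SHA1 signature method; the endpoint URL, keys, tokens and secrets are constructed placeholders.

```python
import base64, hashlib, hmac
from urllib.parse import quote

def pct(value):
    # OAuth 1.0 percent-encoding: only unreserved characters stay literal.
    return quote(str(value), safe="-._~")

def sign(method, url, params, consumer_secret, token_secret=""):
    # Signature base string: METHOD & encoded URL & encoded sorted parameters.
    pairs = sorted((pct(k), pct(v)) for k, v in params.items())
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    base = "&".join([method.upper(), pct(url), pct(normalized)])
    # The HMAC key is consumer secret + "&" + token secret, nothing else.
    key = f"{pct(consumer_secret)}&{pct(token_secret)}"
    digest = hmac.new(key.encode(), base.encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()

def provider_accepts(method, url, params, signature, consumer_secret, token_secret=""):
    # Provider-side check: recompute with stored secrets, compare in constant time.
    expected = sign(method, url, params, consumer_secret, token_secret)
    return hmac.compare_digest(expected, signature)

# Constructed sample values (assumptions, not taken from the thread).
URL = "https://provider.example/oauth/access_token"
CONSUMER_KEY, CONSUMER_SECRET = "desktop-app-key", "secret-shipped-in-binary"

def access_token_request(request_token, nonce):
    return {"oauth_consumer_key": CONSUMER_KEY, "oauth_token": request_token,
            "oauth_signature_method": "HMAC-SHA1", "oauth_timestamp": "1240540000",
            "oauth_nonce": nonce, "oauth_version": "1.0"}

def demo():
    # 1. The genuine desktop application signs its request.
    genuine = access_token_request("reqtok-A", "nonce-1")
    sig_genuine = sign("POST", URL, genuine, CONSUMER_SECRET, "reqsecret-A")
    # 2. A different program holding the same consumer secret signs its own.
    other = access_token_request("reqtok-B", "nonce-2")
    sig_other = sign("POST", URL, other, CONSUMER_SECRET, "reqsecret-B")
    # 3. A program without the consumer secret cannot produce a valid signature.
    sig_wrong = sign("POST", URL, other, "not-the-secret", "reqsecret-B")
    return (provider_accepts("POST", URL, genuine, sig_genuine, CONSUMER_SECRET, "reqsecret-A"),
            provider_accepts("POST", URL, other, sig_other, CONSUMER_SECRET, "reqsecret-B"),
            provider_accepts("POST", URL, other, sig_wrong, CONSUMER_SECRET, "reqsecret-B"))

if __name__ == "__main__":
    print(demo())
```

The provider's check passes for both programs because the consumer secret is the only input that identifies the consumer, so a secret shipped inside a distributed desktop binary cannot tell the provider which program is calling.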
