On 4/23/09 8:46 PM, Brian Eaton wrote:
> OK, you lost me. Can you summarize the attack again, this time
> leaving out the bit where malicious software is running on the
> computer and scanning memory for access tokens?
Alice (attacker) and Bob (victim). Both Alice and Bob run Consumer (application). This is legitimate, trustworthy software. It uses OAuth to access Provider (service).

Alice runs Consumer with memory inspection software to recover the consumer key and secret. Alice then elicits Consumer to request a Request Token and Request Secret from Provider, and uses the memory inspection software to recover these.

Alice then somehow convinces Bob to click on a link to Provider that authorizes the Request Token that Alice is holding. Bob unwittingly authorizes the token.

Alice is now holding all the tokens and secrets necessary to upgrade the Request Token to an Access Token that is authorized with Bob's account. Game over.

Please, I can't make this ANY clearer than this. If you don't understand this explanation, please ask clarifying questions that hopefully someone else can take a stab at answering, because I'm all out of ideas here. I have pretty much supplied above all the necessary details to implement a working exploit against current OAuth 1.0 implementations, leaving nothing out in hopes that everyone can understand the threat.

I'm so sorry ...

-- 
Dossy Shiobara | [email protected] | http://dossy.org/
Panoptic Computer Network | http://panoptic.com/
  "He realized the fastest way to change is to laugh at your own
    folly -- then you can let go and quickly move on." (p. 70)
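The attack as laid out in the message above, played against a toy provider. This is an added example, not code from the thread or from any OAuth library: `Provider` and `run_attack` are assumed names, and the model collapses request signing into possession of the consumer and token secrets, which is exactly what the memory inspection step yields. The `require_verifier` branch models the `oauth_verifier` check that the later OAuth 1.0a revision added as the fix for this attack; the message does not mention it, and it is included here as a known fact about the revised spec.

```python
"""Model of the OAuth 1.0 request-token fixation attack described above.

Added example, not code from the thread. Provider is a toy in-memory
service (assumed API). Request signing is modeled as direct possession of
the consumer and token secrets, since the attacker recovered those from
the Consumer's memory.
"""
import hmac
import secrets


class Provider:
    """Toy OAuth 1.0 service provider with the three token endpoints."""

    def __init__(self, consumers, require_verifier=False):
        self.consumers = dict(consumers)          # consumer_key -> consumer_secret
        self.require_verifier = require_verifier  # False: plain 1.0; True: 1.0a-style oauth_verifier check
        self.request_tokens = {}                  # request token -> state
        self.access_tokens = {}                   # access token -> account it is bound to

    def _check_consumer(self, key, secret):
        known = self.consumers.get(key)
        if known is None or not hmac.compare_digest(known, secret):
            raise PermissionError("unknown consumer or bad consumer secret")

    def issue_request_token(self, consumer_key, consumer_secret):
        """Step 1: Consumer obtains an unauthorized Request Token and secret."""
        self._check_consumer(consumer_key, consumer_secret)
        token, token_secret = secrets.token_hex(8), secrets.token_hex(16)
        self.request_tokens[token] = {
            "secret": token_secret, "consumer": consumer_key,
            "user": None, "verifier": None,
        }
        return token, token_secret

    def authorize(self, token, user):
        """Step 2: the logged-in user follows an authorize link for `token`.

        Returns the oauth_verifier (only when require_verifier is set). The
        Provider hands it to the browser that clicked the link, so only that
        user's side of the flow learns it.
        """
        state = self.request_tokens[token]
        state["user"] = user
        if self.require_verifier:
            state["verifier"] = secrets.token_hex(8)
        return state["verifier"]

    def exchange(self, consumer_key, consumer_secret, token, token_secret, verifier=None):
        """Step 3: Consumer upgrades an authorized Request Token to an Access Token."""
        self._check_consumer(consumer_key, consumer_secret)
        state = self.request_tokens.get(token)
        if state is None or state["consumer"] != consumer_key or state["user"] is None:
            raise PermissionError("token unknown, wrong consumer, or not yet authorized")
        if not hmac.compare_digest(state["secret"], token_secret):
            raise PermissionError("bad token secret")
        if self.require_verifier and (
            verifier is None or not hmac.compare_digest(state["verifier"], verifier)
        ):
            raise PermissionError("missing or wrong oauth_verifier")
        del self.request_tokens[token]            # request tokens are single-use
        access = secrets.token_hex(8)
        self.access_tokens[access] = state["user"]
        return access


def run_attack(require_verifier=False):
    """Play the attack from the message. Returns the account Alice ends up
    holding an Access Token for, or None if the Provider refused the exchange."""
    consumer_key, consumer_secret = "consumer-app", secrets.token_hex(16)  # constructed credentials
    provider = Provider({consumer_key: consumer_secret}, require_verifier)

    # Alice drives the legitimate Consumer and reads the consumer key/secret and
    # the fresh Request Token/secret out of its memory.
    req_token, req_secret = provider.issue_request_token(consumer_key, consumer_secret)

    # Alice gets Bob to click the authorize link for *her* request token. Whatever
    # the Provider returns here (the verifier, if any) goes to Bob, not to Alice.
    provider.authorize(req_token, "bob")

    # Alice now attempts the upgrade with everything she scraped from memory.
    try:
        access = provider.exchange(consumer_key, consumer_secret, req_token, req_secret)
    except PermissionError:
        return None
    return provider.access_tokens[access]


if __name__ == "__main__":
    print("OAuth 1.0, no verifier:    Alice holds a token for", run_attack(False))
    print("with oauth_verifier check: Alice gets", run_attack(True))
```

Run stand-alone, the first line reports that the Access Token Alice obtains is bound to Bob's account; the second reports `None`, because the upgrade now needs a value that was delivered to Bob's side of the flow and never passed through the Consumer memory Alice can inspect. The check only helps for that reason: a verifier that the attacker can also read (for instance one sent to a callback the attacker controls) restores the original attack.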
