I thought this had been obvious to everyone from day 1 - there's no point in using a consumer secret at all in a desktop app. We certainly discussed this scenario before the first version of the protocol shipped.
On Thu, Apr 23, 2009 at 5:57 PM, Dossy Shiobara <[email protected]> wrote:
>
> On 4/23/09 8:46 PM, Brian Eaton wrote:
> > OK, you lost me. Can you summarize the attack again, this time leaving out the bit where malicious software is running on the computer and scanning memory for access tokens?
>
> Alice (attacker) and Bob (victim).
>
> Both Alice and Bob run Consumer (application). This is legitimate, trustworthy software. It uses OAuth to access Provider (service).
>
> Alice runs Consumer with memory inspection software to recover the consumer key and secret. Alice then elicits Consumer to request a Request Token and Request Secret from Provider, and uses the memory inspection software to recover these.
>
> Alice then somehow convinces Bob to click on a link to Provider that authorizes the Request Token that Alice is holding. Bob unwittingly authorizes the token.
>
> Alice is now holding all the tokens and secrets necessary to upgrade the Request Token to an Access Token that is authorized with Bob's account.
>
> Game over.
>
> Please, I can't make this ANY clearer than this. If you don't understand this explanation, please ask clarifying questions that hopefully someone else can take a stab at answering because I'm all out of ideas here. I have pretty much supplied above all the necessary details to implement a working exploit against current OAuth 1.0 implementations, leaving nothing out in hopes that everyone can understand the threat. I'm so sorry ...
>
> --
> Dossy Shiobara | [email protected] | http://dossy.org/
> Panoptic Computer Network | http://panoptic.com/
> "He realized the fastest way to change is to laugh at your own folly -- then you can let go and quickly move on." (p. 70)
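The flow Dossy describes, reduced to a model that shows why the Provider cannot tell Alice's copy of Consumer from Bob's (both present the same consumer key, which is Brian's point about consumer secrets in desktop apps), and the per-authorization verifier that binds the token exchange to the authorizing user's own client (the mechanism OAuth 1.0a later adopted). This is an added example written for this page, not code from the thread or from any OAuth implementation; the `Provider` class, token formats and user names are constructed.

```python
import hmac
import secrets


class Provider:
    """Constructed model of an OAuth 1.0 service provider's request-token handling."""

    def __init__(self, require_verifier):
        # require_verifier=False models OAuth 1.0 as discussed in the thread;
        # True models binding the exchange to a secret only the authorizer's client sees.
        self.require_verifier = require_verifier
        self.request_tokens = {}  # token -> {"consumer", "authorized_by", "verifier"}

    def issue_request_token(self, consumer_key):
        # Any copy of Consumer can call this: the consumer key is shared by all installs.
        token = secrets.token_hex(8)
        self.request_tokens[token] = {"consumer": consumer_key, "authorized_by": None, "verifier": None}
        return token

    def authorize(self, token, user):
        """The user approves the token in a browser. The verifier is handed back only
        through that user's browser, so it reaches only that user's copy of Consumer."""
        rec = self.request_tokens[token]
        rec["authorized_by"] = user
        rec["verifier"] = secrets.token_hex(8)
        return rec["verifier"]

    def exchange(self, consumer_key, token, verifier=None):
        """Upgrade an authorized request token to an access token for the authorizing user."""
        rec = self.request_tokens.get(token)
        if rec is None or rec["consumer"] != consumer_key or rec["authorized_by"] is None:
            return None
        if self.require_verifier and not (verifier and hmac.compare_digest(verifier, rec["verifier"])):
            return None  # holder of the request token cannot prove it was the one authorized
        return ("access-token-for", rec["authorized_by"])


def fixation_scenario(require_verifier):
    """Alice obtains a request token, Bob is tricked into authorizing it, both try to exchange it."""
    provider = Provider(require_verifier)
    token = provider.issue_request_token("consumer-key")  # requested by Alice's copy of Consumer
    bob_verifier = provider.authorize(token, "bob")       # Bob follows Alice's link and approves
    # Alice never receives bob_verifier; it went to Bob's browser and Bob's copy of Consumer.
    alice_result = provider.exchange("consumer-key", token, verifier=None)
    bob_result = provider.exchange("consumer-key", token, verifier=bob_verifier)
    return alice_result, bob_result
```

With `require_verifier=False` the first element of the result is Bob's access token in Alice's hands; with `require_verifier=True` Alice's exchange is refused while Bob's own client still completes normally.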
