On Apr 24, 12:14 am, Josh Fraser <[email protected]> wrote:
> Manish,
>
> The callback matters when you combine it with the use of single use
> tokens. If an attacker can change the callback he can prevent the
> honest application from asking for the token upgrade first and locking
> him out. The callback gives the attacker a way to know the precise
> moment that the authentication has been granted and the token exchange
> can be made.
>
> Make sense?
>
> Josh
>
Thanks for explaining - that helps. So without callback tampering, it
is more or less a race condition between the victim and the attacker.
-cheers,
Manish
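As an added illustration (not code from the thread or from any OAuth library), here is a small model of a provider that issues single-use request tokens: only the first exchange after authorization yields an access token, and the callback is bound when the request token is issued (the OAuth 1.0a approach) rather than accepted at authorize time, so a callback supplied later that differs is rejected. Class and function names are hypothetical.

```python
"""Toy model of an OAuth 1.0-style provider with single-use request tokens.

Added example, not from the mailing-list thread; names are hypothetical.
"""
import secrets


class Provider:
    def __init__(self):
        # request_token -> {"consumer", "callback", "authorized", "used"}
        self.tokens = {}

    def issue_request_token(self, consumer, callback):
        # Bind the callback at issuance (OAuth 1.0a style) so a later
        # party cannot choose where the user is redirected after approval.
        token = secrets.token_hex(8)
        self.tokens[token] = {"consumer": consumer, "callback": callback,
                              "authorized": False, "used": False}
        return token

    def authorize(self, token, callback=None):
        """User approves the token; returns the callback to redirect to.

        A callback supplied now (the pre-1.0a pattern) is only accepted if
        it matches the one bound at issuance; anything else is rejected.
        """
        st = self.tokens[token]
        if callback is not None and callback != st["callback"]:
            raise ValueError("callback does not match the one bound at issuance")
        st["authorized"] = True
        return st["callback"]

    def exchange(self, token, consumer):
        """Single-use upgrade: first exchange after authorization wins."""
        st = self.tokens[token]
        if st["consumer"] != consumer or not st["authorized"] or st["used"]:
            return None
        st["used"] = True
        return "access-" + secrets.token_hex(8)


def demo_single_use():
    p = Provider()
    t = p.issue_request_token("app", "https://app.example/cb")
    assert p.exchange(t, "app") is None          # not yet authorized
    p.authorize(t)
    first, second = p.exchange(t, "app"), p.exchange(t, "app")
    return first is not None and second is None  # second exchange loses


def demo_callback_bound():
    p = Provider()
    t = p.issue_request_token("app", "https://app.example/cb")
    try:
        p.authorize(t, callback="https://other.example/cb")
    except ValueError:
        return True                               # mismatched callback refused
    return False
```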
You received this message because you are subscribed to the Google Groups
"OAuth" group.