On Fri, Apr 24, 2009 at 9:03 AM, Manish Pandit <[email protected]> wrote:
> I agree that it will handle the callback tampering by the attackers.
> But won't this still leave out non-webapp consumers? But then again the
> OAuth model for non-webapp consumers has bigger fish to fry with the
> shared secret sitting on every device in cleartext.

Although it would reduce the risk a bit, it would not resolve the
vulnerability even for web consumers, as the attacker might simply
repeatedly try to exchange the request for an access token. Single-use
access token request URLs (as in Leah's proposal) would reduce the
feasibility of the attack even more.

Luca

--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups 
"OAuth" group.
To post to this group, send email to [email protected]
To unsubscribe from this group, send email to [email protected]
For more options, visit this group at http://groups.google.com/group/oauth?hl=en
-~----------~----~----~----~------~----~------~--~---
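To make the single-use exchange Luca refers to concrete, here is an added Python illustration of a provider-side token store; it is not code from this thread, from Leah's proposal, or from any OAuth library. A request token can be exchanged for an access token exactly once, only after the user has authorized it, and only by the consumer it was issued to; repeated premature attempts discard the token. The class name `TokenStore`, the method names, and the limits `TTL_SECONDS` and `MAX_FAILED` are assumptions of this example.

```python
import secrets
import time
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple


@dataclass
class RequestToken:
    # Hypothetical provider-side record for one request token.
    secret: str
    consumer_key: str
    issued_at: float = field(default_factory=time.time)
    authorized: bool = False
    failed_exchanges: int = 0


class TokenStore:
    """Provider-side store in which a request token can be exchanged once."""

    TTL_SECONDS = 600   # assumed: unexchanged request tokens expire after ten minutes
    MAX_FAILED = 3      # assumed: premature or mismatched attempts before discard

    def __init__(self) -> None:
        self._request: Dict[str, RequestToken] = {}
        self._access: Dict[str, str] = {}   # access token -> consumer key

    def issue_request_token(self, consumer_key: str) -> Tuple[str, str]:
        token = secrets.token_urlsafe(16)
        secret = secrets.token_urlsafe(24)
        self._request[token] = RequestToken(secret=secret, consumer_key=consumer_key)
        return token, secret

    def authorize(self, token: str) -> bool:
        """Mark the token as approved by the user; False if it no longer exists."""
        rt = self._request.get(token)
        if rt is None or self._expired(rt):
            self._request.pop(token, None)
            return False
        rt.authorized = True
        return True

    def exchange(self, consumer_key: str, token: str) -> Optional[str]:
        """Return an access token, or None. Succeeds at most once per request token."""
        rt = self._request.get(token)
        if rt is None:
            return None
        if self._expired(rt):
            del self._request[token]
            return None
        if not rt.authorized or rt.consumer_key != consumer_key:
            # Exchange before authorization, or by the wrong consumer:
            # count it, and discard the token after repeated attempts.
            rt.failed_exchanges += 1
            if rt.failed_exchanges >= self.MAX_FAILED:
                del self._request[token]
            return None
        # Single use: the request token is removed as soon as it is exchanged,
        # so a second exchange attempt, by anyone, finds nothing.
        del self._request[token]
        access = secrets.token_urlsafe(16)
        self._access[access] = consumer_key
        return access

    def consumer_for(self, access_token: str) -> Optional[str]:
        return self._access.get(access_token)

    def _expired(self, rt: RequestToken) -> bool:
        return time.time() - rt.issued_at > self.TTL_SECONDS


if __name__ == "__main__":
    store = TokenStore()
    tok, _ = store.issue_request_token("consumer-a")
    print("exchange before authorization:", store.exchange("consumer-a", tok))
    store.authorize(tok)
    print("first exchange:", store.exchange("consumer-a", tok) is not None)
    print("second exchange:", store.exchange("consumer-a", tok))
```

Discarding a token after `MAX_FAILED` premature attempts also burns a legitimate consumer's token if it retries too early, so a real provider would tune that limit and log the discards, since a burst of failed exchanges against one request token is itself a useful signal.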