Manish, I may be leading you astray regarding the importance of the callback. Forgive me as I struggle to wrap my head around all of this.
Don't requests for access tokens need to be signed with the consumer secret? This means that an attacker needs the victim to return to the consumer site to complete the handshake because the attacker doesn't have the secret to make that request himself. Right?

On Apr 24, 1:25 am, Manish Pandit <[email protected]> wrote:
> On Apr 24, 12:14 am, Josh Fraser <[email protected]> wrote:
> > Manish,
> >
> > The callback matters when you combine it with the use of single use
> > tokens. If an attacker can change the callback he can prevent the
> > honest application from asking for the token upgrade first and locking
> > him out. The callback gives the attacker a way to know the precise
> > moment that the authentication has been granted and the token exchange
> > can be made.
> >
> > Make sense?
> >
> > Josh
>
> Thanks for explaining - that helps. So without callback tampering, it
> is more or less a race condition between the victim and the attacker.
>
> -cheers,
> Manish
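The two properties the thread hinges on, that the access-token request is signed with the consumer secret and that a request token is single use, modelled from the provider's side as an added Python example (not code from the thread or from any OAuth library); the `Provider` class, the endpoint URL and the consumer key/secret are constructed sample values.

```python
import base64, hashlib, hmac, secrets
from urllib.parse import quote

# Constructed sample consumer registration; a real provider stores these.
CONSUMERS = {"consumer-key": "consumer-secret"}
ACCESS_URL = "https://provider.example/oauth/access_token"  # hypothetical endpoint

def pct(value):
    # OAuth 1.0 uses RFC 3986 percent-encoding; only unreserved characters stay bare.
    return quote(str(value), safe="-._~")

def base_string(method, url, params):
    # Signature base string: METHOD & encoded URL & encoded, sorted parameter string.
    normalized = "&".join(f"{pct(k)}={pct(v)}" for k, v in sorted(params.items()))
    return "&".join([method.upper(), pct(url), pct(normalized)])

def sign(method, url, params, consumer_secret, token_secret=""):
    # HMAC-SHA1 keyed with "consumer_secret&token_secret": only the consumer can produce it.
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    mac = hmac.new(key, base_string(method, url, params).encode(), hashlib.sha1)
    return base64.b64encode(mac.digest()).decode()

class Provider:
    """Minimal service provider that issues, authorizes and upgrades request tokens."""

    def __init__(self):
        self.request_tokens = {}  # token -> {"secret", "consumer", "authorized"}

    def issue_request_token(self, consumer_key):
        token, secret = secrets.token_hex(8), secrets.token_hex(8)
        self.request_tokens[token] = {"secret": secret, "consumer": consumer_key, "authorized": False}
        return token, secret

    def user_authorizes(self, token):
        self.request_tokens[token]["authorized"] = True

    def exchange(self, params):
        """Access-token request: returns an access token, or None if it must be refused."""
        params = dict(params)
        sent = params.pop("oauth_signature", None)
        record = self.request_tokens.get(params.get("oauth_token"))
        if record is None or not record["authorized"]:
            return None  # unknown, already used, or not yet authorized by the user
        if record["consumer"] != params.get("oauth_consumer_key"):
            return None  # token was issued to a different consumer
        expected = sign("POST", ACCESS_URL, params, CONSUMERS[record["consumer"]], record["secret"])
        if sent is None or not hmac.compare_digest(sent, expected):
            return None  # without the consumer secret the signature cannot match
        del self.request_tokens[params["oauth_token"]]  # single use: first exchange consumes it
        return "access-" + secrets.token_hex(8)
```

The checks in `exchange` are the reason the handshake can only be completed from the consumer side, and why, once the honest consumer has upgraded a token, the same request token cannot be upgraded again.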
