On 4/24/09 3:54 AM, Leah Culver wrote: > The attacker would need to call the access token endpoint with a request > token that is both authorized and has not been sent to the endpoint > before. Since the attacker has no way of knowing if their token is > authorized or not at any point in time*, it's up to luck and is a pretty > inefficient scam. > > * without a malicious callback
Let us observe that email spam is proof-positive that "inefficient" won't prevent "attacks" - as long as payout is non-zero and cost approaches zero, someone will do it if they are seeking the outcome. -- Dossy Shiobara | [email protected] | http://dossy.org/ Panoptic Computer Network | http://panoptic.com/ "He realized the fastest way to change is to laugh at your own folly -- then you can let go and quickly move on." (p. 70) --~--~---------~--~----~------------~-------~--~----~ You received this message because you are subscribed to the Google Groups "OAuth" group. To post to this group, send email to [email protected] To unsubscribe from this group, send email to [email protected] For more options, visit this group at http://groups.google.com/group/oauth?hl=en -~----------~----~----~----~------~----~------~--~---
