The reason callback nonces don't provide any protection is that the attacker can scrape that code off the consumers site. The attacker can wait for someone to click on a link before getting the authorization url (and any nonce) from the consumer app. This is also the reason that reducing the amount of time a request token is valid is ineffective.
Consider this scenario: A hacker sends around a tinyurl (for obscurity) that points to his own website. Whenever someone clicks on that link, the attacker scrapes the consumer app site to get an authorization url and the security challenge or nonce. The attacker then forwards the victim to the authorization page. After authentication, the victim is redirected to a custom callback where the attacker adds the security challenge and sends them back to the real endpoint where the security challenge checks out. You could use captchas, but those are dreadfully annoying and can still be broken.
