No, we haven't, and in fact we can't with the protocol as it stands today. Please go read Eran's blog post explaining the attack:
http://www.hueniverse.com/hueniverse/2009/04/explaining-the-oauth-session-fixation-attack.html#more On Fri, Apr 24, 2009 at 9:30 AM, Zachary Voase <[email protected]> wrote: > > But we've pretty much solved *that* issue with signed/pre-specified > callbacks and the once-only rule for exchanging request tokens. > > On Apr 24, 6:25 pm, Dossy Shiobara <[email protected]> wrote: >> On 4/24/09 12:18 PM, Zachary Voase wrote: >> >> > But I think people are missing the idea that the consumer can just use >> > sessions and cookies to ensure that the browser which asked for the >> > request token is the same as the one which is authenticating it. >> > There's no need whatsoever for callback tokens, etc. >> >> I think you're missing the fact that the attacker is the one using the >> consumer. The victim is just sent to SP to authorize the attacker's >> token with _the victim's_ identity, which then makes the attacker's >> session at the consumer access the victim's resources at the SP. >> >> -- >> Dossy Shiobara | [email protected] |http://dossy.org/ >> Panoptic Computer Network |http://panoptic.com/ >> "He realized the fastest way to change is to laugh at your own >> folly -- then you can let go and quickly move on." (p. 70) > > > --~--~---------~--~----~------------~-------~--~----~ You received this message because you are subscribed to the Google Groups "OAuth" group. To post to this group, send email to [email protected] To unsubscribe from this group, send email to [email protected] For more options, visit this group at http://groups.google.com/group/oauth?hl=en -~----------~----~----~----~------~----~------~--~---
