I should think twice before posting (I'm answering myself...)

On Mon, Apr 27, 2009 at 8:42 AM, Luca Mearelli <[email protected]> wrote:
> With the signed callback solution the only way an attacker could
> succeed is if it tried to bruteforce the verifier (repetitively
> calling the consumer callback with a different verifier).

Anyhow, since the attacker doesn't know when the request has been
authorized by the victim, the odds of this happening are so low that
it's not practically possible (the window of time is larger for those
cases where the callback is not used and manual intervention from the
user is required, e.g. if the consumer application can't read data off
the callback URL).

Luca
