Thanks for pointing this out. The token and secret should *never* be
tied, and should be generated using "secure random generators" (if
such things exist).

A question for the security folks here:

Is there a way to programmatically test for the relatedness of the
token and secret? Could we perform automated security audits of OAuth
libraries, looking for (anti-)patterns of implementation?

b.

2009/4/30 Solberg Andreas Åkre <[email protected]>:
>
> On 30. april 2009, at 10:10, Dossy Shiobara wrote:
>
> https://rnd.feide.no/content/vulnerable-token-creation-php-oauth-library
>
> Ouch!  Nice find.  w/ rainbow table of MD5, recovering the secret from
> the token is a matter of seconds, d'oh!  :-)
>
> Or if you do not have a rainbow table available, you could instead take a
> look at your wristwatch, or even better take the oauth_timestamp and
> calculate _both_ the key _and_ the secret :)
> >
>

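One way to attempt the automated check asked about above, as an added example that is not code from this thread or from any OAuth library: it audits a token/secret generator for the anti-patterns the quoted message describes (one value being a hash of the other, either value being a hash of the request timestamp, or values repeating across calls). The two generators at the bottom are constructed stand-ins, not real library code.

```python
import hashlib
import secrets
import time

HASHES = ("md5", "sha1", "sha256")

def hexdigests(value):
    """Hex digests of value under the hashes an auditor would try first."""
    return {h: hashlib.new(h, value.encode()).hexdigest() for h in HASHES}

def relatedness_findings(token, secret, timestamp, window=5):
    """Anti-patterns for one pair: one value is a hash of the other, or either
    is a hash of a timestamp within `window` seconds of the issue time."""
    findings = []
    for name, digest in hexdigests(secret).items():
        if digest == token:
            findings.append(f"token is {name}(secret)")
    for name, digest in hexdigests(token).items():
        if digest == secret:
            findings.append(f"secret is {name}(token)")
    for ts in range(timestamp - window, timestamp + window + 1):
        for name, digest in hexdigests(str(ts)).items():
            if digest == token:
                findings.append(f"token is {name}(timestamp)")
            if digest == secret:
                findings.append(f"secret is {name}(timestamp)")
    return findings

def audit(generator, samples=20):
    """Call generator() repeatedly (it returns (token, secret)) and collect the
    distinct findings; a repeated token or secret is flagged as low entropy."""
    seen, findings = set(), set()
    for _ in range(samples):
        token, secret = generator()
        findings.update(relatedness_findings(token, secret, int(time.time())))
        if token in seen or secret in seen:
            findings.add("token or secret repeated across calls")
        seen.update((token, secret))
    return findings

# Constructed generators to audit; not code from any real OAuth library.
def weak_generator():
    """The anti-pattern from the thread: both values follow from the clock."""
    token = hashlib.md5(str(int(time.time())).encode()).hexdigest()
    return token, hashlib.md5(token.encode()).hexdigest()

def strong_generator():
    """Independent values from the OS CSPRNG."""
    return secrets.token_hex(16), secrets.token_hex(16)
```

The check is heuristic: it only catches derivations it knows to try, so a clean result from `audit` is evidence of absence of these particular patterns, not proof of independence.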