On Thu, Apr 30, 2009 at 5:05 PM, Blaine Cook <[email protected]> wrote:
>
> That's the same attack as the one addressed in Rev. A; the
> verification token means that the consumer will always know which user
> with which to associate the access token (i.e., the user that brings
> the verification token to the consumer, not the user that initiated
> the flow).

This is the first thought that I had reading this BUT it actually refers to a potential implementation pitfall that the consumers should avoid:

> On Thu, Apr 30, 2009 at 3:35 PM, Darren Bounds <[email protected]> wrote:
>> 1) Attacker authenticates to Consumer App 1.
>> 2) Attacker initiates an OAuth exchange with Twitter, capturing the OAuth
>> redirect URL.

2.1) the consumer obtains the request token from the SP and links this token to the Attacker account
2.2) the consumer returns the redirect to the Attacker that captures the OAuth redirect URL.

>> 3) Attacker embeds the URL in his blog and coerces the Victim user into
>> clicking it (how is out of scope).
>> 4) Victim user is brought to Twitter and prompted to authenticate and
>> authorize his association with Consumer App 1.
>> 5) Victim is then redirected to Consumer App 1 to complete the OAuth
>> handshake.
>> 6) Because Consumer App 1 does not take into account the possibility that
>> the user who initiated the exchange isn't the same as the one who returned,
>> the Consumer App 1 completes the OAuth negotiation and associates the Access
>> Token and Access Token Secret with the Attacker.

What could happen is that the consumer might simply accept the callback and link the access token to the user that started the flow (i.e. the attacker) without authenticating who is sending back the callback. The critical point here is that the consumer should never do this and instead should always associate the access token to the user arriving via the callback (eventually authenticating him).

>> 7) Attacker now has access to Victim's protected Twitter resources.

Luca
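An added example illustrating the consumer-side pitfall Luca describes (it is not code from the thread, from Twitter or from any OAuth library). It simulates the service provider in-process with a toy `Provider` class; the consumer names `VulnerableConsumer` and `HardenedConsumer`, the user labels "attacker", "victim" and "alice", and the callback URL are all constructed for the demonstration. The vulnerable consumer links the access token to whoever started the flow (step 2.1's record); the hardened one requires an authenticated user at the callback, links the token to that arriving user, and additionally refuses a request token that was started by a different session.

```python
import secrets


class Provider:
    """Stand-in for the service provider (Twitter in the thread). It issues
    request tokens, records which SP user authorized each one, and swaps an
    authorized request token for an access token. Everything is in-memory."""

    def __init__(self):
        self.authorized = {}  # request_token -> SP user who authorized it

    def issue_request_token(self):
        return "rt_" + secrets.token_hex(4)

    def authorize(self, request_token, sp_user):
        # Steps 3-4 of the thread: whoever follows the redirect authorizes.
        self.authorized[request_token] = sp_user

    def exchange(self, request_token):
        # Step 5: consumer swaps the authorized request token for an access token.
        sp_user = self.authorized.pop(request_token)
        return "access_token_of_" + sp_user


class ConsumerBase:
    """Shared part of the consumer: starting the flow and remembering which of
    its own users started it (Luca's step 2.1)."""

    def __init__(self, sp):
        self.sp = sp
        self.pending = {}  # request_token -> consumer user who started the flow
        self.linked = {}   # consumer user -> access token

    def start(self, session_user):
        rt = self.sp.issue_request_token()
        self.pending[rt] = session_user
        # Step 2.2: hypothetical authorize URL handed back to the browser.
        return "https://sp.example/oauth/authorize?oauth_token=" + rt


class VulnerableConsumer(ConsumerBase):
    """The pitfall: on callback, trusts the stored 'who started this token'
    record and never looks at who actually arrived."""

    def callback(self, session_user, request_token):
        starter = self.pending.pop(request_token)
        self.linked[starter] = self.sp.exchange(request_token)
        return starter


class HardenedConsumer(ConsumerBase):
    """The fix: the arriving user must be authenticated, and the access token
    is bound to that arriving user. As a stricter check, a request token that
    was started by a different session is refused and never exchanged."""

    def callback(self, session_user, request_token):
        if session_user is None:
            raise PermissionError("authenticate before completing the callback")
        starter = self.pending.pop(request_token, None)
        if starter != session_user:
            raise PermissionError("oauth_token was not issued to this session")
        self.linked[session_user] = self.sp.exchange(request_token)
        return session_user


def _token_from(url):
    return url.rsplit("oauth_token=", 1)[1]


def run_fixation_scenario(consumer_cls):
    """Replays steps 1-6 of the thread against the given consumer. Returns the
    consumer user the access token got linked to (None if the callback was
    refused) together with the consumer's link table."""
    sp = Provider()
    consumer = consumer_cls(sp)
    rt = _token_from(consumer.start("attacker"))     # steps 1-2 (and 2.1, 2.2)
    sp.authorize(rt, "victim_at_sp")                 # steps 3-4: victim authorizes
    try:
        linked_to = consumer.callback("victim", rt)  # step 5: victim's browser returns
    except PermissionError:
        linked_to = None
    return linked_to, dict(consumer.linked)


def run_honest_scenario(consumer_cls):
    """The same user starts and finishes: both consumers must succeed."""
    sp = Provider()
    consumer = consumer_cls(sp)
    rt = _token_from(consumer.start("alice"))
    sp.authorize(rt, "alice_at_sp")
    return consumer.callback("alice", rt), dict(consumer.linked)


if __name__ == "__main__":
    print("vulnerable:", run_fixation_scenario(VulnerableConsumer))
    print("hardened:  ", run_fixation_scenario(HardenedConsumer))
```

Running the script shows the vulnerable consumer handing the victim's access token to the "attacker" account, while the hardened consumer refuses the callback and links nothing; the honest scenario succeeds for both. In a real consumer the `session_user` argument is whatever the authenticated web session says at the moment the callback request arrives, which is exactly the check the thread says must not be skipped.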
