There has been much discussion over the session fixation vulnerability since it was announced publicly. There is another issue that is not unique to OAuth but one that I believe poses an equal if not more serious threat to service providers. That issue is clickjacking.
For those unfamiliar with clickjacking, it is when a visitor to a web page is tricked into clicking on an element that they believe to be harmless when in reality they are clicking on an element on a different website that exposes protected data or grants an attacker access. A malicious consumer developer can use a clickjacking attack against a vulnerable service provider's approval page to trick users into granting their application access. Current service providers have been notified. Google, Yahoo and Twitter have already deployed protection. I have written a blog post that goes into greater detail on the threat which can be read here: http://stephensclafani.com/2009/05/04/clickjacking-oauth/ Stephen Sclafani --~--~---------~--~----~------------~-------~--~----~ You received this message because you are subscribed to the Google Groups "OAuth" group. To post to this group, send email to [email protected] To unsubscribe from this group, send email to [email protected] For more options, visit this group at http://groups.google.com/group/oauth?hl=en -~----------~----~----~----~------~----~------~--~---
