The attack fails.

On Tue, May 5, 2009 at 6:08 PM, Owen Evans <[email protected]> wrote:
> Doesn't really solve the problem:
> (malicious) User A gets the "Authorisation URL" from an application that
> has received a request token.
> User A replaces call-back parameter with malicious or spoof site instead of
> original call-back
> User A tricks User B (Innocent) into logging into SP with
> incorrect call-back parameter.

At this point the SP saves the malicious callback URL associated with
the approved request token.

> User B is sent to malicious site which saves the verification code.
> User A gets verification code from malicious site and uses it to redirect to
> original consumer application

Original consumer sends the correct callback URL along with their
access token request.

SP compares callback from approval step with callback from access
token step.  They don't match, so the access token request fails.

I'm not convinced James' proposal is secure, but the attack Owen
described doesn't work.

You received this message because you are subscribed to the Google Groups "OAuth" group.
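The check described in the reply above, as an added simulation that is not code from the thread or from any OAuth implementation: a toy service provider records the callback shown at the authorization step and refuses an access-token request whose callback differs. The class and function names (ServiceProvider, approve, exchange, honest_flow, callback_swap_attack) and the two callback URLs are constructed for this example; the flow models the proposal as the message describes it, not the OAuth 1.0a specification as later published.

```python
"""Toy model of binding the approval-time callback to the request token.

Added example, not from the original mailing-list message. All names and
URLs are hypothetical; the point is the comparison in exchange().
"""
import secrets
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple

# Constructed sample URLs for the scenario in the thread.
CONSUMER_CALLBACK = "https://consumer.example/callback"  # original consumer
ATTACKER_CALLBACK = "https://evil.example/steal"         # User A's spoof site


@dataclass
class RequestToken:
    token: str
    approved_callback: Optional[str] = None  # callback saved at approval time
    verifier: Optional[str] = None           # verification code given to the user


class ServiceProvider:
    """Service provider (SP) implementing the callback-comparison check."""

    def __init__(self) -> None:
        self._tokens: Dict[str, RequestToken] = {}
        self._access_tokens: Set[str] = set()

    def issue_request_token(self) -> str:
        tok = secrets.token_hex(8)
        self._tokens[tok] = RequestToken(tok)
        return tok

    def approve(self, token: str, callback: str) -> Tuple[str, str]:
        """User approves the token at the authorization URL.

        The SP saves whatever callback that URL carried (an attacker may have
        substituted it) and returns (redirect_target, verifier).
        """
        rt = self._tokens[token]
        rt.approved_callback = callback
        rt.verifier = secrets.token_hex(4)
        return callback, rt.verifier

    def exchange(self, token: str, verifier: str, callback: str) -> Optional[str]:
        """Consumer trades request token + verifier for an access token.

        Returns None if the token is unknown or unapproved, the verifier is
        wrong, or the callback sent now differs from the one saved at approval.
        """
        rt = self._tokens.get(token)
        if rt is None or rt.verifier is None:
            return None
        if not secrets.compare_digest(rt.verifier, verifier):
            return None
        if rt.approved_callback != callback:
            return None  # approval-step and access-token-step callbacks disagree
        access_token = secrets.token_hex(8)
        self._access_tokens.add(access_token)
        del self._tokens[token]  # request token is single-use
        return access_token


def honest_flow(sp: ServiceProvider) -> bool:
    """Normal flow: callback untouched, so the exchange succeeds."""
    token = sp.issue_request_token()
    _, verifier = sp.approve(token, CONSUMER_CALLBACK)
    return sp.exchange(token, verifier, CONSUMER_CALLBACK) is not None


def callback_swap_attack(sp: ServiceProvider) -> bool:
    """The scenario Owen described; returns True only if it yields a token."""
    token = sp.issue_request_token()            # User A obtains the auth URL
    # User A rewrites the callback and gets User B to approve the token.
    redirect_to, verifier = sp.approve(token, ATTACKER_CALLBACK)
    assert redirect_to == ATTACKER_CALLBACK    # User B lands on User A's site
    # User A passes the captured verifier to the original consumer, which
    # sends its own, unchanged callback with the access-token request.
    return sp.exchange(token, verifier, CONSUMER_CALLBACK) is not None


if __name__ == "__main__":
    print("honest flow succeeds:", honest_flow(ServiceProvider()))
    print("callback swap succeeds:", callback_swap_attack(ServiceProvider()))
```

The comparison in `exchange()` is the whole mitigation: the attacker controls the callback that User B approves, but not the callback the original consumer sends when redeeming the token, so the two never match in the swap scenario. The example also treats the request token as single-use and uses a constant-time comparison for the verifier, which the thread does not discuss but any implementation of this check should do.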