I thought about this solution some more and one issue that came to
mind, which is actually noted in the OAuth spec, is that by
conditioning users to enter their credentials each time they are
redirected from a Consumer site you run the risk of increasing the
potential of phishing attacks. Something to consider.

Stephen Sclafani

On May 6, 12:45 am, Allen Tom <[email protected]> wrote:
> Yahoo always requires the user to enter their password (even if the user
> is already signed into Yahoo) before issuing persistent credentials. The
> intent is to verify that the user is actually sitting in front of the
> computer before issuing a persistent credential, to protect against the
> case where the attacker is trying to backdoor a victim's account, when
> the victim left their computer unattended, or forgot to logout.
>
> A nice side effect of requiring password verification is that a potential
> clickjacker would need to phish the user before clickjacking the OAuth
> permissions screen...
>
> Allen
>
> Josh Roesslein wrote:
> > A simple way to block this attack would be to force the user to login
> > each time before displaying the approval page (even if there is a SP
> > session cookie). This way the attacker
> > can not load the approval page in a frame. They would need the
> > password to do so. This does impact the user experience a bit, but
> > does solve the issue 100% unless I overlooked something.
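The mitigation discussed in this thread, modelled as an added example (not code from Yahoo, the OAuth spec, or any poster): the Service Provider's authorization endpoint refuses to render the approval page on the strength of a session cookie alone and requires a password check bound to the specific request token, so a framed approval page with only the cookie behind it gets the login prompt instead. Names such as `Session`, `Response` and `handle_authorize`, the credential store and the 120-second re-auth window are all assumptions.

```python
"""Added example: re-authenticate before the OAuth approval page (hypothetical names)."""
from dataclasses import dataclass, field
import secrets
import time

REAUTH_WINDOW_SECONDS = 120  # constructed value: how long one password check is honoured


@dataclass
class Session:
    user_id: str
    # oauth_token -> time the user's password was verified for that request token
    verified_tokens: dict = field(default_factory=dict)


@dataclass
class Response:
    view: str                       # "login_prompt" or "approval_page"
    headers: dict = field(default_factory=dict)


def check_password(user_id, password, users):
    # Constructed credential store (plain strings for the demo); a real SP compares
    # against a salted hash. compare_digest keeps the comparison constant-time.
    expected = users.get(user_id)
    return expected is not None and secrets.compare_digest(expected, password)


def handle_authorize(session, oauth_token, users, password=None, now=None):
    """Decide which view the authorization endpoint renders for a request token.

    A cookie-backed session is never sufficient: the approval page is shown only
    after a password verified within the window and bound to this oauth_token.
    """
    now = time.time() if now is None else now
    if password is not None:
        if not check_password(session.user_id, password, users):
            return Response("login_prompt")
        session.verified_tokens[oauth_token] = now   # verification is per request token
    verified_at = session.verified_tokens.get(oauth_token)
    if verified_at is None or now - verified_at > REAUTH_WINDOW_SECONDS:
        session.verified_tokens.pop(oauth_token, None)  # stale entry is discarded
        return Response("login_prompt")
    # Refuse framing of the approval page itself as a second layer against overlays.
    return Response("approval_page", {"X-Frame-Options": "DENY"})
```

Because verification is keyed by request token, a password entered for one Consumer's request does not unlock the approval page for a different request token that a framing page might supply.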