Unless I missed something, Yahoo (and I think Google) only prompts for the password when a session is already active, displaying the username instead of giving the user a form field to fill.
A phisher would have the hardest time doing that (if at all). But I do see your point.

Stephane

On May 06, 2009, at 1:37, Stephen Sclafani wrote:

> I thought about this solution some more and one issue that came to
> mind, which is actually noted in the OAuth spec, is that by
> conditioning users to enter their credentials each time they are
> redirected from a Consumer site you run the risk of increasing the
> potential of phishing attacks. Something to consider.
>
> Stephen Sclafani
>
> On May 6, 12:45 am, Allen Tom <[email protected]> wrote:
>> Yahoo always requires the user to enter their password (even if the
>> user is already signed into Yahoo) before issuing persistent
>> credentials. The intent is to verify that the user is actually
>> sitting in front of the computer before issuing a persistent
>> credential, to protect against the case where the attacker is trying
>> to backdoor a victim's account, when the victim left their computer
>> unattended, or forgot to logout.
>>
>> A nice side effect of requiring password verification is that a
>> potential clickjacker would need to phish the user before
>> clickjacking the OAuth permissions screen...
>>
>> Allen
>>
>> Josh Roesslein wrote:
>>> A simple way to block this attack would be to force the user to
>>> login each time before displaying the approval page (even if there
>>> is a SP session cookie). This way the attacker can not load the
>>> approval page in a frame. They would need the password to do so.
>>> This does impact the user experience a bit, but does solve the
>>> issue 100% unless I overlooked something.

You received this message because you are subscribed to the Google Groups "OAuth" group.
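As an added illustration (not code from Yahoo, Google, or anyone in this thread), here is a minimal Python model of the mitigation discussed above: the service provider's authorization endpoint renders the approval page only after a fresh password check bound to the specific request token, and that prompt shows the already signed-in username with just a password field, as Stephane describes. The user store, salt, and function names are constructed for this example.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed demo user store (username -> PBKDF2 hash); an assumption of
# this example, not any real provider's storage scheme.
_SALT = b"constructed-demo-salt"

def _pbkdf2(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 100_000)

USERS = {"alice": _pbkdf2("correct horse battery")}

class Session:
    """SP login session (the user already has a session cookie).
    `verified_for` holds request tokens for which the user has freshly
    re-entered their password; each entry is consumed once."""
    def __init__(self, username: str):
        self.username = username
        self.verified_for = set()

def approval_page(session: Session, request_token: str) -> dict:
    """Decide what the authorization endpoint renders. An existing login
    cookie alone never yields the approval page, so loading the page in a
    frame only ever produces the password prompt, never the Allow button."""
    if request_token in session.verified_for:
        return {"page": "approval", "request_token": request_token}
    # Yahoo-style prompt: username displayed read-only, password field only
    return {"page": "password_prompt", "username": session.username,
            "request_token": request_token}

def submit_password(session: Session, request_token: str, password: str) -> bool:
    """Verify the signed-in user's password and bind the proof to this
    request token, so one verification cannot authorize a different request."""
    expected = USERS.get(session.username)
    if expected is None:
        return False
    ok = hmac.compare_digest(expected, _pbkdf2(password))
    if ok:
        session.verified_for.add(request_token)
    return ok

def issue_credentials(session: Session, request_token: str) -> Optional[str]:
    """Issue a persistent credential only after the fresh, token-bound
    password check; the proof is single-use."""
    if request_token not in session.verified_for:
        return None
    session.verified_for.discard(request_token)
    return secrets.token_hex(16)
```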
