Eran,

As I and many others have already mentioned, CSRF/XSRF attacks are
especially well suited to attacking OAuth and should most certainly
be mentioned in the Security Considerations portion.

I would like to propose the following language:

Cross-Site Request Forgery (CSRF) Attacks

Cross-Site Request Forgery (CSRF) is a web-based attack whereby HTTP
requests are transmitted from a user that the website trusts or has
authenticated. Unlike cross-site scripting (XSS), which exploits the
trust a user has for a particular site, CSRF exploits the trust that a
site has for a particular user.

CSRF attacks on OAuth can be viewed as particularly valuable as they
often offer an attacker persistent access to protected OAuth resources
via the theft of Access Token material. It is because of this that
Service Providers implementing OAuth should strongly consider best
practices in CSRF prevention at all OAuth endpoints.

References:
http://en.wikipedia.org/wiki/Cross-site_request_forgery
http://www.owasp.org/index.php/Cross-Site_Request_Forgery
http://blog.cliqset.com/2008/11/02/csrf-and-oauth/


Darren

On Wed, May 6, 2009 at 4:43 PM, Eran Hammer-Lahav <[email protected]> wrote:
>
> We have identified a few new attack vectors since the spec was originally 
> written and would like to address them in the Security Consideration section. 
> Please reply with proposals for such texts. Ideally we can reach some 
> consensus on these by Fri, but if not, we can add it a bit later since it 
> doesn't affect the protocol directly.
>
> EHL
>
--
darren bounds
[email protected]
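The "best practices in CSRF prevention" Darren refers to are, for a form-based endpoint, the synchronizer-token pattern: the Service Provider binds an unguessable token to the user's session, embeds it in the approval form, and refuses any POST that does not echo it back. The following is an added example, not code from the thread or from any OAuth implementation; the endpoint names, the in-memory session and request-token stores, and the user and consumer names are assumptions made for illustration. It models a Service Provider's authorize endpoint twice, once without the check and once with it, and replays the same forged approval request against both.

```python
"""Synchronizer-token CSRF defence on an OAuth authorization endpoint.

Added illustration (not from the mailing-list thread): a minimal in-memory
model of a Service Provider's /authorize endpoint.  The stores, the endpoint
shape and the names "alice", "mallory", "evil-consumer" are assumptions.
"""
import hmac
import secrets

# Constructed stores standing in for a real Service Provider's backend.
SESSIONS = {}        # session_id -> {"user": str, "csrf": str}
REQUEST_TOKENS = {}  # oauth_token -> {"consumer": str, "authorized_by": str | None}


def new_session(user):
    """Log a user in: each session gets its own unguessable anti-CSRF token."""
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = {"user": user, "csrf": secrets.token_urlsafe(32)}
    return sid


def issue_request_token(consumer):
    """Service Provider hands a consumer an unauthorized request token."""
    tok = secrets.token_urlsafe(12)
    REQUEST_TOKENS[tok] = {"consumer": consumer, "authorized_by": None}
    return tok


def render_authorize_form(sid, oauth_token):
    """GET /authorize: the approval form the user sees.  The hidden csrf field
    is what a cross-site forged POST cannot read (same-origin policy)."""
    return {"oauth_token": oauth_token, "csrf_token": SESSIONS[sid]["csrf"]}


def authorize_vulnerable(sid, form):
    """POST /authorize with no CSRF check: any page the logged-in user visits
    can submit this form and approve a consumer on the user's behalf."""
    if sid not in SESSIONS or form.get("oauth_token") not in REQUEST_TOKENS:
        return "error"
    REQUEST_TOKENS[form["oauth_token"]]["authorized_by"] = SESSIONS[sid]["user"]
    return "authorized"


def authorize_hardened(sid, form):
    """POST /authorize with a synchronizer token bound to the session."""
    session = SESSIONS.get(sid)
    if session is None or form.get("oauth_token") not in REQUEST_TOKENS:
        return "error"
    supplied = form.get("csrf_token", "")
    # Constant-time compare; a missing or foreign token fails the same way.
    if not hmac.compare_digest(supplied, session["csrf"]):
        return "csrf_rejected"
    REQUEST_TOKENS[form["oauth_token"]]["authorized_by"] = session["user"]
    return "authorized"


def demo():
    """Victim is logged in; an attacker-controlled page forges the approval POST."""
    victim = new_session("alice")
    attacker = new_session("mallory")  # attacker only knows her own token
    evil_tok = issue_request_token("evil-consumer")

    # Forged request: the browser attaches the victim's session cookie
    # automatically, but the form fields are whatever the attacker's page put there.
    forged = {"oauth_token": evil_tok, "csrf_token": SESSIONS[attacker]["csrf"]}
    vuln = authorize_vulnerable(victim, forged)
    REQUEST_TOKENS[evil_tok]["authorized_by"] = None   # reset before the second run
    hard = authorize_hardened(victim, forged)

    # Legitimate flow: the user submits the form the SP rendered for them.
    good_tok = issue_request_token("good-consumer")
    legit = authorize_hardened(victim, render_authorize_form(victim, good_tok))
    return {"vulnerable": vuln, "hardened": hard, "legitimate": legit,
            "evil_authorized": REQUEST_TOKENS[evil_tok]["authorized_by"],
            "good_authorized": REQUEST_TOKENS[good_tok]["authorized_by"]}


if __name__ == "__main__":
    print(demo())
```

The token is compared with hmac.compare_digest so that a wrong or absent token is rejected in constant time, and it is per-session rather than global, so the attacker's own token (obtained from her own login) is useless against the victim's session. The same pattern applies to any other state-changing OAuth endpoint that a browser can be made to hit with the user's cookies.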
