Yahoo only prompts for the password (the username is prefilled) if the 
user is already signed into Yahoo when doing the OAuth dance.

Allen

Stephane Daury wrote:
> Unless I missed something, Yahoo (and I think Google) only prompts for
> the password when a session is already active, displaying the username
> instead of giving the user a form field to fill.
>
> A phisher would have the hardest time doing that (if at all).
>
> But I do see your point.
>
> Stephane
>
> On May 06, 2009, at 1:37, Stephen Sclafani wrote:
>
>> I thought about this solution some more and one issue that came to
>> mind, which is actually noted in the OAuth spec, is that by
>> conditioning users to enter their credentials each time they are
>> redirected from a Consumer site you run the risk of increasing the
>> potential of phishing attacks. Something to consider.
>>
>> Stephen Sclafani
>>
>> On May 6, 12:45 am, Allen Tom <a...@yahoo-inc.com> wrote:
>>
>>> Yahoo always requires the user to enter their password (even if the user
>>> is already signed into Yahoo) before issuing persistent credentials. The
>>> intent is to verify that the user is actually sitting in front of the
>>> computer before issuing a persistent credential, to protect against the
>>> case where the attacker is trying to backdoor a victim's account, when
>>> the victim left their computer unattended, or forgot to logout.
>>>
>>> A nice side effect of requiring password verification is that a potential
>>> clickjacker would need to phish the user before clickjacking the OAuth
>>> permissions screen...
>>>
>>> Allen
>>>
>>> Josh Roesslein wrote:
>>>
>>>> A simple way to block this attack would be to force the user to login
>>>> each time before displaying the approval page (even if there is a SP
>>>> session cookie). This way the attacker can not load the approval page
>>>> in a frame. They would need the password to do so. This does impact the
>>>> user experience a bit, but does solve the issue 100% unless I overlooked
>>>> something.
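The policy the thread converges on (an existing Service Provider session cookie is not enough to reach the OAuth approval page; the password must be re-entered during the authorization step, with the username displayed rather than typed when a session exists) can be expressed as a small server-side decision routine. The following is an added illustration, not Yahoo's, Google's or any OAuth library's code; the `Session` fields, the 300-second freshness window, the token binding and the header set are assumptions chosen to show the idea.

```python
"""Constructed illustration of 're-verify the password before showing the
OAuth approval page'. Not code from Yahoo, Google or the thread; every
name and constant below is an assumption for the example."""
from dataclasses import dataclass
from typing import Optional

# Assumed policy: a password check only counts if it happened recently
# and while handling the same authorization request.
MAX_PASSWORD_AGE_SECONDS = 300


@dataclass
class Session:
    user: Optional[str] = None             # None: no Service Provider session
    password_checked_at: float = 0.0       # time of the last password entry
    checked_for_token: Optional[str] = None  # request token the check is bound to


def login_prompt(session: Session) -> dict:
    """Decide what to show when a Consumer redirects the user to the SP.

    With an active session the username is displayed (not an editable field)
    and only the password is asked for; without one the full login form is
    shown. A phishing page cannot reproduce the prefilled username.
    """
    if session.user is None:
        return {"form": "full_login", "username": None}
    return {"form": "password_only", "username": session.user}


def record_password_check(session: Session, user: str,
                          request_token: str, now: float) -> None:
    """Called after the password was verified. The check is bound to this
    request token so it cannot be reused for a later authorization."""
    session.user = user
    session.password_checked_at = now
    session.checked_for_token = request_token


def approval_decision(session: Session, request_token: str, now: float) -> str:
    """Return 'show_approval' only for a fresh, token-bound password check,
    otherwise 'require_password'.

    Because a session cookie alone never unlocks the approval page, a page
    framed by a third party without the user's cooperation never reaches it.
    """
    if session.user is None:
        return "require_password"
    if session.checked_for_token != request_token:
        return "require_password"
    if now - session.password_checked_at > MAX_PASSWORD_AGE_SECONDS:
        return "require_password"
    return "show_approval"


def approval_page_headers() -> dict:
    """Defence in depth: refuse to be rendered inside a frame at all, and keep
    the approval page out of caches (assumed header set)."""
    return {"X-Frame-Options": "DENY", "Cache-Control": "no-store"}


if __name__ == "__main__":
    s = Session()
    print(login_prompt(s))                          # full login, no session
    record_password_check(s, "alice", "tok-1", 1000.0)
    print(login_prompt(s))                          # password only, username shown
    print(approval_decision(s, "tok-1", 1100.0))    # show_approval
    print(approval_decision(s, "tok-2", 1100.0))    # require_password (other token)
```

The token binding is the part that matters for the clickjacking case: a password entered for one authorization cannot be silently "spent" on another, so the attacker's framed approval page cannot ride on a check the user performed elsewhere. The freshness window addresses Allen's unattended-computer scenario; the phishing trade-off Stephen raises is unchanged by the code and remains a product decision.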


You received this message because you are subscribed to the Google Groups 
"OAuth" group.