On Fri, May 8, 2009 at 5:31 PM, Manish Pandit <[email protected]> wrote: > However, when it comes to web based > consumers with callbacks, even with the oauth_verifier, the process > ends up linking the good guy with the bad guy's request token at the > provider.
Sweet. Last time somebody said this it was late on a Friday, too, and look how well that turned out. =) I'm pretty sure OAuth 1.0a isn't vulnerable to what you're describing, but I can't explain why without a more detailed explanation of how your attack works. Can you break it down into a step-by-step "evil user does X, good guy does Y" flow? --~--~---------~--~----~------------~-------~--~----~ You received this message because you are subscribed to the Google Groups "OAuth" group. To post to this group, send email to [email protected] To unsubscribe from this group, send email to [email protected] For more options, visit this group at http://groups.google.com/group/oauth?hl=en -~----------~----~----~----~------~----~------~--~---
