A user should be responsible for his access token secret. If he
reveals it to an attacker, he should expect the attacker can
impersonate him, just as if he gave his authorized mobile device to
the attacker. An application can help prevent such a mistake, by
making it difficult for the user to find his token secret.

A user must trust the software that can use his secret. OAuth doesn't
help with this; you need some other system for establishing trust. If
malicious software can use an access token secret for signing, the
attacker who controls the software can impersonate the user. Or if
malicious software can reveal the secret to an attacker, the attacker
can run software elsewhere that impersonates the user's device.

On Aug 20, 9:00 am, Sunir <su...@freshbooks.com> wrote:
> It's insufficient to provide a key for each device, since the key can
> be cloned by an attacker and used on another device. e.g. if you gave
> Alice the consumer key AlicesPhone for her mobile, she could give her
> key to Bob and he can use it on his mobile and pretend to be Alice.

--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups 
"OAuth" group.
To post to this group, send email to oauth@googlegroups.com
To unsubscribe from this group, send email to oauth+unsubscr...@googlegroups.com
For more options, visit this group at http://groups.google.com/group/oauth?hl=en
-~----------~----~----~----~------~----~------~--~---

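The point made in this message and in the quoted text (a per-device consumer key does not help once the secret has been copied, because the server only ever checks a signature computed from the secrets) can be shown with an OAuth 1.0 HMAC-SHA1 signing round-trip. The following is an added example, not code from the thread or from any OAuth library: it builds the signature base string, signs a request on the client, and verifies it on a server that recomputes the MAC from its own secret store and rejects replayed nonces. The endpoint, key names and secrets are constructed for the example.

```python
import base64
import hashlib
import hmac
from urllib.parse import quote


def pct(value):
    """RFC 3986 percent-encoding as OAuth 1.0 requires: keep only unreserved chars."""
    return quote(str(value), safe="-._~")


def base_string(method, url, params):
    """Signature base string: METHOD & enc(url) & enc(sorted, encoded params)."""
    pairs = sorted((pct(k), pct(v)) for k, v in params.items())
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), pct(url), pct(normalized)])


def hmac_sha1_signature(method, url, params, consumer_secret, token_secret):
    """HMAC-SHA1 over the base string, keyed by enc(consumer_secret)&enc(token_secret)."""
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    mac = hmac.new(key, base_string(method, url, params).encode(), hashlib.sha1)
    return base64.b64encode(mac.digest()).decode()


def sign_request(method, url, query, consumer_key, consumer_secret,
                 token, token_secret, nonce, timestamp):
    """Client side: add the oauth_* protocol parameters and the signature."""
    params = dict(query)
    params.update({
        "oauth_consumer_key": consumer_key,
        "oauth_token": token,
        "oauth_nonce": nonce,
        "oauth_timestamp": str(timestamp),
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_version": "1.0",
    })
    # The signature covers every parameter except itself.
    params["oauth_signature"] = hmac_sha1_signature(
        method, url, params, consumer_secret, token_secret)
    return params


# Hypothetical server-side secret store (constructed for this example).
CONSUMER_SECRETS = {"AlicesPhone": "consumer-secret-1"}
TOKEN_SECRETS = {"alice-token": "token-secret-1"}


def server_verify(method, url, params, seen_nonces):
    """Server side: recompute the signature from stored secrets and reject replays.

    The server only sees identifiers plus a MAC; whoever holds the two secrets
    can produce a valid MAC, on any device.
    """
    consumer_secret = CONSUMER_SECRETS.get(params.get("oauth_consumer_key"))
    token_secret = TOKEN_SECRETS.get(params.get("oauth_token"))
    if consumer_secret is None or token_secret is None:
        return False
    replay_key = (params["oauth_token"], params["oauth_nonce"], params["oauth_timestamp"])
    if replay_key in seen_nonces:
        return False
    unsigned = {k: v for k, v in params.items() if k != "oauth_signature"}
    expected = hmac_sha1_signature(method, url, unsigned, consumer_secret, token_secret)
    if not hmac.compare_digest(expected, params.get("oauth_signature", "")):
        return False
    seen_nonces.add(replay_key)
    return True


def demo():
    """Four requests against one server; returns which ones were accepted."""
    url = "https://api.example.com/v1/invoices"   # hypothetical endpoint
    query = {"page": "1"}
    seen = set()

    # 1. Alice's own phone, holding the real secrets.
    alice = sign_request("GET", url, query, "AlicesPhone", "consumer-secret-1",
                         "alice-token", "token-secret-1", "n1", 1250755200)
    # 2. Bob replays Alice's captured request byte-for-byte.
    replay = dict(alice)
    # 3. Bob has cloned the secrets onto his own device and signs a fresh request.
    cloned = sign_request("GET", url, query, "AlicesPhone", "consumer-secret-1",
                          "alice-token", "token-secret-1", "n2", 1250755260)
    # 4. Bob knows Alice's token identifier but not the token secret.
    guessing = sign_request("GET", url, query, "AlicesPhone", "consumer-secret-1",
                            "alice-token", "wrong-secret", "n3", 1250755320)
    return {
        "alice": server_verify("GET", url, alice, seen),
        "replay": server_verify("GET", url, replay, seen),
        "cloned": server_verify("GET", url, cloned, seen),
        "guessing": server_verify("GET", url, guessing, seen),
    }


if __name__ == "__main__":
    print(demo())  # alice True, replay False, cloned True, guessing False
```

The nonce check stops a captured request from being replayed, but the cloned-secret request is indistinguishable from Alice's own: the server has no input that identifies the device, only the MAC. That is why the message says the secret's holder must be trusted and why a stolen token secret is equivalent to handing over the authorized device. (Repeated query keys are not handled here; real implementations sort them as separate pairs.)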