Hi. I would like to ask you something about the unguessable parameter
oauth_verifier.
In the attack on the core 1.0 specification the intruder does not have to
intercept anything but only constructs a link for the victim.
In the new version of the protocol, core 1.0A, when the service
provider redirects the user to the consumer with the parameter
oauth_verifier, if an intruder intercepts this message with the
oauth_verifier, since the message is in the clear, cannot the intruder use
the oauth_verifier and return it himself to the consumer to continue a
previous session of the protocol, realizing an attack similar to the
one found in the core 1.0 specification? Is there the assumption that
the message in the redirection (from the user to the consumer) is not
intercepted?
Sure, the attack is more difficult than the first one because now some
interceptions are needed, but it is possible, or not?