Hi Breno and Ethan,
but in theory, in a powerful scenario, if the intruder is also able of
intercept the first redirect (when the consumer redirects the user to
the service provider) and change the request token with the one gived
for the his initial session of the protocol, and than create the link
for the victim with this request token ("the link" like that present
in the attack at the core 1.0), after when the user have to come back
to the consumer, if the intruder is able to intercept this message and
so the oauth_verifier gived to the victim by the service provider, now
is the intruder the correct user that have to login in the callback
url of the consumer, because is the intruder that initiated the flow.
All this if nobody use SSL. Thus is there the necessity of SSL or are
there others aspects that prevent this attack?
--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups
"OAuth" group.
To post to this group, send email to [email protected]
To unsubscribe from this group, send email to [email protected]
For more options, visit this group at http://groups.google.com/group/oauth?hl=en
-~----------~----~----~----~------~----~------~--~---
