On 2010-03-08, at 6:39 PM, Ethan Jewett wrote:

> Request hijacking: I actually significantly understated the protection
> against request hijacking that the HMAC-SHA1 method of OAuth 1.0a
> provides. In the worst case, a MITM can hijack a request but cannot
> change the request method, URL, query parameters, nonce, or timestamp.
> In the best case (a single-part form-encoded request body or a request
> consisting only of query parameters), the MITM cannot modify the
> request at all because it is fully signed. It is not true, as Dick
> contends, that a MITM who has captured a signed OAuth 1.0a request can
> use a signed access token as if it were a bearer token. It is far more
> limited in the worst case, and useless in the best case.
After reviewing section 3.4 of draft-hammer-oauth I see that the query string is part of the string being signed, minimizing the attack surface. Thanks for pointing out my misunderstanding.

-- Dick

_______________________________________________
OAuth mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/oauth
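To make the point of this exchange concrete, here is an added example (not code from either poster or from the draft) that builds the OAuth 1.0a HMAC-SHA1 signature base string as described in section 3.4 of draft-hammer-oauth (later RFC 5849) and then checks, from the server's side, what a captured signed request still verifies after a man-in-the-middle has altered parts of it. Method, base URL, query parameters, oauth_* parameters (nonce, timestamp, token) and a form-encoded body are all covered by the signature, so changing any of them fails verification; a non-form body (for instance multipart/form-data) is not part of the base string, which is the "worst case" Ethan describes. All keys, secrets, URLs and request values below are constructed sample data.

```python
import base64
import hashlib
import hmac
from urllib.parse import parse_qsl, quote, urlsplit


def pct_encode(s: str) -> str:
    # RFC 5849 section 3.6: encode everything except unreserved characters.
    return quote(s, safe="-._~")


def base_string_uri(url: str) -> str:
    # Scheme and host lowercased, default ports dropped, query and fragment removed.
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    port = parts.port
    if port and not ((scheme == "http" and port == 80) or (scheme == "https" and port == 443)):
        host = f"{host}:{port}"
    return f"{scheme}://{host}{parts.path or '/'}"


def collect_params(url: str, oauth_params: dict, content_type: str, body: str) -> list:
    # Query string + oauth_* header params (minus the signature itself) + form body.
    # Any other body type (multipart, JSON, ...) is deliberately NOT included, per the spec.
    params = parse_qsl(urlsplit(url).query, keep_blank_values=True)
    params += [(k, v) for k, v in oauth_params.items() if k != "oauth_signature"]
    if content_type.split(";")[0].strip() == "application/x-www-form-urlencoded" and body:
        params += parse_qsl(body, keep_blank_values=True)
    return params


def normalize_params(params: list) -> str:
    # Encode key and value, sort by key then value, join as k=v&k=v.
    encoded = sorted((pct_encode(k), pct_encode(v)) for k, v in params)
    return "&".join(f"{k}={v}" for k, v in encoded)


def signature_base_string(method: str, url: str, oauth_params: dict,
                          content_type: str = "", body: str = "") -> str:
    params = collect_params(url, oauth_params, content_type, body)
    return "&".join([method.upper(),
                     pct_encode(base_string_uri(url)),
                     pct_encode(normalize_params(params))])


def hmac_sha1_signature(base_string: str, consumer_secret: str, token_secret: str = "") -> str:
    key = f"{pct_encode(consumer_secret)}&{pct_encode(token_secret)}".encode()
    digest = hmac.new(key, base_string.encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()  # raw base64; percent-encode it when placed in a header


def sign_request(method, url, oauth_params, consumer_secret, token_secret="", content_type="", body=""):
    signed = dict(oauth_params)
    base = signature_base_string(method, url, signed, content_type, body)
    signed["oauth_signature"] = hmac_sha1_signature(base, consumer_secret, token_secret)
    return signed


def verify_request(method, url, oauth_params, consumer_secret, token_secret="", content_type="", body=""):
    # Server-side check: recompute over what was actually received and compare in constant time.
    # A real server would also reject stale timestamps and reused nonces (replay protection).
    base = signature_base_string(method, url, oauth_params, content_type, body)
    expected = hmac_sha1_signature(base, consumer_secret, token_secret)
    return hmac.compare_digest(expected, oauth_params.get("oauth_signature", ""))


def demo() -> dict:
    # Constructed sample client credentials and request; none of these values are real.
    consumer_secret, token_secret = "consumer-secret-example", "token-secret-example"
    oauth = {
        "oauth_consumer_key": "client-key-example",
        "oauth_token": "access-token-example",
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_timestamp": "1268092800",
        "oauth_nonce": "7d8f3e4a",
        "oauth_version": "1.0",
    }
    method, url = "POST", "https://api.example.com/v1/transfer?amount=10&to=alice"
    form_ct, form_body = "application/x-www-form-urlencoded", "memo=rent"
    signed = sign_request(method, url, oauth, consumer_secret, token_secret, form_ct, form_body)

    def check(m=method, u=url, ct=form_ct, b=form_body, p=signed):
        return verify_request(m, u, p, consumer_secret, token_secret, ct, b)

    # Same request, but the body is multipart and therefore outside the signed string.
    mp_ct = "multipart/form-data; boundary=xyz"
    mp_body = "--xyz\r\nContent-Disposition: form-data; name=\"memo\"\r\n\r\nrent\r\n--xyz--\r\n"
    mp_signed = sign_request(method, url, oauth, consumer_secret, token_secret, mp_ct, mp_body)

    return {
        "untampered": check(),
        "query_tampered": check(u=url.replace("amount=10", "amount=1000")),
        "method_tampered": check(m="GET"),
        "form_body_tampered": check(b="memo=rent&amount=1000"),
        "multipart_body_tampered": check(ct=mp_ct, b=mp_body.replace("rent", "loot"), p=mp_signed),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case:26s} verifies: {ok}")
```

The last case is the one Ethan calls the worst case: the multipart body can be swapped without invalidating the signature, while the method, URL, query, nonce and timestamp still cannot, so the captured token is not usable as a bearer token for arbitrary requests.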
