Agreed, though we can't assume that there won't be other browser bugs that can be exploited in similar ways.
Facebook automatically adding their debug page to the redirect URI of every client was... We need to reinforce care around redirect URI; Connect is much more restrictive than OAuth. I think a client registering its response types is a good idea; I see it is already in the IETF registration spec.

John B.

On 2013-02-25, at 2:58 PM, "Richer, Justin P." <[email protected]> wrote:

> From my read, it's a combination of browser bugs (it only affects Chrome) and
> Facebook's insistence on using the Implicit flow for everything.
>
> While I don't at all care for the "sky is falling" rhetoric that seems to
> follow OAuth2, the author has some good suggestions for implementations:
> binding redirect URIs to particular flows, preference for the code flow, not
> using a default redirect_uri on a hosted domain with user-generated content.
>
> But all of these are implementation issues that the OAuth2 protocol can't
> really address directly.
>
> -- Justin
>
>
> On Feb 25, 2013, at 5:42 PM, William Mills <[email protected]> wrote:
>
>>
>>
>> DOH!!!
>> http://homakov.blogspot.co.uk/2013/02/hacking-facebook-with-oauth2-and-chrome.html
>>
>> From: Phil Hunt <[email protected]>
>> To: William Mills <[email protected]>
>> Sent: Monday, February 25, 2013 2:28 PM
>> Subject: Re: [OAUTH-WG] OAuth2 attack surface....
>>
>> What's the link?
>>
>> Phil
>>
>> Sent from my phone.
>>
>> On 2013-02-25, at 14:22, William Mills <[email protected]> wrote:
>>
>>> I think this is worth a read, I don't have time to dive into this :(
>>> _______________________________________________
>>> OAuth mailing list
>>> [email protected]
>>> https://www.ietf.org/mailman/listinfo/oauth
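The two recommendations the thread converges on, exact-match redirect URIs (as Connect requires) and a client registering which response types it may use, can be enforced together at the authorization endpoint by binding each registered redirect URI to the flows allowed at that URI. The following is an added example, not code from the OAuth WG thread or from any real authorization server; the client registry, client ids and URIs are constructed sample data.

```python
"""Authorization-request validation that binds each registered redirect
URI to the response types (flows) it may be used with.  Added example;
the registration model and sample clients below are hypothetical."""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, Tuple


@dataclass
class ClientRegistration:
    client_id: str
    # exact redirect URI -> response types a client may request at that URI
    redirect_bindings: Dict[str, FrozenSet[str]] = field(default_factory=dict)


# Constructed sample registry: the server-side app callback is bound to the
# code flow only; the single-page app callback is the only place the
# implicit ("token") flow is permitted for this client.
REGISTRY = {
    "client-123": ClientRegistration(
        "client-123",
        {
            "https://app.example/cb": frozenset({"code"}),
            "https://spa.example/cb": frozenset({"token"}),
        },
    ),
}


def validate_authorization_request(
    client_id: str, redirect_uri: str, response_type: str, registry=REGISTRY
) -> Tuple[bool, str]:
    """Return (ok, reason).  The redirect_uri is compared as an exact string,
    so prefix, trailing-slash, path-traversal and fragment variants of a
    registered URI are refused; the response_type must then be one that
    was bound to that URI at registration time."""
    client = registry.get(client_id)
    if client is None:
        return False, "unknown_client"
    # No normalisation and no wildcard/prefix matching: dictionary lookup
    # on the literal string is the whole redirect URI check.
    allowed_types = client.redirect_bindings.get(redirect_uri)
    if allowed_types is None:
        # The server must not redirect this error to the unregistered URI;
        # callers should render it locally instead.
        return False, "redirect_uri_not_registered"
    if response_type not in allowed_types:
        return False, "response_type_not_bound_to_redirect_uri"
    return True, "ok"
```

A request for `response_type=token` at the code-only callback is rejected even though both the client and the URI are known, which is the "bind redirect URIs to particular flows" suggestion from the thread.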
