Hi! I have read through the paper, and what they consider a flaw in OAuth 2 is the fact that for the implicit grant flow the access token is sent to the client through the User Agent, and thus the User Agent can intercept it. What they find is that "social network provider X" allows the implicit grant flow for clients that normally use the authorization code flow. This makes it possible for an attacker to construct an implicit flow request and obtain an access token issued for the client, and this access token might incorrectly be considered as for a confidential client by the provider.

But the issue here is with the provider, which treats the same client as both public and private, and not with OAuth 2.

The paper also takes issue with the fact that an API that is authorized with OAuth 2 exposes more data than what is normally presented to the user when browsing at provider X. This is not an issue with OAuth 2.

They also take issue with the fact that the provider does not throttle API calls, so it is possible to make a crawler, using access tokens issued for a registered client but through the implicit flow, and *authorized by a resource owner complicit with the attackers / crawler builders*, to scrape large amounts of data from the provider. Data that users might not think to be so "publicly accessible".

I think that this is dealt with in https://tools.ietf.org/html/rfc6749#section-10.1, https://tools.ietf.org/html/rfc6749#section-10.2, and by RFC 6819 section 5.2.3.2, "Require User Consent for Public Clients without Secret": https://tools.ietf.org/html/rfc6819#page-60

Cheers,
Adam Renberg (first time poster :))

On Oct 13, 2014 6:35 PM, "Hannes Tschofenig" <[email protected]> wrote:
> During the OAuth conference call today I asked whether someone had
> looked at this paper published at the recent Blackhat US conference and
> nobody knew about it.
>
> Hence, I am posting it here:
>
> * Paper:
> https://www.blackhat.com/docs/us-14/materials/us-14-Hu-How-To-Leak-A100-Million-Node-Social-Graph-In-Just-One-Week-WP.pdf
>
> * Slides:
> https://www.blackhat.com/docs/us-14/materials/us-14-Hu-How-To-Leak-A100-Million-Node-Social-Graph-In-Just-One-Week.pdf
>
> Ciao
> Hannes
>
> _______________________________________________
> OAuth mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/oauth
_______________________________________________
OAuth mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/oauth
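The provider-side mistake discussed above is letting a client that was registered for the authorization code flow obtain a token through the implicit flow (response_type=token). The following is an added example, not code from the thread, the paper, or any provider, of the validation an authorization endpoint can apply before redirecting with a code or token. The client registry, client ids, redirect URIs and the `authorize` function are constructed for illustration; the error names follow RFC 6749 section 4.1.2.1, and the rule of not redirecting when client_id or redirect_uri is invalid comes from the same section.

```python
from dataclasses import dataclass
from urllib.parse import parse_qs, urlsplit


@dataclass(frozen=True)
class RegisteredClient:
    """What the authorization server recorded about a client at registration."""
    client_id: str
    client_type: str                   # "confidential" or "public" (RFC 6749 section 2.1)
    redirect_uris: frozenset           # exact-match set, no wildcards or prefixes
    allowed_response_types: frozenset  # response types enabled for this client


# Constructed sample registry (hypothetical clients, not any real provider's).
# "acme-web" is a confidential client registered only for the code flow;
# "acme-spa" is a public client that may legitimately use the implicit flow.
CLIENTS = {
    "acme-web": RegisteredClient(
        client_id="acme-web",
        client_type="confidential",
        redirect_uris=frozenset({"https://app.acme.example/cb"}),
        allowed_response_types=frozenset({"code"}),
    ),
    "acme-spa": RegisteredClient(
        client_id="acme-spa",
        client_type="public",
        redirect_uris=frozenset({"https://spa.acme.example/cb"}),
        allowed_response_types=frozenset({"token"}),
    ),
}

SUPPORTED_RESPONSE_TYPES = {"code", "token"}


def _single(params, name):
    """Return the one value of a query parameter, or None if absent or repeated."""
    values = params.get(name, [])
    return values[0] if len(values) == 1 else None


def authorize(request_url, clients=CLIENTS):
    """Validate an authorization request and return a dict describing the outcome.

    On failure, "redirect" says whether the error may be sent to the registered
    redirect_uri. When client_id or redirect_uri is itself invalid the server
    must inform the resource owner directly and never redirect.
    """
    params = parse_qs(urlsplit(request_url).query, keep_blank_values=True)

    client = clients.get(_single(params, "client_id"))
    if client is None:
        return {"ok": False, "error": "invalid_client", "redirect": False}

    redirect_uri = _single(params, "redirect_uri")
    if redirect_uri not in client.redirect_uris:
        return {"ok": False, "error": "invalid_redirect_uri", "redirect": False}

    response_type = _single(params, "response_type")
    if response_type is None:
        return {"ok": False, "error": "invalid_request", "redirect": True}
    if response_type not in SUPPORTED_RESPONSE_TYPES:
        return {"ok": False, "error": "unsupported_response_type", "redirect": True}

    # The check the thread is about: a client registered for the code flow
    # must not be handed a token through the implicit flow.
    if response_type not in client.allowed_response_types:
        return {"ok": False, "error": "unauthorized_client", "redirect": True}

    # Defence in depth: even if a registration record is misconfigured, the
    # implicit flow is never appropriate for a confidential client.
    if response_type == "token" and client.client_type == "confidential":
        return {"ok": False, "error": "unauthorized_client", "redirect": True}

    return {
        "ok": True,
        "client_id": client.client_id,
        "client_type": client.client_type,
        "response_type": response_type,
        "redirect_uri": redirect_uri,
        "state": _single(params, "state"),
    }


if __name__ == "__main__":
    base = "https://as.example/authorize?"
    print(authorize(base + "response_type=code&client_id=acme-web"
                    "&redirect_uri=https%3A%2F%2Fapp.acme.example%2Fcb&state=xyz"))
    print(authorize(base + "response_type=token&client_id=acme-web"
                    "&redirect_uri=https%3A%2F%2Fapp.acme.example%2Fcb"))
```

The point of keeping `client_type` in the registration record, and returning it with a successful result, is that whatever the token is later used for can be told which kind of client it was issued to; a token minted through the implicit flow should never be treated downstream as if it had been obtained by an authenticated confidential client.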
