Hi,

During my tests of the Facebook OAuth 2.0 implementation I discovered a vulnerability which I first thought was due to a bad implementation. However, after reporting it to them and analyzing the official specification, including the PKCE standard, I have realized that this attack can be used against any current OAuth 2.0 specification. I found this email address on http://www.rfc-editor.org/info/rfc7636, so I wanted to make sure whether this is the right place to securely report this flaw (which may lead to the compromise of access tokens in every OAuth 2.0 mobile implementation). If not, who can I contact about this?

Thanks,
Michael
_______________________________________________
OAuth mailing list
https://www.ietf.org/mailman/listinfo/oauth
