This is a public list, so it would not be the place to confidentially disclose a vulnerability.

I think Hannes was going to set up a confidential security list. If it relates to PKCE you can contact myself or Nat as a place to start. It would be news to me if Facebook was using RFC7636. Likely they accept and ignore the parameters if you were to send them. I know Google has it implemented.

We are finishing work on https://tools.ietf.org/html/draft-ietf-oauth-native-apps, so if you have something relevant to native app security that we are not covering, now would be a good time to bring it up. Myself or William Denniss can be contacted as the editors for that.

Regards
John B.

> On Jan 5, 2017, at 3:33 PM, Michael Reizelman <[email protected]> wrote:
>
> Hi,
>
> During my tests of the Facebook OAuth2.0 implementation I have discovered a vulnerability which I first thought was due to bad implementation. However, after reporting it to them and analyzing the official specification, including the PKCE standard, I have realized that this attack can be used against any OAuth2.0 current specification. I have encountered this email on http://www.rfc-editor.org/info/rfc7636 so I have wanted to make sure whether this is the place to securely report this flaw (which may lead to compromise of access tokens on every OAuth2.0 mobile implementation)? And if not, who can I contact about this?
>
> Thanks,
> Michael
> _______________________________________________
> OAuth mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/oauth
