The HTTP Referrer check won't work if the Consumer's domain is a social
networking site, and the attacker posted the authorization link to the
victim's wall.
Allen
On 4/24/09 3:25 AM, Manger, James H wrote:
> A (temporary) fix might be for Service Providers to check the HTTP
> Referer request header when Users arrive at the authorization URI.
This is a non-starter as users behind anonymizing web proxies are screwed.
--
Dossy Shiobara | do...
This is a good suggestion for specific consumers. I think we might be
able to use it for our internal consumers.
However, it's a challenge to figure out a valid referrer for a consumer.
Some of our consumers have multiple domains (yes, they all share the
same consumer key).
Zhihong
On Apr 24, 3:25
From: oauth@googlegroups.com [oa...@googlegroups.com] On Behalf Of Josh Fraser
[joshf...@gmail.com]
Sent: 24 April 2009 17:41
To: OAuth
Subject: [oauth] Re: OAuth Security Issue: Referer
It's a good idea. The problem is that it's trivial to fake a referrer
header. All you need to do is tinyurl a link (to avoid suspicion)
that redirects you to the authorization url via a proxy that adds the
expected referrer header.
On Apr 24, 1:25 am, "Manger, James H"
wrote:
> A (temporary)
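The Referer check proposed in this thread, together with the three objections raised against it (Dossy's anonymizing proxies, Allen's social-network Consumer, Josh's forged header) and Zhihong's multi-domain Consumer, as an added example written for this page rather than code from any of the posters. Every hostname and header value in it (consumer.example, consumer-mobile.example, social.example, evil.example, the paths) is constructed for illustration. The last scenario goes slightly beyond the thread: it shows that writing the check as a substring match is broken even without a proxy, which is a caveat a practitioner implementing the check would want.

```python
"""Added example (not from the thread): a Service Provider's Referer check at
the OAuth authorization URI, and the failure modes raised in the discussion.
All hostnames and header values below are constructed for illustration."""
from urllib.parse import urlsplit


def referer_host(referer):
    """Return the lower-cased hostname of a Referer value, or None if the
    header is absent or does not parse as a URL with a host."""
    if not referer:
        return None
    host = urlsplit(referer).hostname
    return host.lower() if host else None


def referer_check(referer, allowed_hosts):
    """The proposed temporary fix: accept the authorization request only if
    the Referer's host is one of the Consumer's registered hosts (or a
    subdomain of one)."""
    host = referer_host(referer)
    if host is None:
        return False
    return any(host == h or host.endswith("." + h) for h in allowed_hosts)


def naive_substring_check(referer, consumer_host):
    """A tempting but wrong way to write the same check: substring match on
    the raw header value instead of on the parsed hostname."""
    return bool(referer) and consumer_host in referer


# Hypothetical Consumer registered under one consumer key with two domains
# (Zhihong's point: the allow-list has to carry every domain the Consumer uses).
CONSUMER_HOSTS = {"consumer.example", "consumer-mobile.example"}


def scenario_legitimate_user():
    # User clicks "Authorize" on the Consumer's site; the browser sends Referer.
    return referer_check("https://consumer.example/connect?step=2", CONSUMER_HOSTS)


def scenario_second_consumer_domain():
    # Same Consumer, its second domain; passes only because it is on the list.
    return referer_check("https://consumer-mobile.example/start", CONSUMER_HOSTS)


def scenario_anonymizing_proxy():
    # Dossy's objection: an anonymizing proxy strips Referer, so a legitimate
    # user arrives with no header and is rejected.
    return referer_check(None, CONSUMER_HOSTS)


def scenario_forged_referer():
    # Josh's attack: the victim follows a short link to a proxy that forwards
    # to the authorization URI with the expected Referer set. The Service
    # Provider sees exactly what a real visit from the Consumer would produce.
    forged = "https://consumer.example/"
    return referer_check(forged, CONSUMER_HOSTS)


def scenario_social_network_consumer():
    # Allen's case: the Consumer is the social network itself, and the attacker
    # posts the authorization link on the victim's wall; the click's Referer is
    # the Consumer's own domain, so the check passes.
    social_hosts = {"social.example"}
    return referer_check("https://social.example/wall/victim", social_hosts)


def scenario_naive_check_bypass():
    # A substring check is bypassed with no proxy at all: the Consumer's host
    # appears in the query string of a page on the attacker's domain.
    attacker_page = "https://evil.example/?r=consumer.example"
    return naive_substring_check(attacker_page, "consumer.example")


if __name__ == "__main__":
    for name, fn in sorted(globals().items()):
        if name.startswith("scenario_"):
            print(f"{name}: accepted={fn()}")
```

Even the hostname-based version only tells the Service Provider which origin the browser claims the request came from; it rejects legitimate users whose proxies drop the header and accepts anyone who can arrange for the right value to be sent, which is what the thread concludes.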