subject:"\[OAUTH\-WG\] Same Origin Method Execution \(SOME\)"

Re: [OAUTH-WG] Same Origin Method Execution (SOME)

2015-07-07 Thread Kim, William G

at Sakimura mailto:sakim...@gmail.com>> Cc: "mailto:oauth@ietf.org>>" mailto:oauth@ietf.org>> Subject: Re: [OAUTH-WG] Same Origin Method Execution (SOME) Right, even though it’s not an OAuth problem, it’s a problem that is more likely to come up and cause damage in situatio

Re: [OAUTH-WG] Same Origin Method Execution (SOME)

2015-06-29 Thread Phil Hunt

Or maybe another wg should address (http)? Phil > On Jun 29, 2015, at 08:36, Justin Richer wrote: > > Right, even though it’s not an OAuth problem, it’s a problem that is more > likely to come up and cause damage in situations that OAuth brings about (the > pop-up redirect page that Nat menti

Re: [OAUTH-WG] Same Origin Method Execution (SOME)

2015-06-29 Thread Justin Richer

Right, even though it’s not an OAuth problem, it’s a problem that is more likely to come up and cause damage in situations that OAuth brings about (the pop-up redirect page that Nat mentions). So, just like the advice to use the system browser on mobile platforms, I think it’d be good to have ac

Re: [OAUTH-WG] Same Origin Method Execution (SOME)

2015-06-29 Thread Nat Sakimura

Year, from my skimming of the paper, it requires a page that executes arbitrary callback function given as a parameter. It is absolutely stupid to do it, but apparently there are such pages. Prime candidate happens to be OAuth Redirection Endpoint. By itself, it probably will not do much harm becau

Re: [OAUTH-WG] Same Origin Method Execution (SOME)

2015-06-29 Thread Nat Sakimura

s/Year/Yeah/ 2015-06-30 0:22 GMT+09:00 Nat Sakimura : > Year, from my skimming of the paper, it requires a page that executes > arbitrary callback function given as a parameter. > It is absolutely stupid to do it, but apparently there are such pages. > Prime candidate happens to be OAuth Redirect

Re: [OAUTH-WG] Same Origin Method Execution (SOME)

2015-06-25 Thread Antonio Sanso

hi John On Jun 25, 2015, at 1:42 AM, John Bradley mailto:ve7...@ve7jtb.com>> wrote: Thanks for the info, As I read it, this is an attack on Java Script callbacks. The information tying it to OAuth is not clear. Is the issue relating to JS people using the implicit flow and the JS loaded from

Re: [OAUTH-WG] Same Origin Method Execution (SOME)

2015-06-24 Thread John Bradley

Thanks for the info, As I read it, this is an attack on Java Script callbacks. The information tying it to OAuth is not clear. Is the issue relating to JS people using the implicit flow and the JS loaded from the client somehow being vulnerable? Or is this happening in the JS after authorizat

[OAUTH-WG] Same Origin Method Execution (SOME)

2015-06-24 Thread Antonio Sanso

hi *, just sharing. Not directly related to OAuth per se but it exploits several OAuth client endpoints due to some common developers pattern http://www.benhayak.com/2015/06/same-origin-method-execution-some.html (concrete example in http://www.benhayak.com/2015/05/stealing-private-photo-album

Re: [OAUTH-WG] Same Origin Method Execution (SOME)

Re: [OAUTH-WG] Same Origin Method Execution (SOME)

Re: [OAUTH-WG] Same Origin Method Execution (SOME)

Re: [OAUTH-WG] Same Origin Method Execution (SOME)

Re: [OAUTH-WG] Same Origin Method Execution (SOME)

Re: [OAUTH-WG] Same Origin Method Execution (SOME)

Re: [OAUTH-WG] Same Origin Method Execution (SOME)

[OAUTH-WG] Same Origin Method Execution (SOME)

8 matches

Site Navigation

Mail list logo

Footer information