My understanding is, at present, that OAuth consumers are not impacted by this issue.

On Wed, Apr 22, 2009 at 13:29, Dossy Shiobara <[email protected]> wrote:
>
> On 4/22/09 4:27 PM, Alex Payne wrote:
>>
>> In cooperation with this consortium of other OAuth providers
>> (including Yahoo!, Google, Netflix, etc.), we agreed not to disclose
>> the nature of the vulnerability, nor even that a vulnerability
>> existed, until all members of the group agreed to do so. I apologize
>> for what must have seemed unnecessarily tight-lipped communication
>> around this issue, but please understand that we and the other
>> companies involved are trying to mitigate the impact of this
>> vulnerability as much as possible.
>
> Can you at least disclose whether OAuth _consumers_ who leave their OAuth
> callback endpoints up are exposing themselves to risk?
>
> --
> Dossy Shiobara | [email protected] | http://dossy.org/
> Panoptic Computer Network | http://panoptic.com/
> "He realized the fastest way to change is to laugh at your own
> folly -- then you can let go and quickly move on." (p. 70)
>

--
Alex Payne - API Lead, Twitter, Inc.
http://twitter.com/al3x
