> Another example I mentioned earlier is when the client does
> not expose the protected resources back to the bearer of the
> code. For example, a Twitter application sending you emails
> when someone stops following you. Since all it does is get
> the code and then use it internally (no user login
> functionality), TLS adds NOTHING.
I'm not sure I understand the example. Would the attacker be able to get emails when someone stops following the user? Would that be OK?

Anyway, an application that accesses Twitter on the user's behalf is likely to be able to send tweets on the user's behalf. The attacks we've been discussing would allow the attacker to send tweets on the user's behalf. That's definitely not cool.

User impersonation when OAuth is used for social login is not the only consequence of not requiring TLS for the callback endpoint.

Francisco
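The thread argues that an authorization code delivered to a non-TLS callback can be picked up and used for the full scope the client holds. One authorization-server-side check that closes this off is to refuse any redirect_uri that is not registered exactly and does not use https. The following is an added illustration, not code from the list discussion or from any IETF document; the client registry is constructed for the example, and the plain-http exemption for loopback addresses (native-app style) is an assumption the reader can drop.

```python
from urllib.parse import urlsplit

# Constructed registry of client_id -> exact registered redirect URIs (example data).
REGISTERED_REDIRECT_URIS = {
    "client-a": {"https://app.example.com/oauth/callback"},
    "client-b": {"http://app.example.org/cb"},  # registered over plain http: the weak case
}

# Assumption: plain-http is tolerated only on the loopback interface (native apps).
LOOPBACK_HOSTS = {"localhost", "127.0.0.1", "::1"}


def redirect_uri_requires_tls(uri: str, allow_loopback: bool = True) -> bool:
    """True if the callback is https, or plain http on loopback when allowed."""
    parts = urlsplit(uri)
    if parts.fragment:
        return False  # redirect URIs must not carry a fragment
    if parts.scheme == "https":
        return True
    if parts.scheme == "http" and allow_loopback and parts.hostname in LOOPBACK_HOSTS:
        return True
    return False


def validate_redirect_uri(client_id: str, redirect_uri: str) -> tuple[bool, str]:
    """Decide whether the AS may send the code to redirect_uri for this client."""
    registered = REGISTERED_REDIRECT_URIS.get(client_id)
    if not registered:
        return False, "unknown client"
    # Exact string comparison: no prefix matching, so no path tricks reach an open redirector.
    if redirect_uri not in registered:
        return False, "redirect_uri not registered"
    if not redirect_uri_requires_tls(redirect_uri):
        return False, "redirect_uri must use https; the code would otherwise travel in the clear"
    return True, "ok"


if __name__ == "__main__":
    for cid, uri in [
        ("client-a", "https://app.example.com/oauth/callback"),
        ("client-b", "http://app.example.org/cb"),
        ("client-a", "https://app.example.com/oauth/callback/../other"),
    ]:
        print(cid, uri, validate_redirect_uri(cid, uri))
```

Registering an http callback (client-b) is rejected at authorization time rather than silently accepted, which is the policy the thread is arguing for.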
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth