Moved here to help discuss.
> 3.1.2.4. Invalid Endpoint: Comment on "open redirector": "How many people > even know what the heck an open redirector is? I think we need a section in > the security considerations section that defines what an open redirector is > and why it's bad. Alternatively a normative reference to a complete > definition somewhere else is also fine." Added new section and reference to it: 10.15. Open Redirectors The authorization server authorization endpoint and the client redirection endpoint can be improperly configured and operate as open redirectors. An open redirector is an endpoint using a parameter to automatically redirect a user-agent to the location specified by the parameter value without any validation. Open redirectors can be used in phishing attacks to get end-users to visit malicious sites by making the URI's authority look like a familiar and trusted destination. In addition, if the authorization server allows the client to register only part of the redirection URI, an attacker can use an open redirector operated by the client to construct a redirection URI that will pass the authorization server validation but will send the authorization code or access token to an endpoint under the control of the attacker.
_______________________________________________ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth
