I posted to my blog about a significant implementation flaw made by people using Facebook's OAuth 2 implementation.

I understand that Facebook is fixing it in their own code, but many clients are exploitable.

For those interested: http://www.thread-safe.com/2012/04/followup-on-oauth-facebook-login.html

The flaw is not in the spec but in implementations.

John B.

On 2012-04-17, at 4:45 PM, Stephen Farrell wrote:

> Hi all,
>
> A recent news article [1] was brought to my attention this week
> that's about a paper [2] which I've just read. While it mostly
> deals with implementation and integration flaws, I'm wondering
> if there's anything in there that could benefit any of the
> oauth drafts. Anyone had a look at that already?
>
> Be interesting if any similar analysis has been done on any
> oauth 1.0 or 2.0 sites or implementations.
>
> Ta,
> S.
>
> [1] http://www.itbusiness.ca/it/client/en/CDN/News.asp?id=66741
> [2] https://research.microsoft.com/pubs/160659/websso-final.pdf
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth