Yeah, we encountered this problem doing a binding between FB and other
accounts. We found that FB actually used a valid browser cookie rather than
serving back the needed auth page we wanted for the user. We had to work
around this by calling their un-CSRF-protected sign-out link first.
It's a very real, very bad problem.
-bill
>________________________________
> From: John Bradley <ve7...@ve7jtb.com>
>To: Stephen Farrell <stephen.farr...@cs.tcd.ie>
>Cc: "oauth@ietf.org" <oauth@ietf.org>
>Sent: Tuesday, April 17, 2012 7:57 AM
>Subject: Re: [OAUTH-WG] web sso study...
>
>I posted to my blog about a significant implementation flaw made by people
>using Facebook's OAuth 2 implementation.
>
>I understand that Facebook is fixing it in their own code, but many clients
>are exploitable.
>
>For those interested.
>http://www.thread-safe.com/2012/04/followup-on-oauth-facebook-login.html
>
>The flaw is not in the spec but in implementations.
>
>John B.
>
>On 2012-04-17, at 4:45 PM, Stephen Farrell wrote:
>
>>
>> Hi all,
>>
>> A recent news article [1] was brought to my attention this week
>> that's about a paper [2] which I've just read. While it mostly
>> deals with implementation and integration flaws, I'm wondering
>> if there's anything in there that could benefit any of the
>> oauth drafts. Anyone had a look at that already?
>>
>> Be interesting if any similar analysis has been done on any
>> oauth 1.0 or 2.0 sites or implementations.
>>
>> Ta,
>> S.
>>
>> [1] http://www.itbusiness.ca/it/client/en/CDN/News.asp?id=66741
>> [2] https://research.microsoft.com/pubs/160659/websso-final.pdf
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth
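The binding problem Bill describes above, as an added illustration that is not code from this thread, from Facebook or from any client mentioned in it: an account-linking callback that binds whatever identity the provider hands back, beside one that ties the callback to the browser session that started the link with an unguessable state value (the login-CSRF protection RFC 6749 section 10.12 asks clients for). The provider URL, client_id, the exchange_code stub and the two authorization codes are constructed for the example.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional

# Constructed stand-in for the provider's token and userinfo endpoints: maps an
# authorization code to the provider-side user it was issued for. A real client
# would POST the code to the token endpoint and then query the userinfo API.
_CONSTRUCTED_CODES: Dict[str, str] = {
    "code-for-victim": "provider-user-victim",
    "code-for-attacker": "provider-user-attacker",
}

AUTHORIZE = "https://provider.example/oauth/authorize"  # hypothetical endpoint


def exchange_code(code: str) -> str:
    """Return the provider user id behind an authorization code (stub)."""
    return _CONSTRUCTED_CODES[code]


@dataclass
class LocalSession:
    """The client application's own login session for one browser."""
    user_id: str
    pending_link_state: Optional[str] = None


@dataclass
class AccountStore:
    """Which provider identity each local account is bound to, plus reverse index."""
    links: Dict[str, str] = field(default_factory=dict)        # local -> provider
    by_provider: Dict[str, str] = field(default_factory=dict)  # provider -> local


def start_link(session: LocalSession) -> str:
    """Mint a single-use state, remember it in the local session, build the redirect."""
    state = secrets.token_urlsafe(32)
    session.pending_link_state = state
    return (f"{AUTHORIZE}?response_type=code&client_id=app123"
            "&redirect_uri=https://app.example/link/callback"
            f"&state={state}")


def finish_link_unchecked(session: LocalSession, store: AccountStore,
                          code: str, state: Optional[str]) -> str:
    """Vulnerable variant: ignores state, so any callback URL an attacker can get
    the victim's browser to load binds the attacker's provider account."""
    provider_uid = exchange_code(code)
    store.links[session.user_id] = provider_uid
    store.by_provider[provider_uid] = session.user_id
    return "linked"


def finish_link(session: LocalSession, store: AccountStore,
                code: str, state: Optional[str]) -> str:
    """Hardened variant: the callback must carry the state this session minted,
    and a provider identity already bound to someone else is refused."""
    expected, session.pending_link_state = session.pending_link_state, None  # single use
    if expected is None or state is None:
        return "rejected: no link in progress"
    if not hmac.compare_digest(expected, state):
        return "rejected: state mismatch"
    provider_uid = exchange_code(code)
    owner = store.by_provider.get(provider_uid)
    if owner is not None and owner != session.user_id:
        return "rejected: provider account already bound to another user"
    store.links[session.user_id] = provider_uid
    store.by_provider[provider_uid] = session.user_id
    return "linked"


def demo() -> Dict[str, Optional[str]]:
    """Run the forged callback against both handlers, then a legitimate one."""
    results: Dict[str, Optional[str]] = {}
    forged_state = "state-the-attacker-chose"  # attacker cannot see the victim's

    # Victim (alice) is logged in to the client app; attacker completes the
    # provider side with their own account, captures the callback URL and gets
    # alice's browser to load it.
    victim = LocalSession(user_id="alice")
    store = AccountStore()
    results["unchecked"] = finish_link_unchecked(victim, store, "code-for-attacker", forged_state)
    results["unchecked_bound_to"] = store.links.get("alice")

    # Same forged callback against the hardened handler.
    victim = LocalSession(user_id="alice")
    store = AccountStore()
    start_link(victim)
    results["hardened_forged"] = finish_link(victim, store, "code-for-attacker", forged_state)

    # Legitimate completion: state round-trips from the URL the app minted.
    victim = LocalSession(user_id="alice")
    url = start_link(victim)
    state = url.rsplit("state=", 1)[1]
    results["hardened_legit"] = finish_link(victim, store, "code-for-victim", state)
    results["legit_bound_to"] = store.links.get("alice")
    return results
```

The state check closes the direction where the callback itself is forged: with the unchecked handler alice's account ends up bound to the attacker's provider identity, which then lets the attacker log in as alice through "log in with provider". It does not cover the direction Bill ran into, where the provider silently reuses whatever session cookie the browser already holds; that has to be handled on the provider side (a re-authentication prompt, or the sign-out-first workaround he describes), or by showing the user which provider account is about to be bound before committing.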