hi Hannes,

thanks for the link. It is interesting. That said, I think the attacks shown there are a bit “academic” and do not reflect the real-life situation. Moreover, it still mentions the MAC flow when AFAIK the OAuth working group decided to deviate from it. IMHO the majority of real-life attacks (and I can provide many, many examples taken from blog posts of people that hacked big providers such as Google, Facebook, GitHub etc.) are actually targeting two things:

- weak/incorrect validation of the redirect_uri parameter
- leak of the access token / authorization code from the referrer

just my 0.02 cents :)

regards

antonio

On Oct 13, 2014, at 6:35 PM, Hannes Tschofenig <hannes.tschofe...@gmx.net> wrote:

> During the OAuth conference call today I asked whether someone had
> looked at this paper published at the recent Blackhat US conference and
> nobody knew about it.
>
> Hence, I am posting it here:
>
> * Paper:
>
> https://www.blackhat.com/docs/us-14/materials/us-14-Hu-How-To-Leak-A100-Million-Node-Social-Graph-In-Just-One-Week-WP.pdf
>
> * Slides:
> https://www.blackhat.com/docs/us-14/materials/us-14-Hu-How-To-Leak-A100-Million-Node-Social-Graph-In-Just-One-Week.pdf
>
> Ciao
> Hannes
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
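The two issues Antonio lists above, illustrated as an added example that is not part of the thread or of any IETF document: a prefix-style redirect_uri check placed beside the exact-match check RFC 6749 (sections 3.1.2.2 and 3.1.2.3) asks for, plus a callback handler that keeps the authorization code out of any later Referer header. The client id, the registered URI, the sample candidate URIs and the landing page are all constructed for the example.

```python
"""Added example: weak vs. strict redirect_uri validation at an OAuth
authorization server, and a client callback that does not leak the code
through the Referer header. Not code from the OAuth WG or any real provider."""
from urllib.parse import parse_qs, urlsplit

# Constructed registry: the complete redirect URIs a hypothetical client
# ("client-abc") registered with the authorization server.
REGISTERED_REDIRECT_URIS = {
    "client-abc": {"https://app.example.com/oauth/callback"},
}

# Constructed candidate values a request might carry in redirect_uri.
SAMPLE_CANDIDATES = [
    "https://app.example.com/oauth/callback",                                 # exact registered URI
    "https://app.example.com/oauth/callback/extra",                           # extra path appended
    "https://app.example.com/oauth/callback?next=https://elsewhere.example",  # extra query appended
    "https://app.example.com/oauth/callback#frag",                            # fragment appended
    "http://app.example.com/oauth/callback",                                  # scheme downgrade
]


def weak_redirect_check(client_id: str, redirect_uri: str) -> bool:
    """Weak check: accepts any redirect_uri that merely starts with a registered
    URI, so anything appended to the path, query or fragment is accepted too."""
    registered = REGISTERED_REDIRECT_URIS.get(client_id, set())
    return any(redirect_uri.startswith(r) for r in registered)


def strict_redirect_check(client_id: str, redirect_uri: str) -> bool:
    """Hardened check: simple string comparison against the complete registered
    URI (RFC 6749 3.1.2.3). The sanity checks in front are defence in depth in
    case a non-https, fragment-bearing or userinfo-bearing URI ever gets
    registered by mistake."""
    registered = REGISTERED_REDIRECT_URIS.get(client_id, set())
    parts = urlsplit(redirect_uri)
    if parts.scheme != "https" or parts.fragment or "@" in parts.netloc:
        return False
    return redirect_uri in registered


def compare_checks(client_id: str, candidates: list[str]) -> dict[str, tuple[bool, bool]]:
    """Run both checks over the candidates; returns {uri: (weak, strict)} so
    the gap between the two policies is visible side by side."""
    return {
        uri: (weak_redirect_check(client_id, uri), strict_redirect_check(client_id, uri))
        for uri in candidates
    }


def callback_response(request_url: str) -> tuple[int, dict[str, str]]:
    """Client-side handling of the redirect that carries ?code=...: consume the
    code, then send the browser to a clean URL with Referrer-Policy set, so a
    page that later embeds third-party resources never has the code in the
    URL that would be sent as Referer. Returns (status, headers)."""
    query = parse_qs(urlsplit(request_url).query)
    code = query.get("code", [None])[0]
    if code is None:
        return 400, {"Content-Type": "text/plain"}
    # The server-side exchange of `code` for a token happens here in a real
    # client; it is outside what this example demonstrates.
    return 302, {
        "Location": "https://app.example.com/home",   # constructed landing page, no code in it
        "Referrer-Policy": "no-referrer",
    }


if __name__ == "__main__":
    for uri, (weak, strict) in compare_checks("client-abc", SAMPLE_CANDIDATES).items():
        print(f"weak={str(weak):5} strict={str(strict):5} {uri}")
    print(callback_response("https://app.example.com/oauth/callback?code=abc123&state=xyz"))
```

Running it prints one row per candidate: only the exact registered URI passes the strict check, while the prefix check also waves through the appended path, query and fragment variants. The 302 in the second part carries no `code=` in its Location.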