Hi OAuthers:

The XARA (Cross App Resource Access) paper was gaining interest here in Japan today because of The Register article [1]. I went over the attack description in the full paper [2]. The paper presents four kinds of vulnerabilities:

1. Password Stealing (Keychain)
2. Container Cracking (BundleID check bug on the part of the Apple App Store)
3. IPC Interception (a. WebSocket non-authentication, and b. local OAuth redirect)
4. Scheme Hijacking

Of those, 3.b and 4 are relevant to us, and we kind of knew them all the way through. These are the target attacks that PKCE specifically wants to address, and does address, I believe.

[1] http://www.theregister.co.uk/2015/06/17/apple_hosed_boffins_drop_0day_mac_ios_research_blitzkrieg/
[2] https://sites.google.com/site/xaraflaws/

--
Nat Sakimura (=nat)
Chairman, OpenID Foundation
http://nat.sakimura.org/
@_nat_en
_______________________________________________ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth
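The two cases the message singles out (a malicious app registering the legitimate app's custom URL scheme, or listening on the local redirect endpoint) both hand the attacker the authorization code. The added example below, which is not part of the original post or of any OpenID Foundation code, shows why PKCE (RFC 7636) neutralises that: the code is bound at the authorization endpoint to a SHA-256 code_challenge, and the token endpoint only honours a caller that presents the matching code_verifier, which never leaves the legitimate app's memory. The client_id, the `legitapp://` scheme and the toy in-memory authorization server are hypothetical; the S256 transform and the binding rule are the RFC's.

```python
import base64
import hashlib
import hmac
import secrets


def b64url(data: bytes) -> str:
    """Base64url encoding without padding, as RFC 7636 specifies."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_code_verifier(n_bytes: int = 32) -> str:
    """Fresh random code_verifier (RFC 7636 section 4.1); 32 bytes gives 43 characters."""
    return b64url(secrets.token_bytes(n_bytes))


def make_code_challenge(verifier: str) -> str:
    """S256 transform: BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


class AuthorizationServer:
    """Toy in-memory authorization server (illustrative assumption, not a real implementation).

    Each authorization code is bound to the code_challenge that arrived with the
    authorization request; the token endpoint releases a token only to a caller
    that presents the matching code_verifier.
    """

    def __init__(self):
        self._codes = {}

    def authorize(self, client_id, redirect_uri, code_challenge=None, method="S256"):
        # code_challenge=None models a legacy client without PKCE, kept only to show the
        # contrast; a server protecting public clients should reject such requests.
        if code_challenge is not None and method != "S256":
            raise ValueError("only S256 is accepted here; 'plain' exposes the verifier in the redirect")
        code = secrets.token_urlsafe(24)
        self._codes[code] = (client_id, redirect_uri, code_challenge)
        return code

    def token(self, code, client_id, redirect_uri, code_verifier=None):
        # Codes are single use: pop on first presentation, successful or not, so a
        # hijacker who races the real app can burn the code but never cash it in.
        entry = self._codes.pop(code, None)
        if entry is None:
            return None
        bound_client, bound_redirect, bound_challenge = entry
        if client_id != bound_client or redirect_uri != bound_redirect:
            return None
        if bound_challenge is not None:
            if code_verifier is None:
                return None
            if not hmac.compare_digest(make_code_challenge(code_verifier), bound_challenge):
                return None
        return {"access_token": secrets.token_urlsafe(16), "token_type": "Bearer"}


def scheme_hijack_scenario():
    """A malicious app has registered the legit app's custom scheme and therefore
    receives every redirect, code included. Returns whether each attempt got a token."""
    server = AuthorizationServer()
    client_id = "legit-mobile-app"               # hypothetical client
    redirect_uri = "legitapp://oauth/callback"   # hypothetical custom scheme
    out = {}

    # 1. Legacy flow without PKCE: the intercepted code alone is enough.
    code = server.authorize(client_id, redirect_uri)
    out["no_pkce_hijacker_gets_token"] = server.token(code, client_id, redirect_uri) is not None

    # 2. PKCE, hijacker races first with a verifier it can only guess: it fails and burns
    #    the code, so the legit app fails too (user retries), but no token leaked.
    verifier = make_code_verifier()
    code = server.authorize(client_id, redirect_uri, make_code_challenge(verifier))
    out["pkce_hijacker_first"] = server.token(code, client_id, redirect_uri, make_code_verifier()) is not None
    out["pkce_legit_after_hijacker"] = server.token(code, client_id, redirect_uri, verifier) is not None

    # 3. PKCE, legit app exchanges first; the hijacker's later replay of the same code fails.
    verifier = make_code_verifier()
    code = server.authorize(client_id, redirect_uri, make_code_challenge(verifier))
    out["pkce_legit_first"] = server.token(code, client_id, redirect_uri, verifier) is not None
    out["pkce_hijacker_replay"] = server.token(code, client_id, redirect_uri, make_code_verifier()) is not None
    return out


if __name__ == "__main__":
    for name, got_token in scheme_hijack_scenario().items():
        print(f"{name}: {got_token}")
```

The same binding covers case 3.b (a local loopback redirect listener): whoever intercepts the redirect gets only the code, and the token endpoint refuses it without the verifier. Note that PKCE does not stop the hijacker from burning the code (a denial of service), and it says nothing about whether the legitimate app's scheme registration is unique; it only guarantees that an intercepted code is worthless on its own.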