Thanks for the info. As I read it, this is an attack on JavaScript callbacks.
The information tying it to OAuth is not clear.

Is the issue relating to JS people using the implicit flow and the JS loaded from the client somehow being vulnerable?

Or is this happening in the JS after authorization in calls to other resources from the same origin, and it is just coincidence that people are using OAuth?

Understanding if there is any OAuth-specific advice to give would be helpful.

I see there are ways to prevent the SOME exploit.

Regards
John B.

> On Jun 24, 2015, at 4:18 PM, Antonio Sanso <asa...@adobe.com> wrote:
>
> hi *, just sharing.
>
> Not directly related to OAuth per se but it exploits several OAuth client
> endpoints due to some common developers pattern
> http://www.benhayak.com/2015/06/same-origin-method-execution-some.html
> (concrete example in
> http://www.benhayak.com/2015/05/stealing-private-photo-albums-from-Google.html)
>
> regards
>
> antonio
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth