All,
An article was recently published discussing some OAuth Redirection Attacks to try to bypass phishing detection solutions. See the details of these attacks in the following link:

https://www.proofpoint.com/us/blog/cloud-security/microsoft-and-github-oauth-implementation-vulnerabilities-lead-redirection

The article discusses attacks on Microsoft and GitHub, but these attacks are not unique to these companies. The attacks take advantage of how OAuth handles error responses, which sends responses to the application’s redirect URL.

I would like to get the thoughts of the working group on these types of attacks. What is the best way to mitigate these attacks? Do we need a new approach for handling errors with OAuth?

Regards,
Rifaat
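The two error-handling policies the question contrasts, as an added example that is not code from this thread, from the linked article, or from any vendor's authorization server. The client registry, supported scopes and request parameters are constructed; the "render errors locally" branch is one possible mitigation assumed here for illustration, not a position taken on the list. The invalid-redirect_uri rule (never redirect when the client or redirect URI does not match a registration) is the existing RFC 6749 section 4.1.2.1 requirement.

```python
"""Authorization-endpoint error handling: spec-style redirect vs. local rendering.

Added illustration (not from the mailing-list thread or any vendor).
All client registrations, scopes and request parameters below are constructed.
"""
from urllib.parse import urlencode

# Constructed client registry: client_id -> set of exactly registered redirect URIs.
# Any party can register a client with a redirect URI they control.
CLIENTS = {
    "good-app": {"https://app.example.com/callback"},
    "third-party-app": {"https://third-party.example.net/land"},
}
SUPPORTED_RESPONSE_TYPES = {"code"}
SUPPORTED_SCOPES = {"openid", "profile", "email"}


def _append_query(uri, params):
    """Append query parameters to a redirect URI that may already carry a query."""
    sep = "&" if "?" in uri else "?"
    return uri + sep + urlencode(params)


def _request_error(params):
    """Validate the non-redirect parts of an authorization request.
    Returns (error_code, description) or None when the request is well formed."""
    if params.get("response_type") not in SUPPORTED_RESPONSE_TYPES:
        return ("unsupported_response_type", "response_type not supported")
    scopes = set(params.get("scope", "").split())
    if not scopes or not scopes <= SUPPORTED_SCOPES:
        return ("invalid_scope", "unknown scope requested")
    return None


def authorize(params, redirect_request_errors):
    """Decide what the authorization endpoint does before any user interaction.

    Returns {"action": "render", ...} when the browser must stay on the AS,
    or {"action": "redirect", "location": ...} when an error is bounced to the client.
    """
    client_id = params.get("client_id")
    redirect_uri = params.get("redirect_uri")
    registered = CLIENTS.get(client_id)
    # RFC 6749 s.4.1.2.1: unknown client or redirect_uri mismatch -> never redirect.
    # Exact string comparison only; no prefix matching or normalization.
    if registered is None or redirect_uri not in registered:
        return {"action": "render", "error": "invalid_request",
                "detail": "unknown client or unregistered redirect_uri"}
    err = _request_error(params)
    if err is None:
        return {"action": "render", "error": None, "detail": "show consent page"}
    code, desc = err
    if redirect_request_errors:
        # Spec-style behaviour: the user agent is sent to the registered
        # redirect_uri immediately, with no consent screen ever shown.
        q = {"error": code, "error_description": desc}
        if "state" in params:
            q["state"] = params["state"]
        return {"action": "redirect", "location": _append_query(redirect_uri, q)}
    # Hardened policy (an assumption of this example): errors in the request
    # itself are reported on an AS-hosted page, so a link that fails validation
    # never leaves the authorization server's origin.
    return {"action": "render", "error": code, "detail": desc}


# Constructed request: points at a valid third-party registration but asks for
# a scope the server does not support, so validation fails before any consent.
CRAFTED = {"client_id": "third-party-app",
           "redirect_uri": "https://third-party.example.net/land",
           "response_type": "code", "scope": "nonexistent", "state": "xyz"}


def spec_style():
    return authorize(CRAFTED, redirect_request_errors=True)


def hardened():
    return authorize(CRAFTED, redirect_request_errors=False)


if __name__ == "__main__":
    print(spec_style())
    print(hardened())
```

Under the spec-style policy the same request yields a 302 straight to the registered redirect URI carrying `error=invalid_scope`, which is the behaviour the article's attacks rely on; under the hardened policy the error stays on the authorization server. The redirect_uri exact-match check is unchanged between the two and is what keeps an unregistered URI from ever being used.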
_______________________________________________ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth