All,

An article was recently published discussing some OAuth Redirection Attacks
to try to bypass phishing detection solutions. See the details of these
attacks in the following link:


https://www.proofpoint.com/us/blog/cloud-security/microsoft-and-github-oauth-implementation-vulnerabilities-lead-redirection


The article discusses attacks on Microsoft and GitHub, but these attacks
are not unique to these companies.

The attacks take advantage of how OAuth handles error responses, which
sends responses to the application’s redirect URL.

I would like to get the thoughts of the working group on these types of
attacks.

What is the best way to mitigate these attacks?

Do we need a new approach for handling errors with OAuth?

Regards,

Rifaat
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
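A defensive illustration of the error-delivery decision described above, added here and not part of Rifaat's message or of any vendor's code: an authorization endpoint that renders errors locally when the client or redirect_uri is unknown (as RFC 6749 §4.1.2.1 requires) and, as an assumed stricter policy, also refuses to auto-redirect errors for clients that have not been verified. The client registry, URLs and the `verified` flag are constructed for the example.

```python
from dataclasses import dataclass
from urllib.parse import urlencode

# Constructed client registry (hypothetical); a real server loads this from storage.
CLIENTS = {
    "verified-app": {"redirect_uris": {"https://app.example/cb"},
                     "response_types": {"code"}, "scopes": {"openid", "profile"}, "verified": True},
    "unverified-app": {"redirect_uris": {"https://attacker-registered.example/cb"},
                       "response_types": {"code"}, "scopes": {"openid"}, "verified": False},
}

@dataclass
class Outcome:
    action: str          # "render": show error locally; "redirect": bounce to redirect_uri; "proceed": request is valid
    error: str = ""
    location: str = ""   # only set when action == "redirect"

def authorize(params: dict, clients: dict = CLIENTS) -> Outcome:
    """Validate an authorization request and decide where any error is delivered."""
    client = clients.get(params.get("client_id", ""))
    redirect_uri = params.get("redirect_uri", "")
    # RFC 6749 §4.1.2.1: unknown client or bad redirect_uri -> inform the user, MUST NOT redirect.
    if client is None:
        return Outcome("render", "invalid_request")
    if redirect_uri not in client["redirect_uris"]:   # exact string match, no prefix or wildcard matching
        return Outcome("render", "invalid_request")
    # These errors are ones the client is allowed to learn about, so the RFC delivers them by redirect.
    if params.get("response_type") not in client["response_types"]:
        error = "unsupported_response_type"
    elif not set(params.get("scope", "").split()) <= client["scopes"]:
        error = "invalid_scope"
    else:
        return Outcome("proceed")
    # Assumed stricter policy: a crafted link with a bad scope or response_type would otherwise bounce
    # straight from this trusted origin to whatever URI the client registered. For clients whose
    # publisher has not been verified, render an interstitial instead of redirecting automatically.
    if not client["verified"]:
        return Outcome("render", error)
    query = {"error": error}
    if "state" in params:                 # echo state so the client can correlate the response
        query["state"] = params["state"]
    sep = "&" if "?" in redirect_uri else "?"
    return Outcome("redirect", error, redirect_uri + sep + urlencode(query))
```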
