Hi OAuthers:
The XARA (Cross App Resource Access) paper was gaining interest here in Japan
today because of the Register article [1].
I went over the attack description in the full paper [2].
The paper presents four kinds of vulnerabilities.
1. Password Stealing (Keychain)
2. Container Cracking
PKCE solves a subset of this, but not the general case. It doesn't solve the
FB example in the paper where the FB token is passed between apps locally.
It is a clear win for the OAuth code flow for example though.
On Thursday, June 18, 2015 7:31 AM, Nat Sakimura wrote:
Hi OAuthers
Yup. Obviously, PKCE is for the Code Flow and does not deal with the Implicit flow.
The best bet probably is to stop using the Implicit flow for passing tokens around
among apps, unless the token is capable of being sender confirmed.
Nat
2015-06-18 23:47 GMT+09:00 Bill Mills :
> PKCE solves a subset of this, but not
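The PKCE protection Bill and Nat refer to above, as an added example that is not code from the thread: the S256 code_verifier/code_challenge binding of RFC 7636, with a toy authorization server (an assumption made here) showing why a rogue app that registers the same URL scheme and receives the authorization code from the redirect still cannot redeem it.

```python
import base64
import hashlib
import secrets


def make_verifier() -> str:
    # 32 random bytes -> 43 unreserved characters, the RFC 7636 minimum length
    return base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode()


def s256_challenge(verifier: str) -> str:
    # code_challenge = BASE64URL(SHA256(ASCII(code_verifier))), no padding
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode()


class AuthorizationServer:
    """Toy authorization server constructed for this example; it stores the
    challenge per issued code and checks the verifier at the token endpoint."""

    def __init__(self):
        self._codes = {}

    def authorize(self, code_challenge: str) -> str:
        # Only the challenge travels in the authorization request; the
        # verifier never leaves the legitimate client
        code = secrets.token_urlsafe(16)
        self._codes[code] = code_challenge
        return code

    def token(self, code: str, code_verifier: str) -> bool:
        # Codes are single-use; the verifier must hash to the stored challenge
        challenge = self._codes.pop(code, None)
        if challenge is None:
            return False
        return secrets.compare_digest(s256_challenge(code_verifier), challenge)


def run_flow(attacker_intercepts_code: bool) -> bool:
    """Return True if whoever redeems the code obtains a token."""
    auth_server = AuthorizationServer()
    verifier = make_verifier()  # held in the legitimate app's memory only
    code = auth_server.authorize(s256_challenge(verifier))
    if attacker_intercepts_code:
        # The hijacking app gets the code via the scheme handler, but not
        # the verifier; a freshly made guess of its own does not match
        return auth_server.token(code, make_verifier())
    return auth_server.token(code, verifier)
```

The S256 vector from RFC 7636 Appendix B reproduces with s256_challenge; the code flow without PKCE would accept the intercepted code, which is the case Bill notes the Implicit-style local token passing does not get.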
Passing the FB token between apps on the device is not a real use of the
implicit flow; Facebook may be reusing the pattern in an insecure way.
The NAPPS WG at the OIDF recognized that was insecure a long time ago. We are
looking to use the S256 PKCE transform to secure similar sorts of on devi
Just an FYI, the issue addressed in this draft hit the media this week as a
result of this paper:
https://drive.google.com/file/d/0BxxXk1d3yyuZOFlsdkNMSGswSGs/view
The attack we have been discussing is in Section 3.4.
John B.
> On Jun 11, 2015, at 5:06 PM, Hannes Tschofenig wrote:
>
> Sounds
There are other bits of sensitive info that might pass via redirect and be
intercepted due to the scheme handler insecurity. It's not just OAuth or other
such tokens, although they are significant.
On Thursday, June 18, 2015 10:25 AM, John Bradley wrote:
Passing the FB token betw