Explaining the OAuth Session Fixation Attack
created 23 April 2009 in links tagged oauth and security.
Wow, OAuth has a really big hole in it. How did we (I say we because I’ve been over the spec a lot, not because I’m part of anything ‘official’) miss this? Doubly alarming because I can’t think of any solutions to it that don’t involve attaching parameters to the callback URL, thus screwing desktop/phone-based clients.
http://www.hueniverse.com/hueniverse/2009/04/explaining-t...