jerakeen.org

links by Tom Insam


Explaining the OAuth Session Fixation Attack

created 23 April 2009 in links tagged oauth and security.

Wow, OAuth has a really big hole in it. How did we (I say we because I’ve been over the spec a lot, not because I’m part of anything ‘official’) miss this? Doubly alarming because I can’t think of any solutions to it that don’t involve attaching parameters to the callback URL, thus screwing desktop/phone-based clients.