[Openid-specs-ab] OAuth implementation vulnerability
Mike Jones
Michael.Jones at microsoft.com
Wed May 15 06:20:54 UTC 2013
Can you propose concise security considerations text about the issues identified in the post? I'm almost done applying the changes agreed to in Mountain View to the specs, so the timing of adding this would be good, in terms of letting people review the text before we publish the Implementer's Drafts.
-- Mike
From: openid-specs-ab-bounces at lists.openid.net [mailto:openid-specs-ab-bounces at lists.openid.net] On Behalf Of Nat Sakimura
Sent: Tuesday, May 14, 2013 6:33 PM
To: openid-specs-ab at lists.openid.net
Subject: [Openid-specs-ab] OAuth implementation vulnerability
You guys probably knew it, but it is a good read.
http://webstersprodigy.net/2013/05/09/common-oauth-issue-you-can-use-to-take-over-accounts/
BTW, perhaps we should add x-frame-options to the spec?
Also, some tightening up in the security considerations?
I know that this is really an implementation issue, but the magnitude of the attack's success makes me think that perhaps it is a good idea to mention them at least. I am probably the one who wants to finish the spec the most...
--
Nat Sakimura (=nat)
Chairman, OpenID Foundation
http://nat.sakimura.org/
@_nat_en