[security-dev] How we hacked Facebook with OAuth2 and Chrome bugs

Bill Burke bburke at redhat.com
Wed Feb 20 08:09:44 EST 2013

This seems like a problem with Facebook's implementation. If the OAuth 2 
Provider is exclusively access code access and requires confidential 
clients I don't see how any of the hacks can work. This is why in our 
OAuth 2 implementation (Resteasy), we don't allow any of the public and 
insecure options for OAuth2 and everything is confidential.

On 2/20/2013 6:36 AM, Bruno Oliveira wrote:
> A quite interesting article about OAuth2:
> http://homakov.blogspot.com.br/2013/02/hacking-facebook-with-oauth2-and-chrome.html
> --
> "The measure of a man is what he does with power" - Plato
> -
> @abstractj
> -
> Volenti Nihil Difficile
> _______________________________________________
> security-dev mailing list
> security-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/security-dev

Bill Burke
JBoss, a division of Red Hat

More information about the security-dev mailing list