This seems like a problem with Facebook's implementation. If the OAuth 2
Provider is exclusively access code access and requires confidential
clients, I don't see how any of the hacks can work. This is why in our
OAuth 2 implementation (Resteasy), we don't allow any of the public and
insecure options for OAuth2 and everything is confidential.

On 2/20/2013 6:36 AM, Bruno Oliveira wrote:
A quite interesting article about OAuth2:
http://homakov.blogspot.com.br/2013/02/hacking-facebook-with-oauth2-and-c...
--
"The measure of a man is what he does with power" - Plato
-
@abstractj
-
Volenti Nihil Difficile
_______________________________________________
security-dev mailing list
security-dev(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/security-dev
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com