[security-dev] How we hacked Facebook with OAuth2 and Chrome bugs
Bill Burke
bburke at redhat.com
Wed Feb 20 08:09:44 EST 2013
This seems like a problem with Facebook's implementation. If the OAuth 2
Provider is exclusively access code access and requires confidential
clients, I don't see how any of the hacks can work. This is why in our
OAuth 2 implementation (Resteasy), we don't allow any of the public and
insecure options for OAuth2 and everything is confidential.
On 2/20/2013 6:36 AM, Bruno Oliveira wrote:
> A quite interesting article about OAuth2:
>
> http://homakov.blogspot.com.br/2013/02/hacking-facebook-with-oauth2-and-chrome.html
>
> --
> "The measure of a man is what he does with power" - Plato
> -
> @abstractj
> -
> Volenti Nihil Difficile
>
>
> _______________________________________________
> security-dev mailing list
> security-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/security-dev
>
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
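A sketch of the policy the reply describes, added here as an example and not Resteasy's or the author's code: an authorization server that accepts only the authorization-code response type, matches redirect URIs exactly against the registration, and requires client authentication at the token endpoint. The client id, secret and redirect URI are constructed sample data.

```python
# Added example (not Resteasy's code): policy checks for an OAuth2
# authorization server that allows only the authorization-code grant
# and only confidential (secret-holding) clients.
import hmac
from urllib.parse import urlsplit

# Constructed client registry: every registered client holds a secret.
CLIENTS = {
    "web-app": {
        "secret": "s3cr3t-example",
        "redirect_uris": ["https://app.example/cb"],
    },
}


def validate_authorization_request(params):
    """Return an error code for a rejected request, or None if allowed."""
    client = CLIENTS.get(params.get("client_id"))
    if client is None:
        return "unknown_client"
    # Authorization-code flow only: the implicit 'token' response type,
    # one of the public options the reply refers to, is refused outright.
    if params.get("response_type") != "code":
        return "unsupported_response_type"
    # Exact string match against the registered redirect URIs; no prefix,
    # path or substring matching.
    redirect = params.get("redirect_uri", "")
    if redirect not in client["redirect_uris"]:
        return "invalid_redirect_uri"
    if urlsplit(redirect).scheme != "https":
        return "insecure_redirect_uri"
    return None


def validate_token_request(client_id, client_secret, params):
    """Token endpoint: a code is exchangeable only by the authenticated client."""
    client = CLIENTS.get(client_id)
    # Constant-time secret comparison; a missing secret is an empty string.
    if client is None or not hmac.compare_digest(client_secret or "", client["secret"]):
        return "invalid_client"
    if params.get("grant_type") != "authorization_code":
        return "unsupported_grant_type"
    # The redirect_uri presented at the token endpoint must also be registered.
    if params.get("redirect_uri") not in client["redirect_uris"]:
        return "invalid_redirect_uri"
    return None
```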