[Cryptography] "Covert Redirect" vulnerability in OAuth, OpenID
=JeffH
Jeff.Hodges at KingsMountain.com
Fri May 2 21:26:17 EDT 2014
> Anyone looked at the details on this one?
>
>
> http://www.cnet.com/news/serious-security-flaw-in-oauth-and-openid-discovered/
It's sorta difficult to tell precisely, because the above-cited article
lacks specifics, but I'm thinking it's likely that flaw is one that's
discussed (among several others) in this paper (possibly among others [1]).
Sun, San-Tsai, Kirstie Hawkey, and Konstantin Beznosov. "Systematically
breaking and fixing OpenID security: Formal analysis, semi-automated
empirical evaluation, and practical countermeasures." Computers & Security
31, no. 4 (2012): 465-483.
http://lersse-dl.ece.ubc.ca/record/274/files/274.pdf
See, for example, attack A4 in § 6.1.
HTH,
=JeffH
[1]
http://scholar.google.com/scholar?q=openid+oauth+security&btnG=&hl=en&as_sdt=1%2C5