
Simon Willison’s Weblog

OAuth Security Advisory 2009.1. It’s a show-stopper: an attacker can start an OAuth permission request flow from a consumer site, then trick another user of the same site into completing that flow, thereby authorising the attacker to act on their behalf. A fix to the spec is forthcoming; in the meantime, don’t start an OAuth flow from an untrusted location.
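The flow the advisory describes, as an added toy model (not code from this post, from the advisory, or from the OAuth spec): a provider that issues request tokens and exchanges them for access tokens, first behaving as OAuth 1.0 did, then with the oauth_verifier check that the later OAuth 1.0a revision added, which the post itself does not detail. Class and function names, and all token values, are constructed.

```python
from typing import Dict, Optional
import secrets


class ToyProvider:
    """Minimal OAuth service provider: request tokens, user authorisation,
    access-token exchange. Constructed for illustration, not a real library."""

    def __init__(self, require_verifier: bool):
        # False models OAuth 1.0 (vulnerable); True models the 1.0a verifier check
        self.require_verifier = require_verifier
        self.tokens: Dict[str, dict] = {}  # request token -> {"user", "verifier"}

    def request_token(self) -> str:
        token = secrets.token_hex(8)
        self.tokens[token] = {"user": None, "verifier": None}
        return token

    def authorize(self, token: str, user: str) -> Optional[str]:
        """The user approves the request token at the provider. Under 1.0a the
        provider mints a verifier and hands it to the approving user's browser
        (via the consumer callback); under 1.0 nothing extra is produced."""
        entry = self.tokens[token]
        entry["user"] = user
        if self.require_verifier:
            entry["verifier"] = secrets.token_hex(8)
        return entry["verifier"]

    def access_token(self, token: str, verifier: Optional[str] = None) -> dict:
        entry = self.tokens.get(token)
        if entry is None or entry["user"] is None:
            raise PermissionError("request token unknown or not yet authorised")
        if self.require_verifier and verifier != entry["verifier"]:
            raise PermissionError("oauth_verifier missing or does not match")
        return {"access_token": secrets.token_hex(8), "user": entry["user"]}


def attacker_completes_flow(require_verifier: bool) -> bool:
    """Replay the advisory's scenario: the attacker holds the request token, the
    victim is tricked into approving it, and the attacker then tries to finish
    the exchange. Returns True if the attacker can now act as the victim."""
    sp = ToyProvider(require_verifier)
    rt = sp.request_token()  # attacker begins the flow at the consumer
    sp.authorize(rt, user="victim")  # victim approves; any verifier goes to the
    # victim's browser, so the attacker still knows only the request token
    try:
        return sp.access_token(rt)["user"] == "victim"
    except PermissionError:
        return False
```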


2 comments

  1. The description by Eran Hammer-Lahav is also quite informative.

    Adam Lowry - 23rd April 2009 17:30

  2. Why would anyone ever start an OAuth flow from an untrusted location? >:(

    Jeremy Dunck - 23rd April 2009 20:10
