OneDrive Client written in D

Rory McGuire via Digitalmars-d-announce digitalmars-d-announce at puremagic.com
Wed Sep 23 19:36:18 PDT 2015


I can't think of a way to do phishing with oauth2; that doesn't mean it can't be
done somehow :)

Basically, because you have to configure the redirect when you set up the
client_secret, the server will only ever send the browser to that redirect;
a mismatched requested redirect will just cause an error, on Google Apps
for example.

Let's say this app has a redirect to localhost:1234/oauth set up during
credentials creation on the oauth server.
Then if you could get some malicious code to run at that host:port then you
could get the access token that the oauth server would think it is sending
to this app.

So yes, letting everyone know your client_secret is dodgy, but actually
getting hacked because of it seems highly unlikely.


On Wed, Sep 23, 2015 at 4:51 PM, Nick Sabalausky via Digitalmars-d-announce
<digitalmars-d-announce at puremagic.com> wrote:

> On 09/23/2015 08:38 AM, Rory McGuire via Digitalmars-d-announce wrote:
>
>> Problem is right now anyone can make an app and pretend it's your app, and
>> then ...
>>
>> If the user gives your keys access to their stuff so does anyone else who
>> has your keys, if they can get the oauth2 redirect to redirect to a
>> matching url at least.
>>
>>
> Isn't oauth/openid just kind of a big bundle of such phishing problems
> anyway?
>
>
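The redirect check described in the message above is the whole reason a leaked client_secret on its own does not hand a third party the token. The following Python model of an authorization endpoint is an added illustration, not code from this thread or from the OneDrive client; the client id, the registered URI `http://localhost:1234/oauth` and the issued code are constructed values. It shows the exact-match comparison the text relies on: a request whose redirect_uri differs from the registered one in any way (different host, extra path, a fragment) gets an error and no redirect at all.

```python
from urllib.parse import urlsplit

# Constructed sample: the redirect URI a hypothetical app registered when
# its client_id / client_secret were created on the authorization server.
REGISTERED_CLIENTS = {
    "example-client-id": {"http://localhost:1234/oauth"},
}


def redirect_uri_allowed(client_id: str, requested: str) -> bool:
    """True only if `requested` exactly matches a URI registered for client_id."""
    allowed = REGISTERED_CLIENTS.get(client_id)
    if not allowed:
        # Unknown client (or a client that registered nothing): refuse.
        return False
    parts = urlsplit(requested)
    # Only plain absolute http(s) URIs without a fragment are considered.
    if parts.scheme not in ("http", "https") or not parts.netloc or parts.fragment:
        return False
    # Exact string comparison: no prefix, wildcard or host-only matching,
    # so "http://localhost:1234/oauth/../x" or another host never passes.
    return requested in allowed


def authorize(client_id: str, requested_redirect: str, state: str) -> dict:
    """Model of the authorization endpoint's decision for one request.

    On a mismatch the server must not send the browser anywhere the request
    asked for; it answers the user agent with an error instead, which is the
    behaviour the message above describes for Google Apps.
    """
    if not redirect_uri_allowed(client_id, requested_redirect):
        return {"error": "invalid_request", "redirect": None}
    # CONSTRUCTED_CODE is a placeholder; a real server mints a fresh random
    # single-use code here and echoes the client's state value back.
    return {"redirect": f"{requested_redirect}?code=CONSTRUCTED_CODE&state={state}"}


if __name__ == "__main__":
    print(authorize("example-client-id", "http://localhost:1234/oauth", "s1"))
    print(authorize("example-client-id", "http://other.example/oauth", "s1"))
```

Because the token or code can only ever land at the registered `localhost:1234/oauth`, someone holding just the client_secret still has to control whatever listens at that host and port, which is exactly the remaining risk the message points at.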