In this article, John Bielich and Khash Kiani introduce OAuth and demonstrate one approach by which a malicious native client application can compromise sensitive end-user data.
Earlier this year, Khash posted a paper entitled "Four Attacks on OAuth — How to Secure Your OAuth Implementation" that introduced the common protocol flow with specific examples and discussed a few insecure implementations. For more information about the protocol, its use cases and key concepts, please refer to that post and the other freely available OAuth resources on the web.
This article assumes that the readers are familiar with the detailed principles behind OAuth, and that they know how to make GET and POST requests over HTTPS. However, we will still
This article briefly introduces an emerging open-protocol technology, OAuth, and presents scenarios and examples of how insecure implementations of OAuth can be abused maliciously. We examine the characteristics of some of these attack vectors, and discuss ideas on countermeasures against possible attacks on users or applications that have implemented this protocol.
An Introduction to the Protocol
OAuth is an emerging authorization standard that is being adopted by a growing number of sites such as Twitter, Facebook, Google, Yahoo!, Netflix, Flickr, and several other Resource Providers and social networking sites. It is an open-web specification for organizations to access protected resources on each other's web sites. This is achieved by allowing users to grant a third-party application access to their protected content without having to provide that application with their credentials.
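To make the delegation described above concrete, the following is an added example (written for this edit, not code from the article or from any of the providers named) that simulates the three-legged OAuth flow in-process, with the consumer application and the resource provider as two Python objects exchanging the same messages they would send over HTTPS. It assumes the OAuth 1.0a flavour with HMAC-SHA1 request signing, since the article does not name a version; the consumer key, the user "alice" with her password, the token endpoints under provider.example and the photo list are all constructed sample data. The point it shows is the one the paragraph makes: the password goes only to the provider, the consumer ends up holding a token it must use to sign every request, and a request whose URL or parameters are altered after signing is rejected.

```python
import base64
import hashlib
import hmac
import secrets
import time
from urllib.parse import parse_qsl, quote, urlsplit


def pct(value):
    """RFC 5849 percent-encoding: only A-Z a-z 0-9 - . _ ~ stay unencoded."""
    return quote(str(value), safe="")


def signature_base_string(method, url, params):
    """METHOD&base-URL&normalised-params: the exact string both sides sign."""
    u = urlsplit(url)
    base_url = f"{u.scheme.lower()}://{u.netloc.lower()}{u.path}"
    pairs = [(k, v) for k, v in params.items() if k != "oauth_signature"]
    pairs = sorted((pct(k), pct(v)) for k, v in parse_qsl(u.query) + pairs)
    normalised = "&".join(f"{k}={v}" for k, v in pairs)
    return f"{method.upper()}&{pct(base_url)}&{pct(normalised)}"


def hmac_sha1_signature(method, url, params, consumer_secret, token_secret=""):
    """Signing key is consumer-secret&token-secret; no user password is involved."""
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    msg = signature_base_string(method, url, params).encode()
    return base64.b64encode(hmac.new(key, msg, hashlib.sha1).digest()).decode()


class Consumer:
    def __init__(self, key, secret):
        # Third-party client application: holds its key and tokens, never the password.
        self.key, self.secret, self.token, self.token_secret = key, secret, "", ""

    def signed_request(self, method, url, extra=None):
        params = {"oauth_consumer_key": self.key, "oauth_nonce": secrets.token_hex(8),
                  "oauth_signature_method": "HMAC-SHA1",
                  "oauth_timestamp": str(int(time.time())), **(extra or {})}
        if self.token:
            params["oauth_token"] = self.token
        params["oauth_signature"] = hmac_sha1_signature(
            method, url, params, self.secret, self.token_secret)
        return method, url, params


class ResourceProvider:
    """The site holding the user's data; it alone ever checks the user's password."""

    def __init__(self):
        self.consumers = {"demo-app-key": "demo-app-secret"}        # constructed registration
        self.users = {"alice": "correct horse battery staple"}       # constructed account
        self.private_data = {"alice": ["photo1.jpg", "photo2.jpg"]}  # constructed data
        self.request_tokens, self.access_tokens = {}, {}

    def _verify(self, method, url, params, token_secret=""):
        consumer_secret = self.consumers.get(params.get("oauth_consumer_key"))
        if consumer_secret is None:
            return False
        expected = hmac_sha1_signature(method, url, params, consumer_secret, token_secret)
        return hmac.compare_digest(expected, params.get("oauth_signature", ""))

    def request_token(self, method, url, params):
        """Step 1: a registered consumer asks for a temporary request token."""
        if not self._verify(method, url, params):
            raise PermissionError("unknown consumer or bad signature")
        token, secret = secrets.token_hex(8), secrets.token_hex(16)
        self.request_tokens[token] = {"secret": secret, "verifier": None, "user": None}
        return token, secret

    def authorize(self, token, username, password):
        """Step 2: the user logs in at the provider itself and approves the consumer."""
        if self.users.get(username) != password or token not in self.request_tokens:
            raise PermissionError("login failed or unknown request token")
        verifier = secrets.token_hex(4)
        self.request_tokens[token].update(verifier=verifier, user=username)
        return verifier

    def access_token(self, method, url, params):
        """Step 3: swap the authorised request token plus verifier for an access token."""
        rt = self.request_tokens.pop(params.get("oauth_token"), None)  # one-shot token
        if (rt is None or rt["verifier"] != params.get("oauth_verifier", "")
                or not self._verify(method, url, params, rt["secret"])):
            raise PermissionError("request token not authorised or bad signature")
        token, secret = secrets.token_hex(8), secrets.token_hex(16)
        self.access_tokens[token] = {"secret": secret, "user": rt["user"]}
        return token, secret

    def protected_resource(self, method, url, params):
        """Step 4: every API call is signed with the consumer and access-token secrets."""
        at = self.access_tokens.get(params.get("oauth_token"))
        if at is None or not self._verify(method, url, params, at["secret"]):
            raise PermissionError("bad access token or signature")
        return self.private_data[at["user"]]


def run_three_legged_flow(provider, consumer, username, password):
    """Drive the whole exchange in-process; returns the data the consumer obtained."""
    consumer.token, consumer.token_secret = provider.request_token(*consumer.signed_request(
        "POST", "https://provider.example/oauth/request_token"))
    verifier = provider.authorize(consumer.token, username, password)  # user's browser, not the app
    consumer.token, consumer.token_secret = provider.access_token(*consumer.signed_request(
        "POST", "https://provider.example/oauth/access_token", {"oauth_verifier": verifier}))
    return provider.protected_resource(*consumer.signed_request(
        "GET", "https://provider.example/api/photos?user=me"))
```

Running `run_three_legged_flow(ResourceProvider(), Consumer("demo-app-key", "demo-app-secret"), "alice", "correct horse battery staple")` returns alice's photo list, while an unregistered consumer key, a wrong password, or a signed request whose URL is edited afterwards all raise `PermissionError`. Note that in a real deployment the `authorize` step happens in the user's browser against the provider's own login page; the attacks discussed later in this article hinge on what a native client can do to interpose itself in exactly that step.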
Unlike OpenID, which is a federated