So how safe is OAuth?



Michael Mullan
13-Nov-2016, 09:03 PM
https://threatpost.com/oauth-2-0-hack-exposes-1-billion-mobile-apps-to-account-hijacking/121889/

Looks like the Chinese have busted it.

Mike Peat
14-Nov-2016, 03:46 AM
Mike

The issue here is not actually OAuth 2.0, but sloppy implementations of it on the back-end. What (if I am understanding that article correctly) is supposed to happen is that each user request (with an access token) is validated with the Authentication server before being processed by the Information server (the actual service). Some implementers seem to have been sloppy about that, thus leaving them vulnerable.

There have been question marks over the entire OAuth 2.0 architecture, but I don't think this is one of them.

Mike

Nils G. Svedmyr
14-Nov-2016, 03:54 AM
Thanks Michael for the link.

This is a quote from the link that caught my eye, and I wonder whether it relates to how OAuth has been implemented for DataFlex:

"Further, the researchers recommend identity providers issue private identifiers rather than relying on global identifiers"

Anyone can shed some light on this?
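
The back-end check Mike describes above (validate the access token with the provider rather than believing the client) and the "private identifiers" recommendation quoted in this post, as an added Python example. This is not DataFlex code, not the DataFlex OAuth 2.0 component, and not code from the linked article. MockIdentityProvider, AppBackend, the app names, user ids and the pairwise secret are all assumptions constructed for the demonstration; the provider's verify method stands in for a real provider's token-verification or userinfo endpoint, so the whole thing runs offline.

```python
"""Added illustration, not DataFlex code and not from the linked article.

It models the two back-end patterns discussed in the thread: trusting an
identity the mobile client sends, versus asking the provider who the access
token belongs to. The provider, app names, user ids and the pairwise secret
are all constructed for the example; nothing is fetched over the network.
"""
import hashlib
import hmac
import secrets


class MockIdentityProvider:
    """Stand-in for the provider's token-verification / userinfo endpoint."""

    def __init__(self, pairwise_secret: bytes):
        self._tokens = {}  # access_token -> (global_user_id, client_id)
        self._pairwise_secret = pairwise_secret

    def issue_token(self, global_user_id: str, client_id: str) -> str:
        """Issued at the end of a normal authorization flow for one app."""
        token = secrets.token_urlsafe(16)
        self._tokens[token] = (global_user_id, client_id)
        return token

    def private_id(self, global_user_id: str, client_id: str) -> str:
        """Per-app user identifier: stable for one (app, user) pair, but
        unrelated to the id the same user gets at any other app.
        Modelled on OpenID Connect's pairwise subject identifiers."""
        msg = f"{client_id}\0{global_user_id}".encode()
        return hmac.new(self._pairwise_secret, msg, hashlib.sha256).hexdigest()

    def verify(self, access_token: str, client_id: str):
        """Who does this token belong to, from this app's point of view?

        Returns None for unknown tokens and for tokens issued to another app,
        so a token an attacker obtained through their own app cannot be
        replayed against this one."""
        entry = self._tokens.get(access_token)
        if entry is None or entry[1] != client_id:
            return None
        global_user_id = entry[0]
        return {"private_user_id": self.private_id(global_user_id, client_id)}


class AppBackend:
    """The app's own server (the 'Information server'). Each login method
    returns the identity the server would act as, or None if it refuses."""

    def __init__(self, idp: MockIdentityProvider, client_id: str):
        self.idp = idp
        self.client_id = client_id

    def login_vulnerable(self, user_id_from_client: str, access_token: str):
        """Sloppy pattern: the mobile app reports who just logged in and the
        server believes it. The token travels along but is never checked, so
        the identity is whatever the client chose to send."""
        return user_id_from_client

    def login_hardened(self, access_token: str):
        """Only the token crosses the trust boundary; the identity comes back
        from the provider, bound to that token and to this app's client_id."""
        info = self.idp.verify(access_token, self.client_id)
        return None if info is None else info["private_user_id"]


def demo() -> dict:
    """Runs the account-substitution attack against both handlers."""
    idp = MockIdentityProvider(pairwise_secret=b"constructed-demo-secret")
    app_a = AppBackend(idp, client_id="app-A")

    # The attacker signs in to the provider with their OWN account and
    # receives a perfectly valid token for app-A.
    attacker_token = idp.issue_token("user-attacker", "app-A")

    # Attack: the attacker-controlled client sends the victim's id alongside
    # the attacker's token.
    vulnerable = app_a.login_vulnerable("user-victim", attacker_token)
    hardened = app_a.login_hardened(attacker_token)

    # Replaying a token issued to a different app is refused.
    token_for_app_b = idp.issue_token("user-attacker", "app-B")
    cross_app = app_a.login_hardened(token_for_app_b)

    return {
        "vulnerable_signs_in_as": vulnerable,  # "user-victim": account takeover
        "hardened_signs_in_as": hardened,      # the attacker's own per-app id
        "attacker_private_id_at_a": idp.private_id("user-attacker", "app-A"),
        "cross_app_token_accepted": cross_app is not None,  # False
        # The victim's id differs per app, so an id learned through one app
        # does not address the victim's account at another.
        "victim_ids_differ_per_app":
            idp.private_id("user-victim", "app-A")
            != idp.private_id("user-victim", "app-B"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Run it and the vulnerable handler signs the attacker in as user-victim, while the hardened handler yields only the attacker's own app-specific identifier, whatever the client claims. The per-app identifier is the point of the quoted recommendation: an id or token harvested through one app is of no use at another.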

Mike Peat
14-Nov-2016, 06:07 AM
Nils

We are not (as yet anyway) providers. We are merely clients. These are not our issues to address.

The DataFlex OAuth 2.0 component is about consuming OAuth 2.0 protected resources - how those are managed behind the scenes is beyond our control.

Mike

Nils G. Svedmyr
14-Nov-2016, 07:30 AM
Hi Mike,

OK, thanks for the info! As you might have guessed, I haven't been using OAuth as of yet.

Michael Mullan
14-Nov-2016, 08:53 AM
Thanks Mike!

"We are not (as yet anyway) providers. We are merely clients. These are not our issues to address."

This is actually the piece of information I needed to have.