
The OAuth spec actually does address whitelisting redirect_uris. This threat is discussed in section 4.1.5 of the OAuth 2.0 spec here: http://tools.ietf.org/html/draft-ietf-oauth-v2-threatmodel-0...

Oddly, Facebook has chosen not to follow this recommendation. So any website that integrates Facebook OAuth must ensure that it contains no open redirects, or it can be hacked in this way. This is worrisome because open redirects would not otherwise be considered much of a security problem.



Hopefully not too oddly: Facebook was one of the first OAuth 2.0 implementations, and the additional benefits of requiring stricter pre-registration were not initially apparent. An unfortunate oversight. For kicks: compare section 5.2.3.5 in v00 with v01.

Changing the implementation at this point is a daunting task (for both Facebook and our developers) but we do hope to offer it as part of a future migration.


Interesting. I didn't know that detail but it explains a lot. Hopefully it won't be too long until you address this!


> This is worrisome because open-redirects would not otherwise be considered much of a security problem

Yeah, indeed. It becomes a problem for OAuth only. And, wait, Facebook is pwned, so it's he who MUST worry, not clients.

The spec is very long and has many interesting discussions, but have a look at the real world: neither Facebook nor Twitter whitelists redirect_uri.
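To make the thread's point concrete, here is an added example (not code from any of the commenters or from Facebook): an authorization server's redirect_uri check written two ways. The domain-only match lets any open-redirect endpoint on the client's host receive the authorization code; the whitelist match against the pre-registered URI, as the threat-model draft recommends, does not. Client id, hostnames and the open-redirect path are constructed placeholders.

```python
from urllib.parse import urlsplit

# Constructed registration data: the exact callback each client pre-registered.
REGISTERED = {
    "client-123": ["https://client.example/oauth/callback"],
}


def _normalize(uri: str) -> str:
    """Canonical form for comparison: lower-case scheme and host, drop the
    default port, keep path and query verbatim (they are part of the match)."""
    p = urlsplit(uri)
    host = (p.hostname or "").lower()
    port = f":{p.port}" if p.port and p.port not in (80, 443) else ""
    query = f"?{p.query}" if p.query else ""
    return f"{p.scheme.lower()}://{host}{port}{p.path}{query}"


def loose_check(client_id: str, redirect_uri: str) -> bool:
    """Domain-only match: accepts every path on the registered host, so an
    open redirector such as /redirect?next=... on that host passes too."""
    want = urlsplit(REGISTERED.get(client_id, [""])[0])
    got = urlsplit(redirect_uri)
    return (
        got.scheme.lower() == want.scheme.lower()
        and (got.hostname or "").lower() == (want.hostname or "").lower()
    )


def strict_check(client_id: str, redirect_uri: str) -> bool:
    """Whitelist match: the presented redirect_uri must equal one
    pre-registered URI after normalization, use https, and carry no
    fragment. A redirector endpoint on the same host is rejected."""
    p = urlsplit(redirect_uri)
    if p.fragment or p.scheme.lower() != "https":
        return False
    allowed = {_normalize(u) for u in REGISTERED.get(client_id, [])}
    return _normalize(redirect_uri) in allowed
```

A provider that only passes loose_check leaves every integrating site's open redirects in scope, which is exactly why the thread treats them as a security problem for OAuth clients.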



