
To me it seems hyperbolic to call it the "Achilles heel of OAuth [2.0]." Other OAuth providers than Facebook are smart enough to make the redirect_uri constant. Then the attack surface is reduced from the whole of mydomain.com to mydomain.com/whatever-redirect_uri-is. For those, the attack needs to be sophisticated enough to interfere with that specific URL. But if the client site is owned that hard, it's lost anyway.

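The two redirect_uri policies contrasted in the comment above, as an added example that is not part of the thread: a host-only check (any page on the registered host passes) beside an exact-match check. The registered callback URI is a constructed value, not from the thread.

```python
from urllib.parse import urlsplit

# Constructed registered redirect target for a hypothetical OAuth client.
REGISTERED_REDIRECT_URI = "https://mydomain.com/oauth/callback"


def _normalize(uri):
    """Split a URI into comparable parts: lowercase scheme/host, explicit port,
    path defaulting to "/", plus raw query and fragment."""
    parts = urlsplit(uri)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    port = parts.port
    if port is None:
        port = {"https": 443, "http": 80}.get(scheme)
    path = parts.path or "/"
    return scheme, host, port, path, parts.query, parts.fragment


def redirect_allowed_host_only(requested, registered=REGISTERED_REDIRECT_URI):
    """Loose policy: accept any URI on the registered scheme/host/port.
    The attack surface is every page on the host, not just the callback."""
    reg = _normalize(registered)[:3]
    req = _normalize(requested)[:3]
    return reg == req


def redirect_allowed_exact(requested, registered=REGISTERED_REDIRECT_URI):
    """Strict policy: scheme, host, port and path must match the registered
    value exactly, and the requested URI may carry no query or fragment."""
    r_scheme, r_host, r_port, r_path, _, _ = _normalize(registered)
    q_scheme, q_host, q_port, q_path, q_query, q_frag = _normalize(requested)
    if q_query or q_frag:
        return False
    return (r_scheme, r_host, r_port, r_path) == (q_scheme, q_host, q_port, q_path)


def compare_policies(requested):
    """Return (host_only_decision, exact_decision) for one requested redirect_uri."""
    return redirect_allowed_host_only(requested), redirect_allowed_exact(requested)
```

Running compare_policies over a handful of constructed URIs shows where the two policies diverge: only the exact check rejects other pages on mydomain.com.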

The client credentials threat is in OAuth1 too.


Right, but other OAuth2 providers than Facebook aren't vulnerable to the redirect_uri hack you are describing, are they?


Not sure, I didn't check all of them.

Also, Facebook is 90% of OAuth.



