by tonywok
4432 days ago
I'm familiar with the OAuth2 spec (RFC 6749). I can't find enough details to actually understand the claimed vulnerability. Does it affect a specific flow? It sounds like the Implicit Grant (http://tools.ietf.org/html/rfc6749#section-4.2).

> Covert Redirect flaw uses the real site address for authentication.

That is so vague. Are they claiming the attacker is hijacking the redirect_uri parameter? Are they saying that these third parties aren't comparing the redirect_uri? I can't think of an OAuth2 server I've interacted with as a developer that hasn't required you to register a redirect_uri. Anyone have more details?
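The redirect_uri comparison the post asks about, as an added example that is not part of the original post and not any real provider's code. RFC 6749 section 3.1.2.3 says that when a client registered its full redirection URI, the authorization server compares the request's redirect_uri to it with simple string comparison, and section 4.1.2.1 says a mismatching redirect_uri must not be redirected to. The block contrasts that strict check with a weaker host-only check and shows what each lets through. The client id, registered URI and the two request URIs are constructed for the illustration; they are not taken from the page or from the Covert Redirect write-up.

```python
"""Added example: strict versus lax redirect_uri validation at an OAuth2
authorization server. All identifiers and URIs below are constructed."""
from urllib.parse import urlencode, urlsplit, urlunsplit

# Constructed registry: the full redirect URIs each client registered at
# signup (the registration RFC 6749 section 3.1.2.2 expects).
REGISTERED_REDIRECT_URIS = {
    "client-123": {"https://app.example.com/oauth/callback"},
}


def lax_host_match(client_id, redirect_uri, registry=REGISTERED_REDIRECT_URIS):
    """Weak check: accept any redirect_uri whose scheme and host match a
    registered URI, ignoring path and query. A site-level match like this
    is what a 'uses the real site address' redirect_uri would slip past."""
    candidate = urlsplit(redirect_uri)
    for registered in registry.get(client_id, ()):
        known = urlsplit(registered)
        if (candidate.scheme, candidate.netloc) == (known.scheme, known.netloc):
            return True
    return False


def strict_match(client_id, redirect_uri, registry=REGISTERED_REDIRECT_URIS):
    """The check RFC 6749 section 3.1.2.3 prescribes for a fully registered
    URI: simple string comparison. Section 3.1.2 also forbids a fragment in
    the redirection endpoint URI, so reject one explicitly."""
    if "#" in redirect_uri:
        return False
    return redirect_uri in registry.get(client_id, ())


def authorization_response(client_id, redirect_uri, code, validator):
    """Build the Location the server would send after the user consents, or
    None when redirect_uri fails the validator (RFC 6749 section 4.1.2.1:
    never redirect to an invalid or mismatching redirect_uri)."""
    if not validator(client_id, redirect_uri):
        return None
    parts = urlsplit(redirect_uri)
    query = parts.query + ("&" if parts.query else "") + urlencode({"code": code})
    return urlunsplit((parts.scheme, parts.netloc, parts.path, query, ""))


# Constructed request URIs: the registered callback, and a different path on
# the same host carrying a 'to=' parameter the way an open redirector would.
LEGITIMATE_URI = "https://app.example.com/oauth/callback"
SAME_HOST_OTHER_PATH = "https://app.example.com/redirect?to=https://attacker.example/"


def demo():
    """Return (lax_result, strict_result) for the same-host request so the
    difference between the two checks is visible as data."""
    return (
        authorization_response("client-123", SAME_HOST_OTHER_PATH, "c0de", lax_host_match),
        authorization_response("client-123", SAME_HOST_OTHER_PATH, "c0de", strict_match),
    )


if __name__ == "__main__":
    lax, strict = demo()
    print("lax host match sends the code to:", lax)
    print("strict match sends the code to:", strict)
```

Running it shows the lax check handing the authorization code to a URL on the real site's host but at a path the client never registered, while the strict check returns None and the server would show the user an error instead. Whether a given provider actually does host-level or exact matching is exactly the detail the post is asking for; the example only makes the two options concrete.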