[Dailydave] OAuth vulnerabilities, and insane partial disclosure people.
Nate Lawson
nate at root.org
Thu Apr 23 23:37:28 EDT 2009
Matthieu Suiche wrote:
> Dave... You are a very bad guy.
>
> http://groups.google.com/group/oauth/browse_thread/thread/20e12ace524dba3?pli=1
>
> "Please do not speculate or publicly discuss the actual details of this or
> other threats." said Eran
>
> Anyway, details are public now:
> http://www.hueniverse.com/hueniverse/2009/04/explaining-the-oauth-session-fixation-attack.html#more
> http://oauth.net/advisories/2009-1
The overlap between web 2.0 and cryptographers 1.0 is the empty set. See
also "rainbow tables fiasco", wherein web 2.0 redesigned password
salting, poorly.
--
Nate