WeChat ID
aaronpk_tv
-
This is a good writeup on some sneaky vulnerabilities in OAuth implementations, but ultimately is just a simple access token injection attack: https://salt.security/blog/oh-auth-abusing-oauth-to-take-over-millions-of-accounts -
The deadline to submit drafts ahead of the IETF meeting in November just passed, and I submitted my last one with 30 minutes to spare! Here are all the docs I'll be discussing:
https://www.ietf.org/archive/id/draft-ietf-oauth-browser-based-apps-15.html
https://www.ietf.org/archive/id/draft-ietf-oauth-resource-metadata-01.html
https://www.ietf.org/archive/id/draft-parecki-oauth-first-party-apps-00.html
https://www.ietf.org/archive/id/draft-parecki-oauth-metadata-for-nested-flows-00.html -
OAuth for Browser-Based Apps Draft 15
After a lot of discussion on the mailing list over the last few months, and after some excellent discussions at the OAuth Security Workshop, we've been working on revising the draft to provide clearer guidance and clearer discussion of the threats and consequences of the various architectural patterns in the draft.continue reading... -
Now that @1Password launched passkey support *and* it's integrated into iOS 17 with the 1Password app, I feel like I can finally actually take the plunge and set up passkeys everywhere!
No more passwords! and the login UX is so much better too! -
It is 2023 and I am still having to explain the dangers of the OAuth Implicit Flow because I am still finding current documentation suggesting otherwise. Time to make another video to follow up on the one from 4 years ago?
-
May the 4th be with you! Brand new OAuth shirts just launched: "I find your lack of security disturbing"
Available in a variety of styles and also as a hacker hoodie!
https://shop.oauth.net/listing/lack-of-security-disturbing?product=46
-
Tomorrow Iβll be speaking at the @OReillyMedia Security Superstream at 8AM PDT with host @ChloeMessdaghi
Get up to speed on techniques & best practices related to OAuth and API security, the OWASP Top 10, & more! Register now: https://www.oreilly.com/live-events/security-superstream-application-security/0636920083707/0636920083706/
https://infosec.exchange/@ChloeMessdaghi/110186693893045342 -
-
Yet another reason why Token Exchange is dangerous π€―π±
"Bing is allowed to issue Office tokens for any logged-on user"
https://twitter.com/hillai/status/1641146523990753290 -
First #ietf116 session of the day is #OAuth complete with custom SD-JWT t-shirts π
@kristinayasuda @dfett42
-
OAuth Support in Bluesky and AT Protocol
Bluesky, a new social media platform and AT Protocol, is unsurprisingly running up against the same challenges and limitations that Flickr, Twitter and many other social media platforms faced in the 2000s: passwords!continue reading... -
another day, another account takeover caused by an open redirector and the OAuth Implicit flow π«
https://salt.security/blog/traveling-with-oauth-account-takeover-on-booking-com -
I'm a big fan of using more secure two-factor authentication methods like a security key or TouchID, but I will admit I never expected charging people to use SMS would be a viable strategy to get them off it π https://blog.twitter.com/en_us/topics/product/2023/an-update-on-two-factor-authentication-using-sms-on-twitter
-
I've given many talks about how mobile apps can't be deployed with a secret, and using Twitter's 2013 "hacks" as an example. I'm just going to leave this completely unrelated string of random characters here for no particular reason
GgDYlkSvaPxGxC4X8liwpUoqKwwr3lCADbz8A7ADU -
PSA: If you use Twitter to sign in to stuff, you should double check you have another way to get in to those accounts asap. With Twitter charging ??? for API access next week, you have no way of knowing whether the apps you use are going to pay that.
-
It's been a while since I've set up an Amazon Echo device. Do I need to come over there and teach some Amazon folks about the OAuth Device Flow? There is a better way than making me type my password on this screen!
-
It's here! My new video course "Advanced OAuth Security" is now available on Udemy!
In this course we break down the jargon in the high-security OAuth specs like PAR, JAR, JARM, DPoP, Mutual TLS, HTTP Signatures and more!
https://oauth2simplified.com/advanced-oauth
-
I've got an ad spot opening up in the new year on https://oauth.net! This is *the* hub for everything about OAuth online. Text-only ads, and usually has a high clickthrough rate!
Get in touch if you'd like to get your business in front of 150,000 people a month! -
OAuth for Browser-Based Apps Draft 12
I just published a revised version of OAuth for Browser-Based Apps based on the feedback and discussion at IETF 115 London!continue reading... -
The Laws of OAuth
The first law of OAuth states that the total number of authorized access tokens must remain constant in an isolated system.continue reading...
