Earlier this week, I began a discussion on security flaws in OAuth.
OAuth WRAP is supposed to be simpler than OAuth. But that doesn't necessarily mean it's better, as Ben Adida wrote on his Benlog blog:
"The 'access token,' which grants your client the ability to make API calls on a user's behalf, is protected by SSL rather than by a shared secret and signature scheme."
However, he added:
"What's going to happen when someone 'forgets to turn on SSL,' which is all too common when security is abstracted out 'somewhere down in the stack'? Or when we stop dealing with those pesky certificate errors and just choose not to validate the cert, which will leave the protocol wide open to network attackers who can now literally play man-in-the-middle just by spoofing DNS on a wifi network, capturing the token, and replaying it to access all sorts of additional resources, effectively stealing the user's credentials?"
"Clearly the way forward for OAuth is not to dumb it down to the point where any[one] can implement it; the way forward is to write libraries that implement a properly secure version, and have everyone use them."
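To make the replay point concrete, here is an added example (my own code, not from Ben Adida's post and not the OAuth WRAP specification). A toy resource server accepts either a WRAP-style bearer access token, whose only protection is the TLS channel it travels over, or an OAuth 1.0-style request signed with HMAC-SHA1 over a nonce and timestamp. A network attacker who has captured one request of each kind (which is exactly what becomes possible once a client stops validating the server certificate) resends an exact copy. The last function checks the one client-side TLS condition under which a bearer token is safe in transit. The header and parameter formats, the endpoint URL and every credential are assumptions constructed for this illustration, not real wire formats or deployments.

```python
"""Toy model of why a WRAP-style bearer token lives or dies by TLS. Constructed
example: formats, URL and credentials are assumptions, not real wire formats."""
import base64
import hashlib
import hmac
import secrets
import ssl
import time
from urllib.parse import quote

VALID_ACCESS_TOKENS = {"wrap-token-0xdeadbeef"}  # constructed credentials
CONSUMER_SECRET, TOKEN_SECRET = "consumer-secret", "token-secret"
BEARER_PREFIX = "WRAP access_token="
TIMESTAMP_WINDOW = 300  # seconds of clock skew the signed scheme tolerates


def sign(method: str, url: str, params: dict) -> str:
    """HMAC-SHA1 over an OAuth 1.0a style signature base string."""
    normalized = "&".join(
        f"{quote(k, safe='')}={quote(v, safe='')}" for k, v in sorted(params.items())
    )
    base = "&".join(quote(p, safe="") for p in (method.upper(), url, normalized))
    key = f"{quote(CONSUMER_SECRET, safe='')}&{quote(TOKEN_SECRET, safe='')}".encode()
    return base64.b64encode(hmac.new(key, base.encode(), hashlib.sha1).digest()).decode()


class ResourceServer:
    """Toy API server; each handler returns an HTTP-like status code."""

    def __init__(self):
        self.seen_nonces = set()

    def handle_bearer(self, headers: dict) -> int:
        # WRAP style: the token string is the whole credential; nothing binds it to this request.
        auth = headers.get("Authorization", "")
        token = auth[len(BEARER_PREFIX):].strip('"') if auth.startswith(BEARER_PREFIX) else ""
        return 200 if token in VALID_ACCESS_TOKENS else 401

    def handle_signed(self, method: str, url: str, params: dict) -> int:
        # OAuth 1.0 style: freshness, nonce uniqueness, then the signature.
        ts = params.get("oauth_timestamp", "")
        if not ts.isdigit() or abs(time.time() - int(ts)) > TIMESTAMP_WINDOW:
            return 401
        nonce = params.get("oauth_nonce")
        if not nonce or nonce in self.seen_nonces:
            return 401  # replay: this nonce was already accepted
        unsigned = {k: v for k, v in params.items() if k != "oauth_signature"}
        if not hmac.compare_digest(sign(method, url, unsigned), params.get("oauth_signature", "")):
            return 401  # tampered, or forged without the shared secret
        self.seen_nonces.add(nonce)
        return 200


def signed_request(method: str, url: str) -> dict:
    """Client side of the signed call: fresh nonce and timestamp per request."""
    params = {
        "oauth_consumer_key": "consumer-key",
        "oauth_token": "access-token",
        "oauth_nonce": secrets.token_hex(8),
        "oauth_timestamp": str(int(time.time())),
        "oauth_signature_method": "HMAC-SHA1",
    }
    params["oauth_signature"] = sign(method, url, params)
    return params


def replay_scenario() -> dict:
    """An on-path attacker captured one request of each kind and resends a copy."""
    server = ResourceServer()
    url = "https://api.example.test/me"  # assumed endpoint
    bearer = {"Authorization": f'{BEARER_PREFIX}"wrap-token-0xdeadbeef"'}  # WRAP-style header
    signed = signed_request("GET", url)
    tampered = signed_request("GET", url)
    tampered["scope"] = "admin"  # edited after signing
    return {
        "bearer_first": server.handle_bearer(bearer),
        "bearer_replay": server.handle_bearer(dict(bearer)),
        "signed_first": server.handle_signed("GET", url, signed),
        "signed_replay": server.handle_signed("GET", url, dict(signed)),
        "signed_tampered": server.handle_signed("GET", url, tampered),
    }


def bearer_safe_in_transit(ctx: ssl.SSLContext) -> bool:
    """Client-side condition a WRAP library must refuse to relax: chain validated
    and hostname checked. Anything less lets an attacker who spoofs DNS on the
    local network terminate TLS themselves and read the token off the wire."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)


def client_context(validate_cert: bool = True) -> ssl.SSLContext:
    """validate_cert=False is the 'stop dealing with cert errors' shortcut."""
    ctx = ssl.create_default_context()
    if not validate_cert:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    return ctx
```

Running `replay_scenario()` gives 200 for both the original and the replayed bearer request, 200 for the original signed request, and 401 for both the replayed and the edited signed request. The bearer replay keeps working until the token expires or is revoked, which this toy does not model; the signed scheme pays for its resistance with a shared secret on the client and a nonce store on the server, which is precisely the implementation burden WRAP set out to remove. The point Adida makes is that a library, not each application author, should be the one holding the line on `bearer_safe_in_transit`.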