OAuth WRAP Security Skeptics Speak Out

Earlier this week, I began a discussion on security flaws in OAuth.


OAuth WRAP is supposed to be simpler than OAuth. But that doesn't necessarily mean that it's better, as Ben Adida wrote on his Benlog blog:


"The 'access token,' which grants your client the ability to make API calls on a user's behalf, is protected by SSL rather than by a shared secret and signature scheme."


However, he added:


"What's going to happen when someone 'forgets to turn on SSL,' which is all too common when security is abstracted out 'somewhere down in the stack.' Or when we stop dealing with those pesky certificate errors and just choose not to validate the cert, which will leave the protocol wide open to network attackers who can now literally play man-in-the-middle just by spoofing DNS on a wifi network, capturing the token, and replaying it to access all sorts of additional resources, effectively stealing the user's credentials."


Ben Laurie added on his blog that while simple security protocols are certainly attractive, they are the wrong answer.


"Clearly the way forward for OAuth is not to dumb it down to the point where any[one] can implement it; the way forward is to write libraries that implement a properly secure version, and have everyone use them."
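The difference the two posts are arguing about is whether the access token alone authorises a request (WRAP's bearer model, safe only while the TLS channel holds) or whether a signature binds the token to one specific request. The following Python is an added illustration, not code from the post, from OAuth WRAP or from any OAuth library: it models a bearer resource server beside a signed one and walks through Adida's replay scenario. The client secret, token value, nonce and `api.example` URLs are constructed placeholders, and the signature scheme is a simplified HMAC-SHA256 over a canonical request string rather than the exact OAuth 1.0 algorithm.

```python
import hashlib
import hmac
import secrets
import time
from urllib.parse import quote, urlencode

# Constructed credentials for the example (placeholders, not real values).
CLIENT_SECRET = b"example-client-secret"
ACCESS_TOKEN = "example-access-token"


def base_string(method: str, url: str, params: dict) -> str:
    """Canonical string the signature covers: method, resource URL and every
    parameter, so a captured signature only fits this one request."""
    encoded = urlencode(sorted(params.items()))
    return "&".join([method.upper(), quote(url, safe=""), quote(encoded, safe="")])


def sign_request(method, url, params, nonce=None, timestamp=None):
    """Client side: attach token, nonce and timestamp, then HMAC the whole request."""
    signed = dict(params)
    signed["oauth_token"] = ACCESS_TOKEN
    signed["oauth_nonce"] = nonce or secrets.token_hex(8)
    signed["oauth_timestamp"] = str(timestamp if timestamp is not None else int(time.time()))
    mac = hmac.new(CLIENT_SECRET, base_string(method, url, signed).encode(), hashlib.sha256)
    signed["oauth_signature"] = mac.hexdigest()
    return signed


class SignedResourceServer:
    """Server side: recompute the HMAC and reject stale or repeated nonces."""

    def __init__(self, secret: bytes, window: int = 300):
        self.secret = secret
        self.window = window          # seconds of clock skew tolerated
        self.seen_nonces = set()      # (nonce, timestamp) pairs already accepted

    def verify(self, method, url, params, now=None) -> bool:
        now = int(time.time()) if now is None else now
        params = dict(params)
        presented = params.pop("oauth_signature", None)
        if presented is None:
            return False
        try:
            ts = int(params["oauth_timestamp"])
            nonce = params["oauth_nonce"]
        except (KeyError, ValueError):
            return False
        if abs(now - ts) > self.window:
            return False              # too old: a recording played back later
        if (nonce, ts) in self.seen_nonces:
            return False              # exact replay of a request already served
        expected = hmac.new(self.secret, base_string(method, url, params).encode(),
                            hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, presented):
            return False              # signature was made for a different URL or parameters
        self.seen_nonces.add((nonce, ts))
        return True


class BearerResourceServer:
    """WRAP-style bearer check: possession of the token authorises any resource."""

    def __init__(self, valid_tokens):
        self.valid_tokens = set(valid_tokens)

    def verify(self, method, url, headers) -> bool:
        value = headers.get("Authorization", "")
        return value.startswith("Bearer ") and value[len("Bearer "):] in self.valid_tokens


def compare_replay(now: int = 1_700_000_000) -> dict:
    """Adida's scenario: someone who could read the channel (no TLS, or an
    unvalidated certificate) holds one recorded request for /photos and
    presents what was captured against /contacts, and again against /photos."""
    results = {}
    bearer = BearerResourceServer({ACCESS_TOKEN})
    captured_headers = {"Authorization": f"Bearer {ACCESS_TOKEN}"}
    results["bearer_original"] = bearer.verify("GET", "https://api.example/photos", captured_headers)
    results["bearer_replayed_elsewhere"] = bearer.verify("GET", "https://api.example/contacts", captured_headers)

    server = SignedResourceServer(CLIENT_SECRET)
    captured = sign_request("GET", "https://api.example/photos", {"page": "1"}, nonce="n1", timestamp=now)
    results["signed_original"] = server.verify("GET", "https://api.example/photos", captured, now=now)
    results["signed_replayed_elsewhere"] = server.verify("GET", "https://api.example/contacts", captured, now=now)
    results["signed_replayed_same"] = server.verify("GET", "https://api.example/photos", captured, now=now)
    results["signed_stale"] = server.verify("GET", "https://api.example/photos", captured, now=now + 3600)
    return results


if __name__ == "__main__":
    for name, accepted in compare_replay().items():
        print(f"{name:28s} accepted={accepted}")
```

The bearer server accepts the captured token for every resource, which is exactly why Adida says the whole design rests on SSL being on and the certificate being validated. The signed server accepts only the original request; the same capture fails against another URL, fails a second time against the same URL, and fails once it is outside the timestamp window. That is also the trade Laurie is pointing at: the signed variant needs a canonical base string, nonce storage and clock handling that are easy to get wrong when hand-rolled, so it belongs in a library rather than in every client.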
