Re: RFC 8252 is a complete joke

On 6/21/23 2:19 AM, Raghu Saxena wrote:
> Unfortunately I don't think it is remotely possible to educate the general public enough about OAuth and why using a browser to authenticate is important. The RFC even recommends "in-app browsers", which are not secure at all. I mean, after all, TikTok was previously injecting JS into websites via their website to log keystrokes "for debugging purposes" (Ref: https://www.macrumors.com/2022/08/18/felix-krause-in-app-browser-javascript-tool/)
>
> People are trusting in general, and OAuth via a native app looks natural enough that it is trivial to phish credentials in such a manner. In fact there are quite convincing Steam phishing attacks that seem to be prompting for OAuth, but they actually just generate a "browser window" in the fake website via pure CSS/JS.
>
> Anyway, I don't think an RFC can really solve it, since OAuth 2.0 is already everywhere.

I agree that the horse has long escaped the barn, but making a BCP makes it sound like the horse is still there. IETF can make the BCP historic, though, and better yet it should document how flawed OAuth and its assumptions are in the real world. It's amazing to me that it isn't exploited more in the real world. Or maybe it is and we just don't know about it. Yet. The powers that be didn't care when I first brought this up, and they will probably not care this time around either.

Mike