On Nov 2, 2023, at 16:14, Hannes Tschofenig <Hannes.Tschofenig@xxxxxxx> wrote:
>
> https://salt.security/blog/oh-auth-abusing-oauth-to-take-over-millions-of-accounts

Not sure I like this website too much. They call OAuth (2) a “protocol”, when it really is a framework.

> In this attack, from my understanding, the problem was that access token verification was not done properly.

I only had time to read up to:

> according to the Facebook documentation, when Vidio.com receives the access token from the user, Vidio should verify that the access token was generated to its App ID (92356) by calling the https://graph.facebook.com/debug_token API.

You can’t make this one up. “debug_token”.

Regards,
Carsten

--
last-call mailing list
last-call@xxxxxxxx
https://www.ietf.org/mailman/listinfo/last-call
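The verification step the quoted Facebook guidance describes, written out as an added example (not code from the thread, Salt Security, or Vidio): the relying party introspects the token it received and accepts it only if the introspection says it is valid, unexpired, and issued to the relying party's own App ID, so a genuine token minted for some other app is rejected. It assumes the `debug_token` endpoint answers with a JSON body of the form `{"data": {"app_id", "is_valid", "user_id", "expires_at"}}`; the sample responses below are constructed.

```python
import json
import time
from typing import Optional, Tuple

# App ID quoted from the Facebook guidance in the thread; used as the expected audience.
EXPECTED_APP_ID = "92356"


def verify_debug_token_response(body: str, expected_app_id: str,
                                now: Optional[int] = None) -> Tuple[bool, str]:
    """Check the JSON body returned by the debug_token introspection endpoint.

    Returns (accepted, reason). Accepted only when the token is marked valid,
    is not expired, is bound to a user, and was issued to *our* app; a valid
    token issued to a different app fails the audience check.
    (Response field names are assumed, see lead-in.)
    """
    now = int(time.time()) if now is None else now
    try:
        data = json.loads(body)["data"]
    except (ValueError, KeyError, TypeError):
        return False, "malformed introspection response"
    if not data.get("is_valid", False):
        return False, "token not valid"
    # Audience check: the token must have been issued to this app, not merely be valid.
    if str(data.get("app_id")) != expected_app_id:
        return False, "token issued to a different app"
    expires_at = data.get("expires_at", 0)
    if expires_at and expires_at <= now:
        return False, "token expired"
    if not data.get("user_id"):
        return False, "no user bound to token"
    return True, "ok"


# Constructed sample responses, not real Facebook data.
OWN_APP = json.dumps({"data": {"app_id": "92356", "is_valid": True,
                               "user_id": "1001", "expires_at": 2000000000}})
OTHER_APP = json.dumps({"data": {"app_id": "999999", "is_valid": True,
                                 "user_id": "1001", "expires_at": 2000000000}})

if __name__ == "__main__":
    for label, body in (("own app", OWN_APP), ("other app", OTHER_APP)):
        print(label, verify_debug_token_response(body, EXPECTED_APP_ID, now=1700000000))
```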