Invision Community 4: SEO, prepare for v5 and dormant account notifications By Matt Monday at 02:04 PM
Clover13 Posted May 2, 2014 Posted May 2, 2014 Here we go again... http://www.cnet.com/news/serious-security-flaw-in-oauth-and-openid-discovered/
Grumpy Posted May 2, 2014 Posted May 2, 2014 I don't really see this akin to heartbleed bug, or even serious. That was something you can exploit vs anyone from anywhere. This is no different than a hacked website + abusing the very notion of using a 3rd party login. Also, it's not as big of a deal as the article makes it look like. Things like facebook login works on a whitelist domain. Many of the 3rd party connect uses callbacks that are set on their application setting rather than the connection source (your server). It negates the issues of sending the info to the wrong place in the first place. Though, if your site is already hacked, then you're screwed anyway. The problem is far too generalized and appears as a problem but most of these services have one type of solution or the other already in place. It's a not a technical flaw, but the very essence of allowing someone else to access your data via connect-like systems.
Recommended Posts
Archived
This topic is now archived and is closed to further replies.