26. September 2010 · Categories: Authentication

OAuth 2.0 security used by Facebook, others called weak.

OAuth 2.0 is sweeping through the industry, becoming the standard method of authentication across multiple web applications/sites. Other methods such as SAML and WS-Security are losing out because they are too difficult for web developers to learn and use.

Unfortunately, there is a growing opinion that in an effort to make OAuth 2.0 simple for developers to use, security was compromised.

The main concern is that rather than using digital signatures to assure that the “tokens” transmitted between sites are not tampered with, the sites simply connect to each other via SSL, which is susceptible to man-in-the-middle attacks.

Eran Hammer-Lahav, Yahoo’s director of standards development and one of the creators of OAuth, said:

“It is clear that once discovery is used, clients will be manipulated to send their tokens to the wrong place, just like people are phished. Any solution based solely on a policy enforced by the client is doomed.”
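An added example, not code from this post, contrasting the two approaches from the paragraph on signatures versus SSL and from the quote above: a bearer token that the transport alone protects, and an HMAC signature bound to the destination host, in the scenario where a client is steered to the wrong endpoint. Host names, the secret and the token value are constructed placeholders.

```python
import hashlib, hmac, secrets, time

# Constructed demo: a client shares a secret with the real resource server
# (placeholder host api.example.com). A bearer token (OAuth 2.0 style, protected
# only by SSL) is compared with an HMAC-signed request (OAuth 1.0 style).
CLIENT_SECRET = "demo-client-secret"   # constructed; never leaves the client
BEARER_TOKEN = "demo-bearer-token"     # constructed; sent on every request


def sign_request(secret, method, host, path, nonce, timestamp):
    # The signature covers the destination host, so it verifies only there.
    base = "&".join([method.upper(), host.lower(), path, nonce, str(timestamp)])
    return hmac.new(secret.encode(), base.encode(), hashlib.sha256).hexdigest()


class ResourceServer:
    """Minimal server that knows the client secret and the bearer token."""
    def __init__(self, host, secret, bearer):
        self.host, self.secret, self.bearer = host.lower(), secret, bearer
        self.seen_nonces = set()

    def accept_bearer(self, token):
        # Whoever holds the token is authorized; nothing ties it to a host.
        return hmac.compare_digest(token, self.bearer)

    def accept_signed(self, method, path, nonce, timestamp, signature):
        # Reject stale or replayed nonces, then recompute over *our* host name.
        if nonce in self.seen_nonces or abs(time.time() - timestamp) > 300:
            return False
        expected = sign_request(self.secret, method, self.host, path, nonce, timestamp)
        if not hmac.compare_digest(expected, signature):
            return False
        self.seen_nonces.add(nonce)
        return True


def misdirected_request_outcome(real_host="api.example.com", rogue_host="rogue.example.net"):
    """Client is tricked into talking to rogue_host (the discovery problem in the
    quote); the rogue host then replays what it captured against the real server."""
    real = ResourceServer(real_host, CLIENT_SECRET, BEARER_TOKEN)
    # Bearer: the captured value *is* the credential, so the replay succeeds.
    bearer_replayed = real.accept_bearer(BEARER_TOKEN)
    # Signed: the client signed for rogue_host, and the secret itself was never sent.
    nonce, ts = secrets.token_hex(8), int(time.time())
    captured_sig = sign_request(CLIENT_SECRET, "GET", rogue_host, "/me", nonce, ts)
    signed_replayed = real.accept_signed("GET", "/me", nonce, ts, captured_sig)
    # A genuine signed request addressed to the real host is still accepted.
    nonce2, ts2 = secrets.token_hex(8), int(time.time())
    good_sig = sign_request(CLIENT_SECRET, "GET", real_host, "/me", nonce2, ts2)
    signed_genuine = real.accept_signed("GET", "/me", nonce2, ts2, good_sig)
    return {"bearer_replayed": bearer_replayed, "signed_replayed": signed_replayed, "signed_genuine": signed_genuine}
```

The signed variant only fixes the misdirection case because the secret stays on the client and the signature names the host; it does nothing for a token that is weak or leaked some other way.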