OAuth: Looks Phishy
August 27th, 2007
Reading http://oauth.googlecode.com/svn/trunk/spec/oauth.txt: “Web-based Consumers redirect the User to the Authorization Endpoint URL.” and “Desktop-based Consumers first obtain a Single-Use Token by making a request to the API Endpoint URL then direct the User to the Authorization Endpoint URL.”
Maybe I’m missing something, but doesn’t this train users to enter their credentials into web pages they’ve been redirected to?
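To make the two redirect steps concrete, here is an added example (not code from the post, the spec draft, or any OAuth library) of what a web-based consumer does before it sends the user to the Authorization Endpoint: it signs the request for a single-use (request) token, then builds the redirect, but only after checking that the target is the provider's own endpoint over HTTPS. That check is the consumer-side half of the "am I being sent somewhere phishy" question. Parameter names follow the final OAuth 1.0 wire format (RFC 5849); the 2007 draft quoted above differs in details. The provider host, consumer key and secret, callback URL, nonce and timestamp are all constructed values.

```python
"""OAuth 1.0-style web consumer: signed request-token call, then a guarded
redirect to the provider's Authorization Endpoint (added example, not from
the original post). All hosts, keys and secrets below are assumed values."""
import base64
import hashlib
import hmac
import secrets
import time
from urllib.parse import parse_qsl, quote, urlencode, urlparse, urlunparse

# Assumed provider and consumer details; none of these come from the post.
PROVIDER_HOST = "api.example-provider.test"
REQUEST_TOKEN_URL = f"https://{PROVIDER_HOST}/oauth/request_token"
AUTHORIZE_URL = f"https://{PROVIDER_HOST}/oauth/authorize"
CONSUMER_KEY = "consumer-key-123"
CONSUMER_SECRET = "consumer-secret-456"


def pct(value):
    """RFC 5849 percent-encoding: only A-Z a-z 0-9 - . _ ~ stay unencoded."""
    return quote(str(value), safe="-._~")


def signature_base_string(method, url, params):
    """Signature base string per RFC 5849 section 3.4.1:
    METHOD & enc(base URL) & enc(normalized sorted parameters).
    Query parameters in the URL are merged with the oauth_* parameters."""
    u = urlparse(url)
    base_url = urlunparse((u.scheme.lower(), u.netloc.lower(), u.path, "", "", ""))
    pairs = list(params.items()) + parse_qsl(u.query, keep_blank_values=True)
    encoded = sorted((pct(k), pct(v)) for k, v in pairs)
    normalized = "&".join(f"{k}={v}" for k, v in encoded)
    return "&".join([method.upper(), pct(base_url), pct(normalized)])


def hmac_sha1_signature(base_string, consumer_secret, token_secret=""):
    """HMAC-SHA1 over the base string; key is enc(consumer secret)&enc(token secret).
    For the request-token call there is no token secret yet, so the key ends in '&'."""
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    digest = hmac.new(key, base_string.encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()


def signed_request_token_params(callback_url, nonce=None, timestamp=None):
    """Step 1 for a web consumer: the signed parameters it POSTs to the API
    Endpoint to obtain a single-use (request) token. The user is not involved
    and no user credential is ever sent to the consumer."""
    params = {
        "oauth_consumer_key": CONSUMER_KEY,
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_timestamp": str(timestamp if timestamp is not None else int(time.time())),
        "oauth_nonce": nonce or secrets.token_urlsafe(16),
        "oauth_version": "1.0",
        "oauth_callback": callback_url,
    }
    base = signature_base_string("POST", REQUEST_TOKEN_URL, params)
    params["oauth_signature"] = hmac_sha1_signature(base, CONSUMER_SECRET)
    return params


def is_trusted_authorization_url(url):
    """Redirect guard: the user may only be sent to the configured provider
    endpoint, over HTTPS, on exactly that host. urlparse().hostname strips
    userinfo and port, so lookalike hosts and user@host tricks both fail."""
    u = urlparse(url)
    expected = urlparse(AUTHORIZE_URL)
    return (
        u.scheme == "https"
        and u.hostname == expected.hostname
        and u.username is None
        and u.password is None
        and u.path == expected.path
    )


def authorization_redirect(request_token, authorize_url=AUTHORIZE_URL):
    """Step 2: the Location the consumer redirects the user to. Refuses any
    target that is not the provider's own Authorization Endpoint, so neither
    a bad config value nor an attacker-supplied URL can turn the consumer
    into a hop that trains users to type passwords into the wrong site."""
    if not is_trusted_authorization_url(authorize_url):
        raise ValueError(f"refusing to redirect user to untrusted URL: {authorize_url}")
    return f"{authorize_url}?{urlencode({'oauth_token': request_token})}"


if __name__ == "__main__":
    p = signed_request_token_params("https://consumer.test/cb")
    print("POST", REQUEST_TOKEN_URL, p)
    print("Location:", authorization_redirect("assumed-request-token"))
```

The redirect guard is the part worth copying: the provider's host and path are fixed in the consumer's configuration, and the comparison is on the parsed hostname rather than a substring match, which is what defeats `provider.test.evil.test` and `provider.test@evil.test` style lookalikes. What the user sees on the provider's own page after the redirect (a login form, or just an "allow this application?" prompt against an existing session) is up to the provider, as the comments below discuss.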
August 28th, 2007 at 10:09 am
It will encourage users to enter their username and password only into sites that they have accounts on. So to give a service access to my Twitter account, I only enter my Twitter password into Twitter’s servers. And, even better, I don’t enter it, because my password is autofilled by my browser. Even better is that it can use my session cookie to verify me and then merely prompt me to ask if I want to allow this application to access my data. Best of all, if the site is using OpenID I’m only signed into my identity provider.
OAuth is only slightly less phishable by default than what has come before, but it has the potential to be way better.
August 28th, 2007 at 1:25 pm
“It will encourage users to enter their username and password only into sites that they have accounts on.”
Well, phishing preys upon that tendency.
September 10th, 2007 at 6:47 pm
The consumer (website) has to “ask the user to grant access” in order to get the user’s protected resources. OAuth does not say how the service provider is going to do that. The same way some OpenID vendors do not allow you to sign in from a redirection, OAuth providers can ask you to first sign in and then come back to approve access.
OAuth cannot help careless users, and phishing is all about not paying attention to what you do. The goal is to allow you to give a 3rd party access to your resources without sharing your password.
You also need to keep in mind that one of the OAuth design goals has been to keep it as simple as possible and easy to implement. If you make it too hard, those 3rd party apps will just ask for your password and screen scrape your data as they do today.
Quechup didn’t use phishing to spam everyone; they just nicely asked for your password and then abused it. They could have just as easily placed a few charges to your Google Checkout account.