Comments on: OAuth: Looks Phishy

By: Eran Hammer-Lahav

Eran Hammer-Lahav — Tue, 11 Sep 2007 02:47:11 +0000

The consumer (website) has to “ask the user to grant access” in order to get the user’s protected resources. OAuth does not say how the service provider is going to do that. The same way some OpenID vendors do not allow you to sign-in from a redirection, OAuth providers can ask you to first sign-in and then come back to approve access.

OAuth cannot help careless users, and phishing is all about not paying attention to what you do. The goal is to allow you to give a 3rd party access to you resources without sharing your password.

You also need to keep in mind that one of the OAuth design goals has been to keep it as simple as possible and easy to implement. If you make it too hard, those 3rd party apps will just ask for your password and screen scrap your data as they do today.

Quechup didn’t use phishing to spam everyone, they just nicely asked for your password and then abused it. They could have as easily placed a few charges to your Google Checkout account.

By: rsayre

rsayre — Tue, 28 Aug 2007 21:25:32 +0000

“It will encourage users to enter their username and password only into sites that they have accounts on.”

Well, phishing preys upon that tendency.

By: Ian McKellar

Ian McKellar — Tue, 28 Aug 2007 18:09:16 +0000

It will encourage users to enter their username and password only into sites that they have accounts on. So to give a service access to my twitter account I only enter my twitter password into twitter’s servers. And even better I don’t enter it because my password is autofilled by my browser. Even better is that it can use my session cookie to verify me and then merely prompt me to ask if I want to allow this application to access my data. Best of all, if the site is using OpenID I’m only signed into my identity provider.

OAuth is only slightly less phishable by default than what has come before, but it has the potential to be way better.