[OAUTH-WG] OAuth 2 fun... for some values of fun.

William Mills <wmills_92105@yahoo.com> Fri, 04 January 2013 23:44 UTC

Message-ID: <1357343046.53864.YahooMailNeo@web31807.mail.mud.yahoo.com>
Date: Fri, 04 Jan 2013 15:44:06 -0800
From: William Mills <wmills_92105@yahoo.com>
To: O Auth WG <oauth@ietf.org>
Subject: [OAUTH-WG] OAuth 2 fun... for some values of fun.

FYI

http://prosecco.gforge.inria.fr/CVE/Facebook_JS_2012.html


"As a part of our study of various security-critical JavaScript SDKs we
did an analysis of the Facebook Connect JS SDK. Since they use the HTML5-based
postMessage API we were specifically interested in the way the
origins were validated. We managed to bypass the origin validation by
exploiting 3 different bugs in their SDK."
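As an added example, not taken from this e-mail or from the Prosecco report (which does not say what the three bugs were): a strict postMessage origin check beside a weak substring check of the kind that commonly fails, with constructed origin names (`example-sdk.test`, `attacker.test`) standing in for a real SDK's hosts.

```javascript
// Added illustration of postMessage origin validation. The weak pattern
// below is a generic pitfall assumed for the example, not a description
// of the Facebook SDK bugs. Origin names are constructed.

// Origins the receiver trusts: exact scheme://host[:port] strings.
const TRUSTED_ORIGINS = new Set([
  "https://www.example-sdk.test",
  "https://api.example-sdk.test",
]);

// Weak check: an unanchored substring test (the same flaw appears with
// unanchored regexes or startsWith on a host prefix). It accepts
// "https://www.example-sdk.test.attacker.test" and plain http://.
function weakOriginCheck(origin) {
  return origin.indexOf("example-sdk.test") !== -1;
}

// Strict check: parse with the URL parser, which normalises case and
// default ports and moves any "user@" part out of the host, then compare
// the serialised origin against the allow-list. Opaque "null" origins
// (sandboxed frames, file://) and unparseable strings are rejected.
function strictOriginCheck(origin) {
  if (typeof origin !== "string" || origin === "null") return false;
  let parsed;
  try {
    parsed = new URL(origin);
  } catch (e) {
    return false;
  }
  return TRUSTED_ORIGINS.has(parsed.origin);
}

// Receiver side: decide on event.origin before touching event.data.
// Returns the accepted payload, or null when the message is dropped.
function handleSdkMessage(event) {
  if (!strictOriginCheck(event.origin)) return null;
  return event.data;
}

// Sender side: never post a message carrying tokens with targetOrigin "*";
// name the exact origin so the browser discards it if the frame navigated.
function sendToSdkFrame(frameWindow, payload, targetOrigin) {
  if (!TRUSTED_ORIGINS.has(targetOrigin)) {
    throw new Error("refusing to post to untrusted targetOrigin");
  }
  frameWindow.postMessage(payload, targetOrigin);
}
```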