Categories: Privacy, Social Engineering, Vulnerabilities, Web Security

Comments (2)

  1. Chris

    Could this problem be solved with public/private key cryptography? When Facebook gives you back a token, could they encrypt the token with the legitimate application’s public key, such that the legitimate application would be the only entity in a position to decrypt the token with their own private key?
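As an added illustration of the scheme Chris proposes (example code written for this page, not taken from the original post or from Facebook's implementation): the provider seals the token with RSA-OAEP to the client's registered public key, and only the holder of the matching private key can open it. The function names `sealToken`, `openToken` and `RoundTrip`, the OAEP label and the sample token are all constructed for this example.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// oaepLabel is a constructed context label; the sealing and opening sides
// must agree on it or decryption fails.
var oaepLabel = []byte("oauth-access-token")

// sealToken is the hypothetical provider-side step: the token is encrypted
// with RSA-OAEP to the client's registered public key before it is sent
// back through the user agent.
func sealToken(token []byte, clientPub *rsa.PublicKey) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, clientPub, token, oaepLabel)
}

// openToken is the client-side step: only the holder of the matching private
// key recovers the plaintext token. The random source is not used for
// decryption, so nil is passed.
func openToken(sealed []byte, clientPriv *rsa.PrivateKey) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), nil, clientPriv, sealed, oaepLabel)
}

// RoundTrip generates two constructed client key pairs, seals a sample token
// to the legitimate client, and reports whether that client recovered it and
// whether a different key holder was unable to.
func RoundTrip() (legitRecovered bool, otherFailed bool, err error) {
	legit, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return false, false, err
	}
	other, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return false, false, err
	}

	// Constructed sample token; a real one would be opaque provider data.
	token := []byte("sample-token-constructed-for-example")
	sealed, err := sealToken(token, &legit.PublicKey)
	if err != nil {
		return false, false, err
	}

	got, err := openToken(sealed, legit)
	if err != nil {
		return false, false, err
	}
	legitRecovered = string(got) == string(token)

	// A party holding any other private key gets a decryption error, not the token.
	_, err = openToken(sealed, other)
	otherFailed = err != nil
	return legitRecovered, otherFailed, nil
}

func main() {
	ok, failed, err := RoundTrip()
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Printf("legitimate client recovered token: %v\n", ok)
	fmt.Printf("other key holder failed to decrypt: %v\n", failed)
}
```

Note that this only keeps the token value confidential in transit to the wrong party; the provider still has to decide which registered client key to seal to, and that decision is exactly what a misdirected redirect tries to subvert, so the scheme complements rather than replaces strict redirect URI validation.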

  2. Franco

    Facebook, Google, etc. are still usable if you log in directly, but PayPal’s whole business model depends on OpenID and OAuth. When you use PayPal to buy something, you click on a link in the seller’s page, which requires OAuth in order to pay for the item via PayPal.
    I hope that means that PayPal will step up and try to do something about this.
