Categories: Privacy, Social Engineering, Vulnerabilities, Web Security

Comments (2)

  1. Chris

    Could this problem be solved with public/private key cryptography? When Facebook gives you back a token, could they encrypt the token with the legitimate application’s public key, such that the legitimate application would be the only entity in a position to decrypt the token with their own private key.

  2. Franco

    Facebook, Google, etc. are still usable if you log in directly, but Paypal’s whole business model depends on openid and oauth. When you use Paypal to buy something, you click on a link in the seller’s page, which requires OAuth in order to pay for the item via Paypal.
    I hope that means that Paypal will step up and try to do something about this.

Comments are closed.