Categories: Mobile Security, Vulnerabilities

Comments (2)

  1. As

    This is no OAuth vulnerability; anybody who has had to deal with an OAuth implicit flow implementation server side knows that he has to validate the user ID sent by the client.
    Anything sent from the client should never be trusted.

  2. Alex

    I think that the key problem which they identify in that paper (having read it) is that recipients of the token were not validating the signature, and thus were unaware that the token had been tampered with. It sounds as though the ultimate recipients of the token failed to do the absolute basics, which is validate the signature of the received token.

    There are methods of forging signatures by fiddling with a JWT header or guessing poorly chosen secrets of course, but at least checking the signature would have dramatically reduced the vulnerability here.
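The two comments above make the same point from different angles: the server must not trust a user ID (or any claim) the client hands it, and with JWTs that means checking the signature and pinning the algorithm before reading the payload. The following is an added example, not code from the original post, the paper it discusses, or either commenter. It implements a minimal HS256 JWT signer and verifier with only the Python standard library; the secret, the clock value `FIXED_NOW`, the claim names and the helper names (`user_id_unverified`, `user_id_verified`, `tamper_payload`, `forge_with_alg_none`, `brute_force_secret`) are all constructed for the demonstration. The unverified reader happily returns an attacker-chosen `sub`; the verified reader rejects a tampered payload, an `alg: none` header, a wrong key and an expired token.

```python
"""Added example: why a JWT recipient must verify the signature and pin the
algorithm before trusting 'sub'. Standard library only; all inputs constructed."""
import base64
import hashlib
import hmac
import json
import time
from typing import Iterable, Optional


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    # Re-add the '=' padding that JWS base64url strips (RFC 7515 appendix C)
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _json(obj) -> bytes:
    return json.dumps(obj, separators=(",", ":")).encode()


def sign_hs256(claims: dict, secret: bytes) -> str:
    """Issue an HS256 token (issuer side)."""
    signing_input = _b64url_encode(_json({"alg": "HS256", "typ": "JWT"})) + "." + _b64url_encode(_json(claims))
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def user_id_unverified(token: str) -> str:
    """The mistake the comments describe: read 'sub' straight out of the
    payload without ever checking the signature."""
    _, payload_b64, _ = token.split(".")
    return json.loads(_b64url_decode(payload_b64))["sub"]


def user_id_verified(token: str, secret: bytes, now: Optional[float] = None) -> Optional[str]:
    """Hardened recipient: pin alg to HS256 (rejects 'none' and key-confusion
    tricks), constant-time HMAC compare, expiry check, then and only then 'sub'."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        sig = _b64url_decode(sig_b64)
    except (ValueError, UnicodeDecodeError):
        return None
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return None
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return None
    claims = json.loads(_b64url_decode(payload_b64))
    current = time.time() if now is None else now
    if not isinstance(claims, dict) or claims.get("exp", 0) <= current:
        return None
    return claims.get("sub")


def tamper_payload(token: str, new_sub: str) -> str:
    """Attacker: change 'sub' but keep the original, now invalid, signature."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    claims = json.loads(_b64url_decode(payload_b64))
    claims["sub"] = new_sub
    return header_b64 + "." + _b64url_encode(_json(claims)) + "." + sig_b64


def forge_with_alg_none(token: str, new_sub: str) -> str:
    """Attacker: rewrite the header to alg 'none', change 'sub', drop the signature."""
    _, payload_b64, _ = token.split(".")
    claims = json.loads(_b64url_decode(payload_b64))
    claims["sub"] = new_sub
    return _b64url_encode(_json({"alg": "none", "typ": "JWT"})) + "." + _b64url_encode(_json(claims)) + "."


def brute_force_secret(token: str, candidates: Iterable[bytes], now: float) -> Optional[bytes]:
    """Attacker: a weak HS256 secret is recoverable offline from one valid token."""
    return next((c for c in candidates if user_id_verified(token, c, now) is not None), None)


SECRET = b"constructed-demo-secret-not-for-production"  # constructed for the example
FIXED_NOW = 1_700_000_000  # constructed clock so results are deterministic


def demo() -> dict:
    token = sign_hs256({"sub": "alice", "exp": FIXED_NOW + 3600}, SECRET)
    weak = sign_hs256({"sub": "alice", "exp": FIXED_NOW + 3600}, b"secret")
    return {
        "genuine": user_id_verified(token, SECRET, FIXED_NOW),
        "unverified_sees_tampered": user_id_unverified(tamper_payload(token, "admin")),
        "verified_rejects_tampered": user_id_verified(tamper_payload(token, "admin"), SECRET, FIXED_NOW),
        "verified_rejects_alg_none": user_id_verified(forge_with_alg_none(token, "admin"), SECRET, FIXED_NOW),
        "guessed_weak_secret": brute_force_secret(weak, [b"password", b"secret", b"123456"], FIXED_NOW),
    }


if __name__ == "__main__":
    print(demo())
```

The verifier rejects before it ever parses the payload as trusted data, and the algorithm is fixed by the server's own configuration rather than read from the token, which is what closes the `alg: none` and HMAC/RSA confusion paths the second comment alludes to. Note that pinning the algorithm does nothing against the other failure mode mentioned: a guessable secret still lets an attacker mint valid tokens, as `brute_force_secret` shows.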
