Hi Nadeo Team,
Are you aware of the security issue concerning OAuth? Is ManiaConnect concerned?
Source: http://www.cnet.com/news/serious-securi ... discovered
I have configured ManiaConnect with phpBB and I will soon share the source code of my work with the community. I hope there is no risk before ^^
[CNET New]Serious security flaw in OAuth, OpenID discovered
Moderator: NADEO
Re: [CNET New]Serious security flaw in OAuth, OpenID discove
There's no problem with the Maniaplanet Web Service, I think, because they implemented the OAuth 2.0 standard, which means you have to specify the domain of the redirect. And it's not a security problem of OAuth or OpenID; it's because of wrong implementations by Facebook and co. to make it easier for developers.
Jojo
Re: [CNET New]Serious security flaw in OAuth, OpenID discove
I have understood the same, and I hope we are both right.
But maybe others were wondering about that, and the point of view from Nadeo is interesting.

Re: [CNET New]Serious security flaw in OAuth, OpenID discove
Jojo_44 wrote: There's no problem [...] you have to specify the domain of the redirect.
True

Jojo_44 wrote: wrong implementations of Facebook and co to make it easier for developers
They aren't actually wrong implementations. The OAuth2 RFC went through lots of drafts, and was pretty much abandoned in the end; each provider implements a different version of the draft.
Edit: there is actually a final version (http://tools.ietf.org/html/rfc6749), so one might say they have wrong implementations.
Please do not PM for support. Instead, create a thread so that everyone can contribute or benefit from the answer! 
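
As an added example (not part of the thread, and not ManiaConnect's or Nadeo's code), this sketch contrasts a provider that checks only the domain of the redirect with one that compares the full redirect_uri against the registered value. The client id, URLs and function names are constructed for illustration.

```python
from urllib.parse import urlsplit

REGISTERED = {}  # client_id -> set of registered redirect URIs


def register(client_id, uri):
    """Store a redirect URI. RFC 6749 section 3.1.2 requires an absolute URI
    without a fragment; requiring https is a policy choice made here."""
    p = urlsplit(uri)
    if p.scheme != "https" or not p.hostname or p.fragment:
        raise ValueError("redirect URI must be absolute https without fragment")
    REGISTERED.setdefault(client_id, set()).add(uri)


def domain_only_check(client_id, redirect_uri):
    """Loose policy: any URL on a registered host is accepted."""
    host = urlsplit(redirect_uri).hostname
    return any(urlsplit(r).hostname == host for r in REGISTERED.get(client_id, ()))


def exact_match_check(client_id, redirect_uri):
    """Strict policy: the request value must equal a registered URI exactly."""
    return redirect_uri in REGISTERED.get(client_id, ())


# Constructed sample data: hypothetical client id and URLs.
register("forum-client", "https://forum.example.org/maniaconnect/callback")
SAMPLES = [
    "https://forum.example.org/maniaconnect/callback",
    "https://forum.example.org/out.php?url=https://other.example.net/",
    "https://other.example.net/maniaconnect/callback",
]


def compare(client_id="forum-client"):
    """Return (uri, loose_result, strict_result) for each sample."""
    return [(u, domain_only_check(client_id, u), exact_match_check(client_id, u))
            for u in SAMPLES]


if __name__ == "__main__":
    for uri, loose, strict in compare():
        print(f"loose={loose!s:5} strict={strict!s:5} {uri}")
```

The second sample is the case that separates the two policies: it sits on the registered host but is not the registered callback, so only the exact comparison rejects it.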

Re: [CNET New]Serious security flaw in OAuth, OpenID discove
Great work from your end
Thanks for your answer