After Two Fixes, OAuth Standard Deemed Secure (net-security.org)
An anonymous reader writes: OAuth 2.0 is one of the most used single sign-on systems on the web: it is used by Facebook, Google, Microsoft, GitHub and other big Internet companies. A group of researchers from University of Trier, Germany, have performed the first formal security analysis of the OAuth 2.0 standard, and have discovered two previously unknown attacks that could be mounted to break authorization and authentication in OAuth. However, says the article, "[w]ith these problems solved, the researchers ultimately concluded that OAuth 2.0 is secure enough to provide both authorization and authentication -- if implemented correctly."
"[w]ith these problems solved, the researchers ultimately concluded that OAuth 2.0 WOULD BE secure enough to provide both authorization and authentication -- if implemented correctly."
The problems they found were two man-in-the-middle attacks. One of them is kind of silly: it uses an HTTP 307 redirect to redirect the login request to a malicious server. The malicious server will be given the user's credentials.
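The mechanism behind the 307 attack the comment mentions is a plain HTTP rule, not anything OAuth-specific: for 301, 302 and 303 a browser follows the redirect with a GET and drops the submitted form, while for 307 (and 308) it repeats the original POST, body included, against the new Location. The constructed Python demo below is an added example (not code from the paper, the article, or the commenter): it runs a pretend identity provider that redirects after a login POST and a pretend relying party that records what reaches its callback, with a minimal client that follows one redirect with browser semantics. Hostnames, ports, the callback path and the form contents are all made up for the demo.

```python
"""Why an HTTP 307 after an OAuth login form is dangerous, shown on localhost.

Constructed example: a tiny identity provider (IdP) that redirects the client
to the relying party (RP) after a login POST, an RP that records whatever hits
its callback, and a client that follows one redirect the way browsers do
(RFC 7231: 303 -> GET without body, 307 -> same method and body).
"""
import threading
from http.client import HTTPConnection
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer
from urllib.parse import urlsplit

# Constructed credentials, used only for the demo.
DEMO_FORM = "user=alice&password=hunter2"
FORM_HEADERS = {"Content-Type": "application/x-www-form-urlencoded"}


class _Quiet(BaseHTTPRequestHandler):
    def log_message(self, *args):  # silence per-request logging
        pass


def _serve(handler_cls):
    srv = ThreadingHTTPServer(("127.0.0.1", 0), handler_cls)  # port 0: pick a free port
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def _start_rp(received):
    """RP whose callback just records the method and body it was sent."""
    class RP(_Quiet):
        def _record(self):
            length = int(self.headers.get("Content-Length", 0))
            received.append({"method": self.command,
                             "body": self.rfile.read(length).decode()})
            self.send_response(200)
            self.end_headers()
        do_GET = _record
        do_POST = _record
    return _serve(RP)


def _start_idp(status, rp_callback):
    """IdP that consumes the login form and redirects to the RP with `status`."""
    class IdP(_Quiet):
        def do_POST(self):
            length = int(self.headers.get("Content-Length", 0))
            self.rfile.read(length)  # the login form is meant to stop here
            # 303 is the safe choice for this hop; 307 is the bug.
            self.send_response(status)
            self.send_header("Location", rp_callback + "?code=constructed-code")
            self.end_headers()
    return _serve(IdP)


def browser_submit(url, form):
    """POST `form` to `url` and follow one redirect with browser semantics."""
    u = urlsplit(url)
    conn = HTTPConnection(u.hostname, u.port, timeout=5)
    conn.request("POST", u.path, body=form, headers=FORM_HEADERS)
    resp = conn.getresponse()
    resp.read()
    location = resp.getheader("Location")
    conn.close()
    if resp.status in (307, 308):
        method, body, headers = "POST", form, FORM_HEADERS  # method and body preserved
    elif resp.status in (301, 302, 303):
        method, body, headers = "GET", None, {}  # browsers switch to GET, body dropped
    else:
        return resp.status
    t = urlsplit(location)
    path = t.path + ("?" + t.query if t.query else "")
    conn = HTTPConnection(t.hostname, t.port, timeout=5)
    conn.request(method, path, body=body, headers=headers)
    conn.getresponse().read()
    conn.close()
    return resp.status


def run_demo(redirect_status):
    """Return what the RP callback received when the IdP redirects with
    `redirect_status` after the login POST."""
    received = []
    rp = _start_rp(received)
    rp_callback = "http://127.0.0.1:%d/callback" % rp.server_address[1]
    idp = _start_idp(redirect_status, rp_callback)
    try:
        browser_submit("http://127.0.0.1:%d/login" % idp.server_address[1], DEMO_FORM)
    finally:
        for srv in (idp, rp):
            srv.shutdown()
            srv.server_close()
    return received[0]


if __name__ == "__main__":
    print("303:", run_demo(303))  # GET with an empty body: only the code arrives
    print("307:", run_demo(307))  # POST whose body still carries the credentials
```

The check a practitioner wants from this is the one the `main` block prints: with 303 the relying party sees a GET carrying nothing but the authorization code, with 307 it sees the original POST, credentials included. The same rule is why any identity provider should never answer a credential POST with a 307 or 308 when the Location points at a third party.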
"First they came for the slanderers and I said nothing."
OAuth 2.0 will never be "secure enough" until it is very, very hard to implement it *incorrectly*.
Right now there are a lot of modules out there to integrate OAuth 2 into your website, and you can re-use a lot of your code from old projects, but there is no single trivial way to make your website secure. So long as that's the case, people are going to screw it up. LOTS of people are going to screw it up. Especially when they're being paid to deliver a marketable website, and nobody outside of a few key market sectors is going to pay for serious security auditing. Or, you know... any security auditing.