Recent media attention around “Covert Redirects” has stirred new concerns over an already-identified weakness in OAuth 2.0 implementations. So if the weakness is not new, why do we keep hearing about it? OAuth 2.0 is a framework that, when implemented correctly, can be very secure, but many developers do not understand or adhere to the specification and best practices for secure implementation. When implemented poorly, the resultant vulnerabilities can be a treasure chest of data exposure and session hijacking attack vectors.
We’ll explore common mistakes in implementing OAuth 2.0 and how they can be exploited. Use of OAuth has expanded well beyond its early implementations in social media platforms and is becoming increasingly common in enterprise development, so we’ll delve into the specific attack vectors that result. Of course, we’ll also cover the design and remediation strategies that help prevent those common implementation flaws.
Copyright 2020, IronGeek