IIW 27 Wednesday Session 3
1. Best Practices for Managing (OAuth 2.0) Access Tokens, or: How to Avoid Being the Next Victim after Facebook
Bjorn Hjelm
2. Background
The Facebook data breach reported at the end of this September involved attackers obtaining access tokens for Facebook users.
According to Facebook [1], the vulnerability was the result of the interaction of the following three bugs:
• First: For one type of composer (enabling people to wish their friends happy birthday), View As incorrectly provided the opportunity to post a video.
• Second: The video uploader incorrectly generated an access token that had the permissions of the Facebook mobile app.
• Third: When the video uploader appeared as part of View As, it generated the access token not for you as the viewer, but for the user that you were looking up.
[1] https://newsroom.fb.com/news/2018/09/security-update/#details
3. Discussion
• What are the best practices for designing and granting access tokens?
• Guidance from “Access Token Privilege Restriction” in the IETF draft “OAuth 2.0 Security Best Current Practice” [2]?
• “The privileges associated with an access token SHOULD be restricted to the minimum required for the particular application or use case. This prevents clients from exceeding the privileges authorized by the resource owner. It also prevents users from exceeding their privileges authorized by the respective security policy.”
• Other or additional suggestions or proposals?
[2] draft-ietf-oauth-security-topics, https://datatracker.ietf.org/doc/draft-ietf-oauth-security-topics/
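The privilege-restriction guidance quoted above, together with the three-bug chain from the Background slide, as an added Python example that is not from the session, from Facebook or from the IETF draft. It shows an authorization server that mints tokens whose subject is taken only from the authenticated session (a "view as" target can never become the token's subject) and whose scope is the intersection of what was requested, what the client is registered for and what the user consented to; and a resource-server check that rejects the wrong audience, a missing scope, a subject other than the acting user, expiry and tampering. The client registry, scope names, signing scheme (HMAC over a base64url JSON body, standing in for a real JWT library), key and the assumption that the resource server knows the acting user (a first-party deployment like Facebook's) are all constructed for this example.

```python
"""Least-privilege access-token minting and checking.

Added example, not from the IIW session. The two checks it demonstrates are
the ones the Facebook write-up motivates:
  1. the token's subject is always the authenticated session user, never a
     "view as" target supplied as a request parameter;
  2. the token's privileges are the intersection of what the client is
     registered for, what the user consented to, and what this request asks for.
"""
import base64
import hashlib
import hmac
import json
import time

# Constructed signing key for this example only; a real AS uses managed keys.
SIGNING_KEY = b"example-signing-key-not-for-production"

# Constructed client registry: the most a given client may ever be granted.
# The "video-uploader" is deliberately registered for far less than the
# "mobile-app", which is the distinction the second Facebook bug collapsed.
CLIENT_REGISTRY = {
    "video-uploader": {"video:write"},
    "mobile-app": {"video:write", "profile:read", "friends:read", "messages:read"},
}


def mint_access_token(session_user, client_id, requested_scopes, audience,
                      ttl=300, consented=None):
    """Issue a signed token bound to the *authenticated* user only.

    ``session_user`` must come from the server-side session, never from a
    request parameter such as a "view as" target; ``consented`` is the set of
    scopes the resource owner approved (defaults to the client's registration).
    """
    allowed = CLIENT_REGISTRY.get(client_id)
    if allowed is None:
        raise ValueError("unknown client")
    consented = set(consented) if consented is not None else allowed
    scope = set(requested_scopes) & allowed & consented  # least privilege
    if not scope:
        raise ValueError("no grantable scope")
    payload = {
        "sub": session_user,
        "client_id": client_id,
        "aud": audience,
        "scope": sorted(scope),
        "exp": int(time.time()) + ttl,
    }
    raw = json.dumps(payload, sort_keys=True).encode()
    body = base64.urlsafe_b64encode(raw).decode().rstrip("=")
    tag = hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{tag}"


def parse_access_token(token):
    """Verify the HMAC and return the claims; raises ValueError on tampering."""
    body, _, tag = token.rpartition(".")
    expected = hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("bad signature")
    padded = body + "=" * (-len(body) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))


def authorize_request(token, audience, required_scope, acting_user, now=None):
    """Resource-server check. Returns (allowed, reason).

    ``acting_user`` is the user the resource server believes is making the
    request (assumed known, as in a first-party deployment); a token whose
    subject is someone else is rejected even if its scope would suffice.
    """
    try:
        claims = parse_access_token(token)
    except ValueError as exc:
        return False, str(exc)
    now = time.time() if now is None else now
    if claims["exp"] <= now:
        return False, "expired"
    if claims["aud"] != audience:
        return False, "wrong audience"
    if required_scope not in claims["scope"]:
        return False, f"missing scope {required_scope}"
    if claims["sub"] != acting_user:
        return False, "token subject is not the acting user"
    return True, "ok"


if __name__ == "__main__":
    aud = "https://api.example/videos"  # constructed audience
    tok = mint_access_token("alice", "video-uploader", {"video:write", "messages:read"}, aud)
    print("granted scope:", parse_access_token(tok)["scope"])
    print("alice posts video:", authorize_request(tok, aud, "video:write", "alice"))
    print("same token used as bob:", authorize_request(tok, aud, "video:write", "bob"))
```

The mitigation for the third Facebook bug is structural rather than a check: `mint_access_token` has no parameter through which a looked-up user could be passed, so the caller cannot get it wrong. The scope intersection handles the second bug, and `authorize_request` is the defence in depth if a token is minted incorrectly anyway.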