Maybe I'm missing something but isn't every single "social login" effectively using OAuth for auth?



Yes. Some apps without sensitive info can do it, but that's it.


So in other words StackOverflow etc (i.e. all non-trivial apps that support third-party login via OAuth) are all broken from a security POV?


In one way or another. Most are vulnerable to bugs in the standard (see sakurity.com/oauth), but every single one depends on a central authority, which is just stupid for auth.