
The client can intercept whatever URL the embedded webview is redirected to. The callback URL provides no security against this.



That's not a drive-by hijack, all bets are off when it comes to apps. For all you know the app is presenting a fake login dialog.

It would be a drive-by hijack on the web because there's a good chance you're already authenticated with Twitter and the callback cycle will automatically grant credentials on your behalf to the requester with no prompt.


Right - we were discussing OAuth in the context of client apps.


I'm pretty sure I was setting the context, and that context was the web.


Fair enough. I was referring to the larger discussion.



