
Nice to see the combination of a determined White Hat attacker and the responsive FB development team ready to fix vulnerabilities.


Yes but it's sad to see yet another OAuth SNAFU.

At which point should people consider not using a technology which has been repeatedly exploited and start using something where security has been thought about from the start?

Because we all know that the article "How I hacked FB using OAuth a 3rd time" is coming...


This isn't really a generic OAuth bug though. This stems from the fact that you can trick the redirection scheme that Facebook uses into thinking that you are the legitimate owner of an application whilst using your own backend-flow URL.

This isn't going to affect 99.999% of OAuth implementations and arguably just shows that Facebook made an error in their design.
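The comment above pins the bug on the authorization server's redirect handling accepting a URL the real application owner never registered. As an added illustration (not code from the thread, the blog post or Facebook), here is the redirect_uri policy an OAuth provider should apply, with a loose prefix match shown beside the exact-match check; the client registry and URLs are constructed for the example.

```python
from typing import Optional
from urllib.parse import urlsplit

# Constructed registry of redirect URIs per client_id (an assumption for this
# example, not any real provider's data). Each client registers full URIs.
REGISTERED_REDIRECTS = {
    "app-123": {"https://example-app.test/oauth/callback"},
}

DEFAULT_PORTS = {"https": 443}


def canonical(uri: str) -> Optional[str]:
    """Canonicalise scheme, host and port; return None for anything unusable."""
    parts = urlsplit(uri)
    # Require TLS for web callbacks; RFC 6749 forbids fragments in redirect_uri.
    if parts.scheme != "https" or not parts.hostname or parts.fragment:
        return None
    host = parts.hostname.lower()          # urlsplit already lowercases the host
    port = parts.port or DEFAULT_PORTS["https"]
    netloc = host if port == DEFAULT_PORTS["https"] else f"{host}:{port}"
    query = f"?{parts.query}" if parts.query else ""
    return f"https://{netloc}{parts.path}{query}"


def weak_prefix_check(client_id: str, requested: str) -> bool:
    """The policy to avoid: anything that merely starts with a registered URI
    passes, so a path suffix or an open-redirect parameter on the client's own
    host slips through."""
    allowed = REGISTERED_REDIRECTS.get(client_id, set())
    return any(requested.startswith(reg) for reg in allowed)


def strict_exact_check(client_id: str, requested: str) -> bool:
    """Accept only an exact, canonicalised match with a registered URI
    (the exact-match rule of RFC 6749 section 3.1.2.2)."""
    wanted = canonical(requested)
    if wanted is None:
        return False
    allowed = {canonical(reg) for reg in REGISTERED_REDIRECTS.get(client_id, set())}
    return wanted in allowed
```

The exact-match check also accepts the registered URI written with an explicit default port or a differently cased host, which the naive string prefix test rejects, so strictness here is about canonical equality rather than byte-for-byte text.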


  > trick the redirection scheme that Facebook uses into thinking that you are
  > the legitimate owner of an application whilst using your own backend-flow URL

Thanks for this summary which demonstrates the importance of both effective communication skills and reading comprehension since I didn't come up with anything close from my dash through the blog post.



