Two of my co workers have presented at HackMiami on flaws people implement in their oauth implementations. The talk summary is below
“OAuth is one of the most popular authorization frameworks in use today. All major platforms such as Google, Facebook, Box etc support it and you are probably thinking of implementing OAuth for your product/platform.We are not debating the popularity of the protocol or the limitations that come with it. We are here to help you implement it securely.
When you use OAuth, there are three pieces – The Platform , the Application (using the platform) and the User (of the application). We will go over the common flaws we have seen in applications built on a OAuth platform which can lead to complete account takeover, how they can be a security engineer’s nightmare, and how to fix them. We will go over security controls that the platform can put in place to help mitigate security vulnerabilities. We will also cover how bad design decisions, if chained with otherwise lower risk vulnerabilities can result in gaping holes in your OAuth implementation.
You will leave this session with a deep understanding of how OAuth implementation should be secured both for a platform and in an application and things to test for during a security evaluation of OAuth implementations.”