
OAuth

Handful of OAuth bugs combine for GitHub session theft

posted on February 10, 2014
by l33tdawg

Chaining together five low-severity bugs allowed Russian security researcher Egor Homakov to steal user sessions and escalate the scope of OAuth tokens on GitHub, giving him the ability to access and delete private GitHub repositories and Gists.

Detailing the process of linking the five bugs together in a blog post, Homakov called his exploit the "perfect crime".

Do OAuth tokens sustain hacking attacks?

posted on February 22, 2013
by l33tdawg

‘Tis the season to be hacked, I guess. Twitter joined a bunch of other companies in revealing that it was the target of a sophisticated attack that may have exposed the information for about 250,000 users. While the data that was allegedly exposed, including encrypted/salted versions of passwords, was not as bad as in some other attacks recently, Twitter did take some proactive measures in resetting passwords (and letting the users know that they need to set a new one) and revoking session tokens.