SlideShare a Scribd company logo

IIW 27 Wednesday Session 3

Download as PPTX, PDF
Bjorn Hjelm
Bjorn Hjelm

Discussion on best practices for managing OAuth 2.0 Access Tokens (or how to avoid being the next victim after Facebook).

Internet
1 of 3
Best Practices for Managing (OAuth 2.0) Access Tokens Or How to Avoid Being the Next Victim after Facebook Bjorn Hjelm
Background The Facebook data breach reported end of this September involved attackers obtaining access tokens for Facebook users. According to Facebook1, the vulnerability was the result of the interaction of the following three bugs: • First: For one type of composer (enabling people to wish their friends happy birthday) View As incorrectly provided the opportunity to post a video. • Second: The video uploader incorrectly generated an access token that had the permissions of the Facebook mobile app. • Third: When the video uploader appeared as part of View As, it generated the access token not for you as the viewer, but for the user that you were looking up. 1https://newsroom.fb.com/news/2018/09/security-update/#details
Discussion • What are the best practices for when designing and granting Access Tokens? • Guidance from “Access Token Privilege Restriction” in IETF draft “OAuth 2.0 Security Best Current Practice”2? • “The privileges associated with an access token SHOULD be restricted to the minimum required for the particular application or use case. This prevents clients from exceeding the privileges authorized by the resource owner. It also prevents users from exceeding their privileges authorized by the respective security policy.“ • Other or additional suggestions or proposals? 2 draft-ietf-oauth-security-topics, https://datatracker.ietf.org/doc/draft-ietf-oauth-security-topics/

Recommended

The Corporate Web Security Landscape
The Corporate Web Security LandscapeThe Corporate Web Security Landscape
The Corporate Web Security Landscape
Peter Wood
 
SOCIAL NETWORK SECURITY
SOCIAL NETWORK SECURITYSOCIAL NETWORK SECURITY
SOCIAL NETWORK SECURITY
MarketingatBahrain
 
Security threats in social networks
Security threats in social networksSecurity threats in social networks
Security threats in social networks
Tannistho Ghosh
 
Social Networking Security Issues
Social Networking Security IssuesSocial Networking Security Issues
Social Networking Security Issues
Mangesh Gunjal
 
How Safe Is YOUR Social Network?
How Safe Is YOUR Social Network?How Safe Is YOUR Social Network?
How Safe Is YOUR Social Network?
Blue Coat
 
Experience Sharing on School Pentest Project (Updated)
Experience Sharing on School Pentest Project (Updated)Experience Sharing on School Pentest Project (Updated)
Experience Sharing on School Pentest Project (Updated)
eLearning Consortium 電子學習聯盟
 
Social media and Security risks
Social media and Security risksSocial media and Security risks
Social media and Security risks
Parakum Pathirana
 
Chapter 4
Chapter 4Chapter 4
Chapter 4
NorazlinaAbdullah4
 

Recommended

The Corporate Web Security Landscape
The Corporate Web Security LandscapeThe Corporate Web Security Landscape
The Corporate Web Security Landscape
Peter Wood
 
SOCIAL NETWORK SECURITY
SOCIAL NETWORK SECURITYSOCIAL NETWORK SECURITY
SOCIAL NETWORK SECURITY
MarketingatBahrain
 
Security threats in social networks
Security threats in social networksSecurity threats in social networks
Security threats in social networks
Tannistho Ghosh
 
Social Networking Security Issues
Social Networking Security IssuesSocial Networking Security Issues
Social Networking Security Issues
Mangesh Gunjal
 
How Safe Is YOUR Social Network?
How Safe Is YOUR Social Network?How Safe Is YOUR Social Network?
How Safe Is YOUR Social Network?
Blue Coat
 
Experience Sharing on School Pentest Project (Updated)
Experience Sharing on School Pentest Project (Updated)Experience Sharing on School Pentest Project (Updated)
Experience Sharing on School Pentest Project (Updated)
eLearning Consortium 電子學習聯盟
 
Social media and Security risks
Social media and Security risksSocial media and Security risks
Social media and Security risks
Parakum Pathirana
 
Chapter 4
Chapter 4Chapter 4
Chapter 4
NorazlinaAbdullah4
 
Information Security Engineering
Information Security EngineeringInformation Security Engineering
Information Security Engineering
Md. Hasan Basri (Angel)
 
Cyber security awareness for end users
Cyber security awareness for end usersCyber security awareness for end users
Cyber security awareness for end users
NetWatcher
 
System failure
System failureSystem failure
System failurechrispaul8676
 
How to Like Social Media Network Security
How to Like Social Media Network SecurityHow to Like Social Media Network Security
How to Like Social Media Network Security
Brian Honan
 
Mobile Security: The 5 Questions Modern Organizations Are Asking
Mobile Security: The 5 Questions Modern Organizations Are AskingMobile Security: The 5 Questions Modern Organizations Are Asking
Mobile Security: The 5 Questions Modern Organizations Are Asking
Lookout
 
Mobile security
Mobile securityMobile security
Mobile security
Tapan Khilar
 
Computer Network Security
Computer Network SecurityComputer Network Security
Computer Network Security
Bryley Systems Inc.
 
Social media and security essentials.pptx
Social media and security essentials.pptxSocial media and security essentials.pptx
Social media and security essentials.pptxPink Elephant
 
Security Basics Webinar
Security Basics WebinarSecurity Basics Webinar
Security Basics Webinar
TechSoup
 
Can You Steal From Me Now? Mobile and BYOD Security Risks
Can You Steal From Me Now? Mobile and BYOD Security RisksCan You Steal From Me Now? Mobile and BYOD Security Risks
Can You Steal From Me Now? Mobile and BYOD Security Risks
Michael Davis
 
Bl cybersecurity z_dooly
Bl cybersecurity z_doolyBl cybersecurity z_dooly
Bl cybersecurity z_dooly
zdooly
 
Social media security
Social media securitySocial media security
Social media security
n|u - The Open Security Community
 
Social media risk
Social media riskSocial media risk
Social media risk
Mosoco Ltd
 
Security threats
Security threatsSecurity threats
Security threats
Qamar Farooq
 
It security training
It security trainingIt security training
It security traininggethumamaravi
 
Cyber security ppt
Cyber security pptCyber security ppt
Cyber security ppt
CH Asim Zubair
 
Finding things out on the Web
Finding things out on the WebFinding things out on the Web
Finding things out on the WebMiles Berry
 
Privacy issues in social networking
Privacy issues in social networkingPrivacy issues in social networking
Privacy issues in social networking
Bryan Tran
 
Dos and Don'ts of Internet Security
Dos and Don'ts of Internet SecurityDos and Don'ts of Internet Security
Dos and Don'ts of Internet Security
Quick Heal Technologies Ltd.
 
Where To Start When Your Environment is Fucked
Where To Start When Your Environment is FuckedWhere To Start When Your Environment is Fucked
Where To Start When Your Environment is Fucked
Amanda Berlin
 
Security_PPT.pptx
Security_PPT.pptxSecurity_PPT.pptx
Security_PPT.pptx
BHARATGupta323808
 
Infocom Security
Infocom SecurityInfocom Security
Infocom Security
mmavis
 

More Related Content

What's hot

Information Security Engineering
Information Security EngineeringInformation Security Engineering
Information Security Engineering
Md. Hasan Basri (Angel)
 
Cyber security awareness for end users
Cyber security awareness for end usersCyber security awareness for end users
Cyber security awareness for end users
NetWatcher
 
How to Like Social Media Network Security
How to Like Social Media Network SecurityHow to Like Social Media Network Security
How to Like Social Media Network Security
Brian Honan
 
Mobile Security: The 5 Questions Modern Organizations Are Asking
Mobile Security: The 5 Questions Modern Organizations Are AskingMobile Security: The 5 Questions Modern Organizations Are Asking
Mobile Security: The 5 Questions Modern Organizations Are Asking
Lookout
 
Mobile security
Mobile securityMobile security
Mobile security
Tapan Khilar
 
Computer Network Security
Computer Network SecurityComputer Network Security
Computer Network Security
Bryley Systems Inc.
 
Social media and security essentials.pptx
Social media and security essentials.pptxSocial media and security essentials.pptx
Social media and security essentials.pptxPink Elephant
 
Security Basics Webinar
Security Basics WebinarSecurity Basics Webinar
Security Basics Webinar
TechSoup
 
Can You Steal From Me Now? Mobile and BYOD Security Risks
Can You Steal From Me Now? Mobile and BYOD Security RisksCan You Steal From Me Now? Mobile and BYOD Security Risks
Can You Steal From Me Now? Mobile and BYOD Security Risks
Michael Davis
 
Bl cybersecurity z_dooly
Bl cybersecurity z_doolyBl cybersecurity z_dooly
Bl cybersecurity z_dooly
zdooly
 
Social media security
Social media securitySocial media security
Social media security
n|u - The Open Security Community
 
Social media risk
Social media riskSocial media risk
Social media risk
Mosoco Ltd
 
Security threats
Security threatsSecurity threats
Security threats
Qamar Farooq
 
It security training
It security trainingIt security training
It security traininggethumamaravi
 
Cyber security ppt
Cyber security pptCyber security ppt
Cyber security ppt
CH Asim Zubair
 
Finding things out on the Web
Finding things out on the WebFinding things out on the Web
Finding things out on the WebMiles Berry
 
Privacy issues in social networking
Privacy issues in social networkingPrivacy issues in social networking
Privacy issues in social networking
Bryan Tran
 
Dos and Don'ts of Internet Security
Dos and Don'ts of Internet SecurityDos and Don'ts of Internet Security
Dos and Don'ts of Internet Security
Quick Heal Technologies Ltd.
 
Where To Start When Your Environment is Fucked
Where To Start When Your Environment is FuckedWhere To Start When Your Environment is Fucked
Where To Start When Your Environment is Fucked
Amanda Berlin
 

What's hot (20)

Information Security Engineering
Information Security EngineeringInformation Security Engineering
Information Security Engineering
 
Cyber security awareness for end users
Cyber security awareness for end usersCyber security awareness for end users
Cyber security awareness for end users
 
System failure
System failureSystem failure
System failure
 
How to Like Social Media Network Security
How to Like Social Media Network SecurityHow to Like Social Media Network Security
How to Like Social Media Network Security
 
Mobile Security: The 5 Questions Modern Organizations Are Asking
Mobile Security: The 5 Questions Modern Organizations Are AskingMobile Security: The 5 Questions Modern Organizations Are Asking
Mobile Security: The 5 Questions Modern Organizations Are Asking
 
Mobile security
Mobile securityMobile security
Mobile security
 
Computer Network Security
Computer Network SecurityComputer Network Security
Computer Network Security
 
Social media and security essentials.pptx
Social media and security essentials.pptxSocial media and security essentials.pptx
Social media and security essentials.pptx
 
Security Basics Webinar
Security Basics WebinarSecurity Basics Webinar
Security Basics Webinar
 
Can You Steal From Me Now? Mobile and BYOD Security Risks
Can You Steal From Me Now? Mobile and BYOD Security RisksCan You Steal From Me Now? Mobile and BYOD Security Risks
Can You Steal From Me Now? Mobile and BYOD Security Risks
 
Bl cybersecurity z_dooly
Bl cybersecurity z_doolyBl cybersecurity z_dooly
Bl cybersecurity z_dooly
 
Social media security
Social media securitySocial media security
Social media security
 
Social media risk
Social media riskSocial media risk
Social media risk
 
Security threats
Security threatsSecurity threats
Security threats
 
It security training
It security trainingIt security training
It security training
 
Cyber security ppt
Cyber security pptCyber security ppt
Cyber security ppt
 
Finding things out on the Web
Finding things out on the WebFinding things out on the Web
Finding things out on the Web
 
Privacy issues in social networking
Privacy issues in social networkingPrivacy issues in social networking
Privacy issues in social networking
 
Dos and Don'ts of Internet Security
Dos and Don'ts of Internet SecurityDos and Don'ts of Internet Security
Dos and Don'ts of Internet Security
 
Where To Start When Your Environment is Fucked
Where To Start When Your Environment is FuckedWhere To Start When Your Environment is Fucked
Where To Start When Your Environment is Fucked
 

Similar to IIW 27 Wednesday Session 3

Security_PPT.pptx
Security_PPT.pptxSecurity_PPT.pptx
Security_PPT.pptx
BHARATGupta323808
 
Infocom Security
Infocom SecurityInfocom Security
Infocom Security
mmavis
 
Malware goes to the movies
Malware goes to the moviesMalware goes to the movies
Malware goes to the movies
Aleksandr Yampolskiy
 
Zoom: Privacy and Security - A case study
Zoom: Privacy and Security - A case studyZoom: Privacy and Security - A case study
Zoom: Privacy and Security - A case study
Adri Jovin
 
web 3 poerpoint presentation in simple words and the evolution of web
web 3 poerpoint presentation in simple words and the evolution of webweb 3 poerpoint presentation in simple words and the evolution of web
web 3 poerpoint presentation in simple words and the evolution of web
achuarjunnattakom
 
Tik tok owner to use blockchain technology
Tik tok owner to use blockchain technologyTik tok owner to use blockchain technology
Tik tok owner to use blockchain technology
Blockchain Council
 
A4.1Proceedings of Student-Faculty Research Day, CSIS, Pa.docx
A4.1Proceedings of Student-Faculty Research Day, CSIS, Pa.docx A4.1Proceedings of Student-Faculty Research Day, CSIS, Pa.docx
A4.1Proceedings of Student-Faculty Research Day, CSIS, Pa.docx
joyjonna282
 
2010 Exemptions for the DMCA: What's New
2010 Exemptions for the DMCA: What's New2010 Exemptions for the DMCA: What's New
2010 Exemptions for the DMCA: What's New
zsrlibrary
 
How the Tubes are Strangling Their Owners: Consumer Rights Bill 2014
How the Tubes are Strangling Their Owners: Consumer Rights Bill 2014How the Tubes are Strangling Their Owners: Consumer Rights Bill 2014
How the Tubes are Strangling Their Owners: Consumer Rights Bill 2014
Chris Marsden
 
Privacy on the internet presentation_kf_final
Privacy on the internet presentation_kf_finalPrivacy on the internet presentation_kf_final
Privacy on the internet presentation_kf_final
Karen Fraser
 
Social Media Application Development
Social Media Application DevelopmentSocial Media Application Development
Social Media Application Development
Harbinger Systems - HRTech Builder of Choice
 
Security presentation
Security presentationSecurity presentation
Security presentationSmart Mirror
 
Certes webinar securing the frictionless enterprise
Certes webinar securing the frictionless enterpriseCertes webinar securing the frictionless enterprise
Certes webinar securing the frictionless enterprise
Jason Bloomberg
 
Why Building Your Ship (Application) with Raw Materials is a Bad Idea!.pptx
Why Building Your Ship (Application) with Raw Materials is a Bad Idea!.pptxWhy Building Your Ship (Application) with Raw Materials is a Bad Idea!.pptx
Why Building Your Ship (Application) with Raw Materials is a Bad Idea!.pptx
Jamie Coleman
 
Insecure trends in web technologies 2009
Insecure trends in web technologies 2009Insecure trends in web technologies 2009
Insecure trends in web technologies 2009
Chandrakanth Narreddy
 
VOCI Final Presentation
VOCI Final PresentationVOCI Final Presentation
VOCI Final Presentation
Elisabeth Brooks
 
Facebook Fights Fake News Shop Talk
Facebook Fights Fake News Shop TalkFacebook Fights Fake News Shop Talk
Facebook Fights Fake News Shop Talk
SMED Tests
 
Open Source Insight: Securing IoT, Atlanta Ransomware Attack, Congress on Cyb...
Open Source Insight: Securing IoT, Atlanta Ransomware Attack, Congress on Cyb...Open Source Insight: Securing IoT, Atlanta Ransomware Attack, Congress on Cyb...
Open Source Insight: Securing IoT, Atlanta Ransomware Attack, Congress on Cyb...
Black Duck by Synopsys
 

Similar to IIW 27 Wednesday Session 3 (20)

Security_PPT.pptx
Security_PPT.pptxSecurity_PPT.pptx
Security_PPT.pptx
 
Infocom Security
Infocom SecurityInfocom Security
Infocom Security
 
Malware goes to the movies
Malware goes to the moviesMalware goes to the movies
Malware goes to the movies
 
Zoom: Privacy and Security - A case study
Zoom: Privacy and Security - A case studyZoom: Privacy and Security - A case study
Zoom: Privacy and Security - A case study
 
web 3 poerpoint presentation in simple words and the evolution of web
web 3 poerpoint presentation in simple words and the evolution of webweb 3 poerpoint presentation in simple words and the evolution of web
web 3 poerpoint presentation in simple words and the evolution of web
 
Tik tok owner to use blockchain technology
Tik tok owner to use blockchain technologyTik tok owner to use blockchain technology
Tik tok owner to use blockchain technology
 
A4.1Proceedings of Student-Faculty Research Day, CSIS, Pa.docx
A4.1Proceedings of Student-Faculty Research Day, CSIS, Pa.docx A4.1Proceedings of Student-Faculty Research Day, CSIS, Pa.docx
A4.1Proceedings of Student-Faculty Research Day, CSIS, Pa.docx
 
2010 Exemptions for the DMCA: What's New
2010 Exemptions for the DMCA: What's New2010 Exemptions for the DMCA: What's New
2010 Exemptions for the DMCA: What's New
 
Facebook
FacebookFacebook
Facebook
 
How the Tubes are Strangling Their Owners: Consumer Rights Bill 2014
How the Tubes are Strangling Their Owners: Consumer Rights Bill 2014How the Tubes are Strangling Their Owners: Consumer Rights Bill 2014
How the Tubes are Strangling Their Owners: Consumer Rights Bill 2014
 
Privacy on the internet presentation_kf_final
Privacy on the internet presentation_kf_finalPrivacy on the internet presentation_kf_final
Privacy on the internet presentation_kf_final
 
Social Media Application Development
Social Media Application DevelopmentSocial Media Application Development
Social Media Application Development
 
Security presentation
Security presentationSecurity presentation
Security presentation
 
Certes webinar securing the frictionless enterprise
Certes webinar securing the frictionless enterpriseCertes webinar securing the frictionless enterprise
Certes webinar securing the frictionless enterprise
 
Why Building Your Ship (Application) with Raw Materials is a Bad Idea!.pptx
Why Building Your Ship (Application) with Raw Materials is a Bad Idea!.pptxWhy Building Your Ship (Application) with Raw Materials is a Bad Idea!.pptx
Why Building Your Ship (Application) with Raw Materials is a Bad Idea!.pptx
 
Insecure trends in web technologies 2009
Insecure trends in web technologies 2009Insecure trends in web technologies 2009
Insecure trends in web technologies 2009
 
VOCI Final Presentation
VOCI Final PresentationVOCI Final Presentation
VOCI Final Presentation
 
Written-Articles
Written-ArticlesWritten-Articles
Written-Articles
 
Facebook Fights Fake News Shop Talk
Facebook Fights Fake News Shop TalkFacebook Fights Fake News Shop Talk
Facebook Fights Fake News Shop Talk
 
Open Source Insight: Securing IoT, Atlanta Ransomware Attack, Congress on Cyb...
Open Source Insight: Securing IoT, Atlanta Ransomware Attack, Congress on Cyb...Open Source Insight: Securing IoT, Atlanta Ransomware Attack, Congress on Cyb...
Open Source Insight: Securing IoT, Atlanta Ransomware Attack, Congress on Cyb...
 

More from Bjorn Hjelm

MODRNA WG Update - Oct 2023
MODRNA WG Update - Oct 2023MODRNA WG Update - Oct 2023
MODRNA WG Update - Oct 2023
Bjorn Hjelm
 
MODRNA WG Update - Apr 2023
MODRNA WG Update - Apr 2023MODRNA WG Update - Apr 2023
MODRNA WG Update - Apr 2023
Bjorn Hjelm
 
MODRNA WG Update - Nov 2022
MODRNA WG Update - Nov 2022MODRNA WG Update - Nov 2022
MODRNA WG Update - Nov 2022
Bjorn Hjelm
 
MODRNA WG update - OpenID Foundation Workshop at EIC 2022
MODRNA WG update - OpenID Foundation Workshop at EIC 2022MODRNA WG update - OpenID Foundation Workshop at EIC 2022
MODRNA WG update - OpenID Foundation Workshop at EIC 2022
Bjorn Hjelm
 
MODRNA WG Update - Apr. 2022
MODRNA WG Update - Apr. 2022MODRNA WG Update - Apr. 2022
MODRNA WG Update - Apr. 2022
Bjorn Hjelm
 
MODRNA WG update - OpenID Foundation Workshop at EIC 2021
MODRNA WG update - OpenID Foundation Workshop at EIC 2021 MODRNA WG update - OpenID Foundation Workshop at EIC 2021
MODRNA WG update - OpenID Foundation Workshop at EIC 2021
Bjorn Hjelm
 
MODRNA WG Update - Dec 2021
MODRNA WG Update - Dec 2021MODRNA WG Update - Dec 2021
MODRNA WG Update - Dec 2021
Bjorn Hjelm
 
MODRNA WG Update - April 2021
MODRNA WG Update - April 2021MODRNA WG Update - April 2021
MODRNA WG Update - April 2021
Bjorn Hjelm
 
MODRNA WG Overview - October 2020
MODRNA WG Overview - October 2020MODRNA WG Overview - October 2020
MODRNA WG Overview - October 2020
Bjorn Hjelm
 
OpenID Foundation MODRNA WG Update
OpenID Foundation MODRNA WG UpdateOpenID Foundation MODRNA WG Update
OpenID Foundation MODRNA WG Update
Bjorn Hjelm
 
OpenID Foundation MODRNA WG Overview
OpenID Foundation MODRNA WG OverviewOpenID Foundation MODRNA WG Overview
OpenID Foundation MODRNA WG Overview
Bjorn Hjelm
 
Development of 5G IAM Architecture
Development of 5G IAM ArchitectureDevelopment of 5G IAM Architecture
Development of 5G IAM Architecture
Bjorn Hjelm
 
OpenID Foundation MODRNA WG overview at EIC 2019
OpenID Foundation MODRNA WG overview at EIC 2019OpenID Foundation MODRNA WG overview at EIC 2019
OpenID Foundation MODRNA WG overview at EIC 2019
Bjorn Hjelm
 
Development of 5G IAM Architecture
Development of 5G IAM ArchitectureDevelopment of 5G IAM Architecture
Development of 5G IAM Architecture
Bjorn Hjelm
 
OpenID Foundation MODRNA WG Overview (Apr. 2019)
OpenID Foundation MODRNA WG Overview (Apr. 2019)OpenID Foundation MODRNA WG Overview (Apr. 2019)
OpenID Foundation MODRNA WG Overview (Apr. 2019)
Bjorn Hjelm
 
An Overview of the interface of MODRNA and GSMA Mobile Connect
An Overview of the interface of MODRNA and GSMA Mobile ConnectAn Overview of the interface of MODRNA and GSMA Mobile Connect
An Overview of the interface of MODRNA and GSMA Mobile Connect
Bjorn Hjelm
 
Overview of the OpenID Foundation's Mobile Profile of OpenID Connect MODRNA WG
Overview of the OpenID Foundation's Mobile Profile of OpenID Connect MODRNA WGOverview of the OpenID Foundation's Mobile Profile of OpenID Connect MODRNA WG
Overview of the OpenID Foundation's Mobile Profile of OpenID Connect MODRNA WG
Bjorn Hjelm
 
OpenID Connect: The Mobile Profile
OpenID Connect: The Mobile ProfileOpenID Connect: The Mobile Profile
OpenID Connect: The Mobile Profile
Bjorn Hjelm
 
Mobile Network Operators and Identity – Crossing the Chasm
Mobile Network Operators and Identity – Crossing the ChasmMobile Network Operators and Identity – Crossing the Chasm
Mobile Network Operators and Identity – Crossing the Chasm
Bjorn Hjelm
 
NSTIC Panel on Mobile-based Identity and Access Management
NSTIC Panel on Mobile-based Identity and Access ManagementNSTIC Panel on Mobile-based Identity and Access Management
NSTIC Panel on Mobile-based Identity and Access Management
Bjorn Hjelm
 

More from Bjorn Hjelm (20)

MODRNA WG Update - Oct 2023
MODRNA WG Update - Oct 2023MODRNA WG Update - Oct 2023
MODRNA WG Update - Oct 2023
 
MODRNA WG Update - Apr 2023
MODRNA WG Update - Apr 2023MODRNA WG Update - Apr 2023
MODRNA WG Update - Apr 2023
 
MODRNA WG Update - Nov 2022
MODRNA WG Update - Nov 2022MODRNA WG Update - Nov 2022
MODRNA WG Update - Nov 2022
 
MODRNA WG update - OpenID Foundation Workshop at EIC 2022
MODRNA WG update - OpenID Foundation Workshop at EIC 2022MODRNA WG update - OpenID Foundation Workshop at EIC 2022
MODRNA WG update - OpenID Foundation Workshop at EIC 2022
 
MODRNA WG Update - Apr. 2022
MODRNA WG Update - Apr. 2022MODRNA WG Update - Apr. 2022
MODRNA WG Update - Apr. 2022
 
MODRNA WG update - OpenID Foundation Workshop at EIC 2021
MODRNA WG update - OpenID Foundation Workshop at EIC 2021 MODRNA WG update - OpenID Foundation Workshop at EIC 2021
MODRNA WG update - OpenID Foundation Workshop at EIC 2021
 
MODRNA WG Update - Dec 2021
MODRNA WG Update - Dec 2021MODRNA WG Update - Dec 2021
MODRNA WG Update - Dec 2021
 
MODRNA WG Update - April 2021
MODRNA WG Update - April 2021MODRNA WG Update - April 2021
MODRNA WG Update - April 2021
 
MODRNA WG Overview - October 2020
MODRNA WG Overview - October 2020MODRNA WG Overview - October 2020
MODRNA WG Overview - October 2020
 
OpenID Foundation MODRNA WG Update
OpenID Foundation MODRNA WG UpdateOpenID Foundation MODRNA WG Update
OpenID Foundation MODRNA WG Update
 
OpenID Foundation MODRNA WG Overview
OpenID Foundation MODRNA WG OverviewOpenID Foundation MODRNA WG Overview
OpenID Foundation MODRNA WG Overview
 
Development of 5G IAM Architecture
Development of 5G IAM ArchitectureDevelopment of 5G IAM Architecture
Development of 5G IAM Architecture
 
OpenID Foundation MODRNA WG overview at EIC 2019
OpenID Foundation MODRNA WG overview at EIC 2019OpenID Foundation MODRNA WG overview at EIC 2019
OpenID Foundation MODRNA WG overview at EIC 2019
 
Development of 5G IAM Architecture
Development of 5G IAM ArchitectureDevelopment of 5G IAM Architecture
Development of 5G IAM Architecture
 
OpenID Foundation MODRNA WG Overview (Apr. 2019)
OpenID Foundation MODRNA WG Overview (Apr. 2019)OpenID Foundation MODRNA WG Overview (Apr. 2019)
OpenID Foundation MODRNA WG Overview (Apr. 2019)
 
An Overview of the interface of MODRNA and GSMA Mobile Connect
An Overview of the interface of MODRNA and GSMA Mobile ConnectAn Overview of the interface of MODRNA and GSMA Mobile Connect
An Overview of the interface of MODRNA and GSMA Mobile Connect
 
Overview of the OpenID Foundation's Mobile Profile of OpenID Connect MODRNA WG
Overview of the OpenID Foundation's Mobile Profile of OpenID Connect MODRNA WGOverview of the OpenID Foundation's Mobile Profile of OpenID Connect MODRNA WG
Overview of the OpenID Foundation's Mobile Profile of OpenID Connect MODRNA WG
 
OpenID Connect: The Mobile Profile
OpenID Connect: The Mobile ProfileOpenID Connect: The Mobile Profile
OpenID Connect: The Mobile Profile
 
Mobile Network Operators and Identity – Crossing the Chasm
Mobile Network Operators and Identity – Crossing the ChasmMobile Network Operators and Identity – Crossing the Chasm
Mobile Network Operators and Identity – Crossing the Chasm
 
NSTIC Panel on Mobile-based Identity and Access Management
NSTIC Panel on Mobile-based Identity and Access ManagementNSTIC Panel on Mobile-based Identity and Access Management
NSTIC Panel on Mobile-based Identity and Access Management
 

Recently uploaded

JAVIER LASA-EXPERIENCIA digital 1986-2024.pdf
JAVIER LASA-EXPERIENCIA digital 1986-2024.pdfJAVIER LASA-EXPERIENCIA digital 1986-2024.pdf
JAVIER LASA-EXPERIENCIA digital 1986-2024.pdf
Javier Lasa
 
一比一原版(SLU毕业证)圣路易斯大学毕业证成绩单专业办理
一比一原版(SLU毕业证)圣路易斯大学毕业证成绩单专业办理一比一原版(SLU毕业证)圣路易斯大学毕业证成绩单专业办理
一比一原版(SLU毕业证)圣路易斯大学毕业证成绩单专业办理
keoku
 
假文凭国外(Adelaide毕业证)澳大利亚国立大学毕业证成绩单办理
假文凭国外(Adelaide毕业证)澳大利亚国立大学毕业证成绩单办理假文凭国外(Adelaide毕业证)澳大利亚国立大学毕业证成绩单办理
假文凭国外(Adelaide毕业证)澳大利亚国立大学毕业证成绩单办理
cuobya
 
Bridging the Digital Gap Brad Spiegel Macon, GA Initiative.pptx
Bridging the Digital Gap Brad Spiegel Macon, GA Initiative.pptxBridging the Digital Gap Brad Spiegel Macon, GA Initiative.pptx
Bridging the Digital Gap Brad Spiegel Macon, GA Initiative.pptx
Brad Spiegel Macon GA
 
Meet up Milano 14 _ Axpo Italia_ Migration from Mule3 (On-prem) to.pdf
Meet up Milano 14 _ Axpo Italia_ Migration from Mule3 (On-prem) to.pdfMeet up Milano 14 _ Axpo Italia_ Migration from Mule3 (On-prem) to.pdf
Meet up Milano 14 _ Axpo Italia_ Migration from Mule3 (On-prem) to.pdf
Florence Consulting
 
Bài tập unit 1 English in the world.docx
Bài tập unit 1 English in the world.docxBài tập unit 1 English in the world.docx
Bài tập unit 1 English in the world.docx
nhiyenphan2005
 
Internet of Things in Manufacturing: Revolutionizing Efficiency & Quality | C...
Internet of Things in Manufacturing: Revolutionizing Efficiency & Quality | C...Internet of Things in Manufacturing: Revolutionizing Efficiency & Quality | C...
Internet of Things in Manufacturing: Revolutionizing Efficiency & Quality | C...
CIOWomenMagazine
 
1.Wireless Communication System_Wireless communication is a broad term that i...
1.Wireless Communication System_Wireless communication is a broad term that i...1.Wireless Communication System_Wireless communication is a broad term that i...
1.Wireless Communication System_Wireless communication is a broad term that i...
JeyaPerumal1
 
一比一原版(CSU毕业证)加利福尼亚州立大学毕业证成绩单专业办理
一比一原版(CSU毕业证)加利福尼亚州立大学毕业证成绩单专业办理一比一原版(CSU毕业证)加利福尼亚州立大学毕业证成绩单专业办理
一比一原版(CSU毕业证)加利福尼亚州立大学毕业证成绩单专业办理
ufdana
 
7 Best Cloud Hosting Services to Try Out in 2024
7 Best Cloud Hosting Services to Try Out in 20247 Best Cloud Hosting Services to Try Out in 2024
7 Best Cloud Hosting Services to Try Out in 2024
Danica Gill
 
[HUN][hackersuli] Red Teaming alapok 2024
[HUN][hackersuli] Red Teaming alapok 2024[HUN][hackersuli] Red Teaming alapok 2024
[HUN][hackersuli] Red Teaming alapok 2024
hackersuli
 
Italy Agriculture Equipment Market Outlook to 2027
Italy Agriculture Equipment Market Outlook to 2027Italy Agriculture Equipment Market Outlook to 2027
Italy Agriculture Equipment Market Outlook to 2027
harveenkaur52
 
原版仿制(uob毕业证书)英国伯明翰大学毕业证本科学历证书原版一模一样
原版仿制(uob毕业证书)英国伯明翰大学毕业证本科学历证书原版一模一样原版仿制(uob毕业证书)英国伯明翰大学毕业证本科学历证书原版一模一样
原版仿制(uob毕业证书)英国伯明翰大学毕业证本科学历证书原版一模一样
3ipehhoa
 
学位认证网(DU毕业证)迪肯大学毕业证成绩单一比一原版制作
学位认证网(DU毕业证)迪肯大学毕业证成绩单一比一原版制作学位认证网(DU毕业证)迪肯大学毕业证成绩单一比一原版制作
学位认证网(DU毕业证)迪肯大学毕业证成绩单一比一原版制作
zyfovom
 
国外证书(Lincoln毕业证)新西兰林肯大学毕业证成绩单不能毕业办理
国外证书(Lincoln毕业证)新西兰林肯大学毕业证成绩单不能毕业办理国外证书(Lincoln毕业证)新西兰林肯大学毕业证成绩单不能毕业办理
国外证书(Lincoln毕业证)新西兰林肯大学毕业证成绩单不能毕业办理
zoowe
 
test test test test testtest test testtest test testtest test testtest test ...
test test test test testtest test testtest test testtest test testtest test ...test test test test testtest test testtest test testtest test testtest test ...
test test test test testtest test testtest test testtest test testtest test ...
Arif0071
 
重新申请毕业证书(RMIT毕业证)皇家墨尔本理工大学毕业证成绩单精仿办理
重新申请毕业证书(RMIT毕业证)皇家墨尔本理工大学毕业证成绩单精仿办理重新申请毕业证书(RMIT毕业证)皇家墨尔本理工大学毕业证成绩单精仿办理
重新申请毕业证书(RMIT毕业证)皇家墨尔本理工大学毕业证成绩单精仿办理
vmemo1
 
一比一原版(LBS毕业证)伦敦商学院毕业证成绩单专业办理
一比一原版(LBS毕业证)伦敦商学院毕业证成绩单专业办理一比一原版(LBS毕业证)伦敦商学院毕业证成绩单专业办理
一比一原版(LBS毕业证)伦敦商学院毕业证成绩单专业办理
eutxy
 
急速办(bedfordhire毕业证书)英国贝德福特大学毕业证成绩单原版一模一样
急速办(bedfordhire毕业证书)英国贝德福特大学毕业证成绩单原版一模一样急速办(bedfordhire毕业证书)英国贝德福特大学毕业证成绩单原版一模一样
急速办(bedfordhire毕业证书)英国贝德福特大学毕业证成绩单原版一模一样
3ipehhoa
 
Gen Z and the marketplaces - let's translate their needs
Gen Z and the marketplaces - let's translate their needsGen Z and the marketplaces - let's translate their needs
Gen Z and the marketplaces - let's translate their needs
Laura Szabó
 

Recently uploaded (20)

JAVIER LASA-EXPERIENCIA digital 1986-2024.pdf
JAVIER LASA-EXPERIENCIA digital 1986-2024.pdfJAVIER LASA-EXPERIENCIA digital 1986-2024.pdf
JAVIER LASA-EXPERIENCIA digital 1986-2024.pdf
 
一比一原版(SLU毕业证)圣路易斯大学毕业证成绩单专业办理
一比一原版(SLU毕业证)圣路易斯大学毕业证成绩单专业办理一比一原版(SLU毕业证)圣路易斯大学毕业证成绩单专业办理
一比一原版(SLU毕业证)圣路易斯大学毕业证成绩单专业办理
 
假文凭国外(Adelaide毕业证)澳大利亚国立大学毕业证成绩单办理
假文凭国外(Adelaide毕业证)澳大利亚国立大学毕业证成绩单办理假文凭国外(Adelaide毕业证)澳大利亚国立大学毕业证成绩单办理
假文凭国外(Adelaide毕业证)澳大利亚国立大学毕业证成绩单办理
 
Bridging the Digital Gap Brad Spiegel Macon, GA Initiative.pptx
Bridging the Digital Gap Brad Spiegel Macon, GA Initiative.pptxBridging the Digital Gap Brad Spiegel Macon, GA Initiative.pptx
Bridging the Digital Gap Brad Spiegel Macon, GA Initiative.pptx
 
Meet up Milano 14 _ Axpo Italia_ Migration from Mule3 (On-prem) to.pdf
Meet up Milano 14 _ Axpo Italia_ Migration from Mule3 (On-prem) to.pdfMeet up Milano 14 _ Axpo Italia_ Migration from Mule3 (On-prem) to.pdf
Meet up Milano 14 _ Axpo Italia_ Migration from Mule3 (On-prem) to.pdf
 
Bài tập unit 1 English in the world.docx
Bài tập unit 1 English in the world.docxBài tập unit 1 English in the world.docx
Bài tập unit 1 English in the world.docx
 
Internet of Things in Manufacturing: Revolutionizing Efficiency & Quality | C...
Internet of Things in Manufacturing: Revolutionizing Efficiency & Quality | C...Internet of Things in Manufacturing: Revolutionizing Efficiency & Quality | C...
Internet of Things in Manufacturing: Revolutionizing Efficiency & Quality | C...
 
1.Wireless Communication System_Wireless communication is a broad term that i...
1.Wireless Communication System_Wireless communication is a broad term that i...1.Wireless Communication System_Wireless communication is a broad term that i...
1.Wireless Communication System_Wireless communication is a broad term that i...
 
一比一原版(CSU毕业证)加利福尼亚州立大学毕业证成绩单专业办理
一比一原版(CSU毕业证)加利福尼亚州立大学毕业证成绩单专业办理一比一原版(CSU毕业证)加利福尼亚州立大学毕业证成绩单专业办理
一比一原版(CSU毕业证)加利福尼亚州立大学毕业证成绩单专业办理
 
7 Best Cloud Hosting Services to Try Out in 2024
7 Best Cloud Hosting Services to Try Out in 20247 Best Cloud Hosting Services to Try Out in 2024
7 Best Cloud Hosting Services to Try Out in 2024
 
[HUN][hackersuli] Red Teaming alapok 2024
[HUN][hackersuli] Red Teaming alapok 2024[HUN][hackersuli] Red Teaming alapok 2024
[HUN][hackersuli] Red Teaming alapok 2024
 
Italy Agriculture Equipment Market Outlook to 2027
Italy Agriculture Equipment Market Outlook to 2027Italy Agriculture Equipment Market Outlook to 2027
Italy Agriculture Equipment Market Outlook to 2027
 
原版仿制(uob毕业证书)英国伯明翰大学毕业证本科学历证书原版一模一样
原版仿制(uob毕业证书)英国伯明翰大学毕业证本科学历证书原版一模一样原版仿制(uob毕业证书)英国伯明翰大学毕业证本科学历证书原版一模一样
原版仿制(uob毕业证书)英国伯明翰大学毕业证本科学历证书原版一模一样
 
学位认证网(DU毕业证)迪肯大学毕业证成绩单一比一原版制作
学位认证网(DU毕业证)迪肯大学毕业证成绩单一比一原版制作学位认证网(DU毕业证)迪肯大学毕业证成绩单一比一原版制作
学位认证网(DU毕业证)迪肯大学毕业证成绩单一比一原版制作
 
国外证书(Lincoln毕业证)新西兰林肯大学毕业证成绩单不能毕业办理
国外证书(Lincoln毕业证)新西兰林肯大学毕业证成绩单不能毕业办理国外证书(Lincoln毕业证)新西兰林肯大学毕业证成绩单不能毕业办理
国外证书(Lincoln毕业证)新西兰林肯大学毕业证成绩单不能毕业办理
 
test test test test testtest test testtest test testtest test testtest test ...
test test test test testtest test testtest test testtest test testtest test ...test test test test testtest test testtest test testtest test testtest test ...
test test test test testtest test testtest test testtest test testtest test ...
 
重新申请毕业证书(RMIT毕业证)皇家墨尔本理工大学毕业证成绩单精仿办理
重新申请毕业证书(RMIT毕业证)皇家墨尔本理工大学毕业证成绩单精仿办理重新申请毕业证书(RMIT毕业证)皇家墨尔本理工大学毕业证成绩单精仿办理
重新申请毕业证书(RMIT毕业证)皇家墨尔本理工大学毕业证成绩单精仿办理
 
一比一原版(LBS毕业证)伦敦商学院毕业证成绩单专业办理
一比一原版(LBS毕业证)伦敦商学院毕业证成绩单专业办理一比一原版(LBS毕业证)伦敦商学院毕业证成绩单专业办理
一比一原版(LBS毕业证)伦敦商学院毕业证成绩单专业办理
 
急速办(bedfordhire毕业证书)英国贝德福特大学毕业证成绩单原版一模一样
急速办(bedfordhire毕业证书)英国贝德福特大学毕业证成绩单原版一模一样急速办(bedfordhire毕业证书)英国贝德福特大学毕业证成绩单原版一模一样
急速办(bedfordhire毕业证书)英国贝德福特大学毕业证成绩单原版一模一样
 
Gen Z and the marketplaces - let's translate their needs
Gen Z and the marketplaces - let's translate their needsGen Z and the marketplaces - let's translate their needs
Gen Z and the marketplaces - let's translate their needs
 

IIW 27 Wednesday Session 3

  • 1. Best Practices for Managing (OAuth 2.0) Access Tokens Or How to Avoid Being the Next Victim after Facebook Bjorn Hjelm
  • 2. Background The Facebook data breach reported end of this September involved attackers obtaining access tokens for Facebook users. According to Facebook1, the vulnerability was the result of the interaction of the following three bugs: • First: For one type of composer (enabling people to wish their friends happy birthday) View As incorrectly provided the opportunity to post a video. • Second: The video uploader incorrectly generated an access token that had the permissions of the Facebook mobile app. • Third: When the video uploader appeared as part of View As, it generated the access token not for you as the viewer, but for the user that you were looking up. 1https://newsroom.fb.com/news/2018/09/security-update/#details
  • 3. Discussion • What are the best practices for when designing and granting Access Tokens? • Guidance from “Access Token Privilege Restriction” in IETF draft “OAuth 2.0 Security Best Current Practice”2? • “The privileges associated with an access token SHOULD be restricted to the minimum required for the particular application or use case. This prevents clients from exceeding the privileges authorized by the resource owner. It also prevents users from exceeding their privileges authorized by the respective security policy.“ • Other or additional suggestions or proposals? 2 draft-ietf-oauth-security-topics, https://datatracker.ietf.org/doc/draft-ietf-oauth-security-topics/