I recently stumbled upon several articles mentioning the possibility of hijacking existing accounts in a website that offers oauth connect. See for example here:
The authors suggest several techniques to mitigate these issues. One option is to require the user to enter the current password again before connecting an existing account with some oauth account (no option when connecting an account without a password, of course).
Does HWIOAuthBundle offer any protective measures to prevent these attacks? I couldn't yet figure out a way to add additional security checks apart from CSRF tokens (which apparently is broken with Facebook as the second article points out).
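As an added illustration (not HWIOAuthBundle's own code, and not from the asker), here is a framework-agnostic PHP sketch of the mitigation the question describes: the "connect" flow binds the OAuth `state` parameter to the logged-in session and refuses to link a provider identity unless the user re-entered their current password shortly before. `$session`, `beginConnect`, `recordReauth` and `finishConnect` are hypothetical names; the real bundle's hooks would differ.

```php
<?php
// Added example, not HWIOAuthBundle code. $session is a plain array standing in
// for the framework's session store; the three functions are hypothetical.

const REAUTH_WINDOW_SECONDS = 300; // password must have been re-entered within 5 minutes

// Step 1: start the connect flow. Mint a random state and bind it to the
// session of the currently logged-in user, so a pre-built callback URL
// handed to a victim does not match any state in the victim's session.
function beginConnect(array &$session, string $userId): string
{
    $state = bin2hex(random_bytes(32));
    $session['oauth_connect_state'] = $state;
    $session['oauth_connect_user'] = $userId;
    return $state; // send this as the OAuth "state" parameter
}

// Step 2: record that the user just proved knowledge of the current password
// (the re-entry form). Accounts without a password skip this step and must
// not be allowed to pass finishConnect() until some other re-auth exists.
function recordReauth(array &$session, bool $passwordOk, int $now): void
{
    if ($passwordOk) {
        $session['reauth_at'] = $now;
    }
}

// Step 3: on the provider callback, link only if the state matches the one
// bound to this session, the session still belongs to the same user, and the
// password was re-entered recently. Returns true when linking may proceed.
function finishConnect(array &$session, string $returnedState, string $userId, int $now): bool
{
    $expected = $session['oauth_connect_state'] ?? '';
    $reauthAt = $session['reauth_at'] ?? 0;
    unset($session['oauth_connect_state']); // state is single use
    if ($expected === '' || !hash_equals($expected, $returnedState)) {
        return false; // missing or mismatched state: treat as CSRF, do not link
    }
    if (($session['oauth_connect_user'] ?? null) !== $userId) {
        return false; // session changed users mid-flow
    }
    if ($now - $reauthAt > REAUTH_WINDOW_SECONDS) {
        return false; // caller should redirect to the password re-entry form
    }
    return true; // safe to associate the provider identity with $userId
}
```

The state check covers the cross-site request forgery case the question mentions, and the re-auth window covers the case where a logged-in victim is tricked into completing someone else's connect flow.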