IdP Mix-up Attack on OAuth [RFC6749]

On Sunday 10, 2016, OAuth Security Advisory: Authorization Server Mix-Up was issued. Nov Matake wrote an excellent article about it in Japanese. To help understand the readers of the attack, I am translating the portion of his blog post explaining the attack with his permission, then expand on it. Assumptions The attacker can proxy the non-TLS-protected […]

Public Review of UMA 0.9 is going on

June 24: The three main UMA Version 0.9 specifications – UMA Core , OAuth Resource Set Registration , and UMA Claim Profiles  – are out for a45-day public review period ending September 6 at 17:00 Pacific time. This review is in preparation for advancement of these specs as Kantara Initiative Recommendations. If you have specification comments or IPR review comments, be sure to follow the commenting […]

New vulnerability on OpenSSL found

A new bug in OpenSSL was found by Masashi Kikuchi of Lepidum. It affects all versions of OpenSSL earlier than 1.0.1. For details, please refer to: and

Is Facebook “Like” button tracking you?

Since I am using it on this blog also, I probably should not talk loudly, but I feel creepy about the Facebook “Like” button. If you go to a site with the “Like” button when you are logged into Facebook, a Cookie like below gets sent. csm=2; xs=3:2bPC2V….; datar=eVE7TanyekLi2UeCWqCdYaUo; fr=0PBQNPwSEhxk3vCRg.RVUkbgel9qAjCByqVqRQ0lSpntc; lu=The17FfNt9Yc_hqg8eoWG04B; s=Ba98fsjdlw-QWvPeofj.BP_Wqm; c_user=1048138174; act=134500423456/1:0; sub=1; […]