Comment by mooreds
3 years ago
So it was the combination of:
* the additional redirect using the JSON object in state
* the `subdomain` not being properly verified
* the implicit grant being supported
Which allowed an attacker to get an access token for a user's Microsoft account.
From my reading, this seems to be entirely an issue due to an improper implementation on Harvest's side, nothing to do with Microsoft's implementation of OAuth. Am I correct?
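To make the three ingredients above concrete, here is an added illustration (not code from the post or from Harvest) contrasting a loose `subdomain` check with a strict one, and resolving the post-login redirect from the `state` JSON without ever honouring a URL carried inside it. The base domain, the registered-tenant set and the callback path are constructed for the example.

```python
import json
import re

# Constructed for this example: the app only ever sends users back to
# registered tenant subdomains of one base domain.
BASE_DOMAIN = "example.com"
REGISTERED_SUBDOMAINS = {"acme", "globex"}
SUBDOMAIN_RE = re.compile(r"^[a-z0-9][a-z0-9-]{0,62}$")


def weak_subdomain_check(candidate: str) -> bool:
    # The failure mode the thread describes: a loose check that only looks
    # for the base domain somewhere in the value, so an attacker-controlled
    # host that merely contains "example.com" passes.
    return BASE_DOMAIN in candidate


def strict_subdomain_check(candidate: str) -> bool:
    # Shape-validate the label, then require an exact match against the set
    # the app itself registered; nothing else can receive the callback.
    return bool(SUBDOMAIN_RE.match(candidate)) and candidate in REGISTERED_SUBDOMAINS


def resolve_post_login_redirect(state: str):
    # Returns the URL the OAuth callback should redirect to, or None to refuse.
    try:
        data = json.loads(state)
    except (ValueError, TypeError):
        return None
    if not isinstance(data, dict):
        return None
    subdomain = data.get("subdomain")
    if not isinstance(subdomain, str) or not strict_subdomain_check(subdomain):
        return None
    # Any full URL smuggled in state (e.g. a "redirect" key) is ignored:
    # only the validated subdomain plus a fixed path decides the destination.
    return f"https://{subdomain}.{BASE_DOMAIN}/oauth/callback"


def allowed_response_type(response_type: str) -> bool:
    # Accept only the authorization-code flow; the implicit grant ("token")
    # is what let the access token itself ride along in the redirect.
    return response_type == "code"
```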
Clearly not, or I doubt we would be reading this blog post.
I assume that for several years though, that was exactly what Microsoft thought too.
What am I missing then?
It seems pretty clear to me from reading the blog post that the issue was what I outlined (sorry for the lack of list formatting, I always forget I need an extra line after each bullet point).
Not sure what parent was talking about. You are correct. This is Harvest’s responsibility, not Microsoft’s.