Comments on thái: Flickr's API Signature Forgery Vulnerability

David Wagner (http://www.cs.berkeley.edu/~daw/), 2009-09-30T12:51:11.411-07:00:

Thanks for the very clear explanation! That's incredible that these services deployed the cryptography in such an obviously broken way. The problems with this type of way for authenticating messages have been known for decades, exactly as you say.

Anonymous (https://www.blogger.com/profile/12260514541117400711), 2009-09-28T14:39:07.814-07:00:

Thanks for the clear and concise write up. This vulnerability has been known for some time, and is specifically addressed in OAuth (which is derived partially from Flickr's approach).

If you'd like to lend your eyes to the OAuth Working Group at the IETF, any help identifying potential security problems would be greatly appreciated. Discussions are currently happening on the OAuth WG list, here: https://www.ietf.org/mailman/listinfo/oauth