Michael Richardson

OAuth doesn’t stop phishing.

Look, I love OAuth. It’s amazing. You should be using it if you aren’t. But it doesn’t really help against phishing attacks.

The attack against an OAuth-enabled service is the same as the attack against an OpenID provider, which is the same as a normal phishing attack.

Here’s what an evil site does:

  1. You go to Evil Site. It looks like a compelling service, so you take the steps to authorize your Twitter account on it (say, click an ‘Add Twitter Functionality’ button or something).
  2. Evil Site redirects you to a page that looks exactly like the Twitter login screen but is, in fact, under their control.
  3. You enter your username and password to log in. Your account is now compromised. They have your credentials. Rather than showing you a big “HAHAH, we haxored you!” screen, though, they probably go through the usual process - “Allow Evil Site to access your Twitter information” and the like.
  4. You are redirected back to Evil Site, which either continues the charade, shows a fake error page, whatever. It doesn’t really matter, your account is compromised.

OAuth doesn’t stop phishing!
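The only thing that distinguishes step 2 above from a legitimate authorization flow is where the browser gets sent, and OAuth itself never checks that. The following is an added example, not code from this post: a check a user agent or browser extension could apply to an authorization redirect before following it. The set of legitimate login hosts is an assumption for illustration; a real deployment would take it from the provider's documentation.

```python
from urllib.parse import urlsplit

# Assumed for this example: the hosts on which the real provider serves its
# login/authorize pages. Treated as an exact-match allowlist.
LEGIT_AUTH_HOSTS = {"twitter.com", "api.twitter.com"}


def is_legit_authorize_url(url: str) -> bool:
    """Return True only if `url` points at the real provider over HTTPS.

    The phishing flow works because the user follows whatever redirect the
    requesting site issues. Anything whose host is not exactly one of the
    provider's known login hosts is refused, which covers lookalikes that put
    the provider's name in a subdomain or in the userinfo part of the URL.
    """
    try:
        parts = urlsplit(url)
    except ValueError:
        # Malformed URL (e.g. bad IPv6 literal): treat as not legitimate.
        return False
    if parts.scheme != "https":
        # A real login page is never served over plain http.
        return False
    # .hostname drops userinfo ("twitter.com@evil.example" -> "evil.example")
    # and the port, and lowercases the host, so the comparison is exact.
    host = parts.hostname
    if not host:
        return False
    return host in LEGIT_AUTH_HOSTS


def classify_redirects(urls):
    """Map each candidate redirect URL to whether it should be followed."""
    return {u: is_legit_authorize_url(u) for u in urls}


if __name__ == "__main__":
    # Constructed sample redirects: one real, the rest lookalikes of the
    # kind step 2 of the attack relies on.
    samples = [
        "https://api.twitter.com/oauth/authorize?oauth_token=example",
        "https://twitter.com.evil.example/oauth/authorize",
        "https://twitter.com@evil.example/oauth/authorize",
        "http://twitter.com/oauth/authorize",
    ]
    for url, ok in classify_redirects(samples).items():
        print(("follow " if ok else "REFUSE ") + url)
```

Note that this only helps a user who has such a check in place; it does not change the protocol, which is exactly the point of the post.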

That in no way means that you shouldn’t use OAuth, though. It prevents the password antipattern, which means that the minute you stop trusting a (legitimate) site, you can revoke its access to your account. Rather than handing out your credentials to the first good-looking site that asks for them, you provide a way for sites to access your data - you don’t give them your identity.

Use OAuth! But just keep in mind that it doesn’t solve everything.