The most amazing thing about this is that it took them so long to think of this attack. It's a pretty simple idea. Is it really possible that so many major companies implemented this spec without even thinking it through?
Please feel free to point out if I'm wrong on this, but I don't quite understand why this cannot be solved by stiffening up some of the requirements for the callback portion of the authorization sequence.

For instance, the Provider could return two tokens with the callback: the original request token (to identify which request the callback is for) and a second "callback" token. To obtain an access token, the consumer would have to provide both the original access token as well as the callback token. Since the callback is issued as a redirect to the user, it wouldn't be possible for an outsider to discover the value of that callback token (I don't think?).

To provide additional security, I would think you could drop the request token from the callback URL altogether, and force the consumer to save the request token in a user session or cookie.

Well, I'm sure it's not as simple as this but I'd be interested in hearing why not, if that's the case.
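The two-token callback proposed in the comment above, as an added example that is not part of the original thread: a toy Python model of a provider and a consumer, run once without the extra "callback" token (the attacker who started the flow finishes it and gets an access token for the victim's account) and once with it (the attacker never saw the redirect that carried the token, so the exchange fails). The class names, the session store, and the parameter name `oauth_verifier` (borrowed from OAuth 1.0a) are assumptions of this example, not anything the page specifies.

```python
"""Toy model of the OAuth 1.0 session-fixation attack and the callback-token
fix proposed in the comment. Constructed example: Provider, Consumer and the
attack steps are illustrative, not code from the original page."""
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse


class Provider:
    """Issues request tokens, records the user's approval, and exchanges
    approved request tokens for access tokens."""

    def __init__(self, require_verifier):
        self.require_verifier = require_verifier
        self.request_tokens = {}   # request token -> state
        self.access_tokens = {}    # access token -> consumer key

    def issue_request_token(self, consumer_key, callback_url):
        token = secrets.token_urlsafe(16)
        self.request_tokens[token] = {"consumer": consumer_key, "callback": callback_url,
                                      "authorized": False, "verifier": None}
        return token

    def user_authorizes(self, request_token):
        """The user approves in their own browser. Returns the redirect URL
        sent to *that browser*; the second token travels only inside it."""
        rec = self.request_tokens[request_token]
        rec["authorized"] = True
        rec["verifier"] = secrets.token_urlsafe(16)
        params = {"oauth_token": request_token}
        if self.require_verifier:
            params["oauth_verifier"] = rec["verifier"]
        return rec["callback"] + "?" + urlencode(params)

    def exchange(self, request_token, verifier):
        rec = self.request_tokens.get(request_token)
        if rec is None or not rec["authorized"]:
            raise PermissionError("unknown or unauthorized request token")
        # The hardened provider demands both tokens; the unhardened one only the first.
        if self.require_verifier and not hmac.compare_digest(verifier or "", rec["verifier"]):
            raise PermissionError("callback token mismatch")
        del self.request_tokens[request_token]          # single use
        access = secrets.token_urlsafe(16)
        self.access_tokens[access] = rec["consumer"]
        return access


class Consumer:
    """Consumer web app. The request token is kept in the server-side session
    and the callback is only honoured for the session that started the flow."""
    CALLBACK = "https://consumer.example/callback"   # hypothetical URL

    def __init__(self, provider):
        self.provider = provider
        self.sessions = {}   # session id -> {"request_token": ..., "access_token": ...}

    def start(self, session_id):
        token = self.provider.issue_request_token("consumer-key", self.CALLBACK)
        self.sessions[session_id] = {"request_token": token, "access_token": None}
        return token   # the user is now sent to the provider's authorize page for this token

    def callback(self, session_id, url):
        sess = self.sessions.get(session_id)
        if sess is None:
            raise PermissionError("no pending authorization in this session")
        qs = parse_qs(urlparse(url).query)
        if qs.get("oauth_token", [None])[0] != sess["request_token"]:
            raise PermissionError("callback does not match this session's request token")
        verifier = qs.get("oauth_verifier", [None])[0]
        sess["access_token"] = self.provider.exchange(sess["request_token"], verifier)
        return sess["access_token"]


def simulate_attack(hardened):
    """True if the attacker ends up holding an access token for the victim's account."""
    provider = Provider(require_verifier=hardened)
    consumer = Consumer(provider)
    # 1. Attacker starts a flow in *their* session and learns request token T.
    t = consumer.start("attacker-session")
    # 2. Attacker lures the victim to the provider's authorize page for T; the victim approves.
    victim_redirect = provider.user_authorizes(t)    # delivered only to the victim's browser
    # 3. The attacker never sees victim_redirect, so they poll the callback with T alone.
    attacker_url = Consumer.CALLBACK + "?" + urlencode({"oauth_token": t})
    try:
        consumer.callback("attacker-session", attacker_url)
        return True
    except PermissionError:
        return False


def legitimate_flow(hardened):
    """Sanity check: the same user starting and finishing the flow still succeeds."""
    provider = Provider(require_verifier=hardened)
    consumer = Consumer(provider)
    t = consumer.start("user-session")
    redirect = provider.user_authorizes(t)
    return consumer.callback("user-session", redirect) in provider.access_tokens


if __name__ == "__main__":
    print("attacker wins without callback token:", simulate_attack(hardened=False))
    print("attacker wins with callback token:   ", simulate_attack(hardened=True))
```

The second token only helps because it is delivered exclusively to the browser that approved the request and is checked with a constant-time comparison before the exchange; binding the request token to the consumer's session, as the comment also suggests, is what stops a callback for someone else's token from being completed in the caller's session.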