Create a security consideration/note on A. Cuckoo’s Token Attack (FAPI 1.0)

Comments (7)

1. 

   Nat Sakimura reporter

   • edited description

   • 2022-07-21T06:20:07+00:00
2. 

   Joseph Heenan

   It is mentioned in the security considerations, https://openid.net/specs/openid-financial-api-part-2-1_0.html#access-token-phishing which says:

   An attacker could try to trick a client under his control to make use of the access token as described in [FAPISEC] ("Cuckoo's Token Attack" and "Access Token Injection with ID Token Replay"), but these attacks additionally require a rogue AS or misconfigured token endpoint.

   ‌

   • 2022-07-22T10:04:07+00:00
3. 

   Nat Sakimura reporter

   The same kind of thing needs to be documented in FAPI 2.0.

   • 2022-07-27T14:32:20+00:00
4. 

   Nat Sakimura reporter

   • changed status to invalid

   Ok. It was in the security considerations already so I will mark this as invalid.

   • 2022-08-03T14:40:22+00:00
5. 

   Nat Sakimura reporter

   • changed component to Part 2: Advanced

   • 2022-12-14T15:36:14+00:00
6. 

   Nat Sakimura reporter

   • changed component to FAPI 1 – Part 2: Advanced

   • 2022-12-14T15:36:47+00:00
7. 

   Nat Sakimura reporter

   • changed component to FAPI 1: Advanced

   • 2022-12-14T15:38:57+00:00
8. Log in to comment