• pixxelkick@lemmy.world · 12 points · 8 months ago

    Note that ChatGPT indeed implemented a state parameter, but their state was not a random value, and therefore could be guessed by the attacker.

    Bruh wut, rookie mistake.

    State is supposed to be mathematically random and should expire fairly quickly.

    I've always used a random GUID that expires after 10-15 minutes for state; if they try to complete the OAuth flow with an expired state value, I reject it and ask them to try again.

    Also yeah, the redirect URI trick is common; that's why OAuth APIs must always have a "whitelist URLs" functionality. And not just the domain, the whole URL.

    That's why when you make a Google API token you gotta specify explicitly what URLs it's valid for. That way any other redirect URI gets rejected, to prevent an injection attack from a third party providing their own different redirect URI to a victim.

    OAuth is pretty explicit about all these things in its spec. It really sucks that people treat them as optional, "not important" factors.

    It’s important. Do it. Always.
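One way to implement what the comment describes, the state parameter as an unguessable, single-use, short-lived value and the redirect URI as an exact-match allowlist, is shown below. This is an added example, not the commenter's code and not the implementation of ChatGPT, Google or any OAuth library; the allowlist entries, the in-memory store, the 10-minute TTL and the function names are assumptions chosen for illustration.

```python
import secrets
import time
from urllib.parse import urlencode, urlsplit

# Constructed allowlist of full redirect URIs (assumed values, not a real app).
# The check below is exact-match on the whole URI, not on the host alone.
ALLOWED_REDIRECT_URIS = {
    "https://app.example.com/oauth/callback",
    "https://app.example.com/admin/callback",
}

STATE_TTL_SECONDS = 10 * 60  # within the 10-15 minute window the comment mentions


class StateStore:
    """Server-side record of issued state values and when they were issued.

    In a real deployment this lives in the user's session or a cache; an
    in-memory dict and an injectable clock are used here so the example runs
    offline and can be tested with a fake clock.
    """

    def __init__(self, ttl=STATE_TTL_SECONDS, clock=time.time):
        self._ttl = ttl
        self._clock = clock
        self._issued = {}

    def issue(self):
        # 32 bytes from the OS CSPRNG: unguessable, unlike a counter,
        # timestamp or hash of the user id, which is the failure the comment calls out.
        state = secrets.token_urlsafe(32)
        self._issued[state] = self._clock()
        return state

    def consume(self, state):
        """True exactly once for a fresh, unexpired state; False otherwise."""
        issued_at = self._issued.pop(state, None)  # single-use: gone after first check
        if issued_at is None:
            return False  # never issued, already used, or guessed
        return self._clock() - issued_at <= self._ttl  # expired values are rejected


def redirect_uri_allowed(redirect_uri):
    """Exact-match allowlist check on the whole URI.

    Host-only or prefix matching would accept attacker-chosen paths or query
    strings on the same host; only a literal allowlisted URI passes here.
    """
    parts = urlsplit(redirect_uri)
    if parts.scheme != "https" or parts.query or parts.fragment:
        return False
    return redirect_uri in ALLOWED_REDIRECT_URIS


def start_authorization(store, client_id, redirect_uri):
    """Build the query for the authorization request, or return None if the
    requested redirect URI is not allowlisted."""
    if not redirect_uri_allowed(redirect_uri):
        return None
    state = store.issue()
    return urlencode({
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "state": state,
    })


def finish_authorization(store, returned_state, redirect_uri):
    """Decide whether a callback may be exchanged for tokens.

    Both checks must pass: the state must be one we issued, unused and
    unexpired, and the redirect URI must be exactly allowlisted.
    """
    if not redirect_uri_allowed(redirect_uri):
        return False
    return store.consume(returned_state)


if __name__ == "__main__":
    store = StateStore()
    query = start_authorization(store, "demo-client", "https://app.example.com/oauth/callback")
    print("authorize?" + query)
```

Note that `consume` removes the state on first use whatever the outcome, so a replayed callback with the same state fails even inside the TTL, and an expired state is not just rejected but also forgotten.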