6819_4_2_1

Password Phishing by Counterfeit Authorization Server

OAuth makes no attempt to verify the authenticity of the authorization server. A hostile party could take advantage of this by intercepting the client's requests and returning misleading or otherwise incorrect responses. This could be achieved using DNS or Address Resolution Protocol (ARP) spoofing. Wide deployment of OAuth and similar protocols may cause users to become inured to the practice of being redirected to web sites where they are asked to enter their passwords. If users are not careful to verify the authenticity of these web sites before entering their credentials, it will be possible for attackers to exploit this practice to steal users' passwords.

OAuth 2.0 Threat Model and Security Considerations (RFC6819, section 4.2.1)

Mitigations

This threat is considered fully mitigated if all the test cases from the following test set succeed.
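The countermeasure RFC 6819 pairs with this threat is to require transport-layer security for every request where the authenticity of the authorization server matters, and to send users only to endpoints the client already trusts. The block below is an added illustration of the client-side half of that check; it is not the catalogue's test set and not code from the RFC or from any OAuth library. The issuer "https://as.example", the discovery documents and the attacker hostnames are constructed for the example.

```python
"""Client-side checks against a counterfeit OAuth authorization server.

Added example: not code from RFC 6819 or from any OAuth library. A client that
(1) learns its authorization-server endpoints only from a discovery document
whose issuer matches the issuer configured out of band, (2) refuses any
endpoint that is not https on the issuer's host and port, and (3) opens
connections with CA and hostname verification, cannot be sent to a spoofed
login page by a DNS or ARP answer alone: the attacker would also need a
valid certificate for the issuer host. Issuer and documents are constructed.
"""
import socket
import ssl
from dataclasses import dataclass
from urllib.parse import urlparse


class CounterfeitServerError(Exception):
    """Raised when an endpoint or metadata document does not match the trusted issuer."""


@dataclass(frozen=True)
class TrustedAuthorizationServer:
    issuer: str  # configured out of band, never taken from a network response


def check_endpoint(trusted, url, name="endpoint"):
    """Accept `url` only if it is https on the trusted issuer's host and port.

    Rejects the plaintext downgrade (http://as.example/...), a look-alike host
    (https://login.as-example.com/...) and the userinfo trick
    (https://as.example@evil.example/...), whose real host is evil.example.
    """
    expected = urlparse(trusted.issuer)
    given = urlparse(url)
    if given.scheme != "https":
        raise CounterfeitServerError(f"{name} is not https: {url}")
    if given.hostname is None or given.hostname != expected.hostname:
        raise CounterfeitServerError(
            f"{name} host {given.hostname!r} is not the trusted host {expected.hostname!r}")
    if (given.port or 443) != (expected.port or 443):
        raise CounterfeitServerError(f"{name} port differs from the trusted issuer: {url}")
    return url


def validate_metadata(trusted, metadata):
    """Validate an RFC 8414 / OpenID discovery document before using any endpoint in it.

    The issuer value must be identical to the configured issuer, and every
    endpoint the client will send users or tokens to must pass check_endpoint.
    """
    if metadata.get("issuer") != trusted.issuer:
        raise CounterfeitServerError(f"issuer {metadata.get('issuer')!r} != {trusted.issuer!r}")
    for field in ("authorization_endpoint", "token_endpoint"):
        if field not in metadata:
            raise CounterfeitServerError(f"metadata lacks {field}")
        check_endpoint(trusted, metadata[field], field)
    return True


def rejects(trusted, metadata):
    """True if validate_metadata refuses the document (used to exercise the checks)."""
    try:
        validate_metadata(trusted, metadata)
    except CounterfeitServerError:
        return True
    return False


def tls_context():
    # create_default_context() loads the system CAs and sets CERT_REQUIRED plus
    # check_hostname=True; the minimum version is pinned so a downgrade is refused.
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def tls_context_is_strict():
    ctx = tls_context()
    return ctx.verify_mode == ssl.CERT_REQUIRED and ctx.check_hostname


def open_verified_connection(trusted, url):
    """Connect to a validated endpoint with certificate and hostname verification.

    Not exercised offline. If DNS or ARP spoofing steers this connection to an
    attacker host, the handshake fails unless the attacker also presents a
    certificate for the issuer hostname that chains to a trusted CA.
    """
    host = urlparse(check_endpoint(trusted, url)).hostname
    port = urlparse(url).port or 443
    return tls_context().wrap_socket(socket.create_connection((host, port)),
                                     server_hostname=host)


TRUSTED = TrustedAuthorizationServer(issuer="https://as.example")

GOOD_METADATA = {  # constructed, as the genuine server would publish it
    "issuer": "https://as.example",
    "authorization_endpoint": "https://as.example/authorize",
    "token_endpoint": "https://as.example/token",
}
# Constructed counterfeit documents, as a spoofing attacker might return them.
DOWNGRADED = dict(GOOD_METADATA, authorization_endpoint="http://as.example/authorize")
ATTACKER_HOST = dict(GOOD_METADATA, authorization_endpoint="https://login.as-example.com/authorize")
USERINFO_TRICK = dict(GOOD_METADATA, authorization_endpoint="https://as.example@evil.example/authorize")
FORGED_ISSUER = dict(GOOD_METADATA, issuer="https://evil.example")

if __name__ == "__main__":
    validate_metadata(TRUSTED, GOOD_METADATA)
    for doc in (DOWNGRADED, ATTACKER_HOST, USERINFO_TRICK, FORGED_ISSUER):
        assert rejects(TRUSTED, doc)
    print("trusted metadata accepted, four counterfeit documents rejected")
```

The checks on the discovery document are the part a client can run offline; the TLS context does the rest at connection time. None of this addresses the user-side half of the threat (a user typing a password into a look-alike page reached outside the client's redirect), which is why the RFC also asks authorization servers to help users confirm that they are on the genuine site.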
