6819_4_4_1_1

Eavesdropping or Leaking Authorization 'codes'

An attacker could try to eavesdrop transmission of the authorization 'code' between the authorization server and client. Furthermore, authorization 'codes' are passed via the browser, which may unintentionally leak those codes to untrusted web sites and attackers in different ways.

OAuth 2.0 Threat Model and Security Considerations (RFC6819, section 4.4.1.1)

Mitigations

This threat is considered fully mitigated if all the test cases from the following test set succeed.

Back to the threat overview