YoVDO

How to Leak a 100-Million-Node Social Graph in Just One Week

Offered By: Black Hat via YouTube

Tags

Black Hat Courses
Cybersecurity Courses
OAuth 2.0 Courses
API Security Courses
Privilege Escalation Courses

Course Description

Overview

Explore the vulnerabilities in OAuth 2.0 implementations at Online Social Networks (OSNs) in this 31-minute Black Hat conference talk. Discover how application impersonation can lead to massive user data leakage, even when best practices are followed. Learn about a proof-of-concept experiment that demonstrates the ability to collect a 100-million-user social graph in just one week for only $150 USD. Understand the root causes of these security issues, including the implicit-authorization-grant flow and the use of bearer tokens. Examine the consequences of privilege escalation and the urgent need for industry practitioners to review their API designs. Gain insights into potential solutions, such as providing opt-out mechanisms for certain OAuth features and considering application protection in future protocol designs. Delve into topics such as the Implicit Flow, Token Types, and strategies for preventing application impersonation.

Syllabus

Introduction
What's the problem
Basic protocol
Key idea
Consequences
Earth
Conclusion
Implicit Flow
Token Type
Feedback
The Problem
Factors
App Impersonation Out
How to Fix
Protection
Refresh Token
App Impersonation Prevention
Programmers are lazy
Developers use the right way
Facebook
App Secret


Taught by

Black Hat

Related Courses

Designing RESTful APIs
Udacity
API Design and Fundamentals of Google Cloud's Apigee API Platform
Google Cloud via Coursera
API Development on Google Cloud's Apigee API Platform
Google Cloud via Coursera
API Security on Google Cloud's Apigee API Platform
Google Cloud via Coursera
Developing APIs with Google Cloud's Apigee API Platform
Google Cloud via Coursera