
Oauth2 Client_secret on frontend is always a security issue

Open kadary opened this issue 6 years ago • 3 comments

Hello,

You asked us to file an issue if we think the OAuth2 app client_secret is a security risk in the frontend.

Just to let you know that your client secret can be used to manipulate other GitHub resources using mechanisms other than the OAuth2 authorization_code flow. It can be used in the GitHub authorizations APIs to gain information about your end-users, for example (https://developer.github.com/v3/oauth_authorizations/).

kadary avatar Jan 28 '19 06:01 kadary
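One way to keep the secret out of the browser, shown here as an added example that is not gitment's own code: the page receives only the authorization code from GitHub's redirect and posts it to a small backend that holds the secret and performs the token exchange. It assumes Node 18+ (global `fetch`); the config values and function names are hypothetical.

```javascript
// Added example (not gitment's code): keep the GitHub OAuth client_secret
// on a backend and let the browser call only this backend with the
// authorization code. Node 18+ (global fetch). Names are hypothetical.
const TOKEN_URL = 'https://github.com/login/oauth/access_token';

// Frontend-safe config: everything the browser is allowed to know.
// The secret is deliberately absent; the values are constructed placeholders.
const PUBLIC_CONFIG = {
  client_id: 'example-client-id',
  redirect_uri: 'https://example.invalid/callback',
  scope: 'public_repo',
};

// Build-time guard: refuse to ship a config object that carries a
// secret-looking key into the client bundle.
function assertNoSecretInPublicConfig(config) {
  const leaked = Object.keys(config).filter((k) => /secret|token/i.test(k));
  if (leaked.length) {
    throw new Error(`frontend config must not contain: ${leaked.join(', ')}`);
  }
  return true;
}

// Server-side exchange. The secret comes from the backend's environment
// (e.g. process.env.GITHUB_CLIENT_SECRET), never from the request.
// fetchImpl is injectable so the exchange can be tested without network.
async function exchangeCodeForToken(code, { clientSecret, fetchImpl = fetch } = {}) {
  if (typeof code !== 'string' || !/^[A-Za-z0-9]+$/.test(code)) {
    throw new Error('invalid authorization code');
  }
  if (!clientSecret) throw new Error('client secret not configured on backend');
  const res = await fetchImpl(TOKEN_URL, {
    method: 'POST',
    headers: { Accept: 'application/json', 'Content-Type': 'application/json' },
    body: JSON.stringify({
      client_id: PUBLIC_CONFIG.client_id,
      client_secret: clientSecret,
      code,
      redirect_uri: PUBLIC_CONFIG.redirect_uri,
    }),
  });
  const data = await res.json();
  if (data.error || !data.access_token) {
    throw new Error(`token exchange failed: ${data.error || 'no access_token'}`);
  }
  // Only the user-scoped access token goes back to the browser, never the secret.
  return { access_token: data.access_token, scope: data.scope };
}
```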

Hello @kadary,

I've been thinking about the same when reading about client_secret being used on the front-end. After reading your ticket about it, the thing that made it even funnier is that we even think alike with our profile pictures. :laughing:

szabolcs-szilagyi avatar Nov 08 '20 20:11 szabolcs-szilagyi

Well, when I saw this, I jumped out from my seat. I expected some kind of hashing or something to hide it.

So, I've moved to https://utteranc.es/, which does not have this security issue.

GerkinDev avatar Feb 01 '21 21:02 GerkinDev
