This is not how you do OAuth!

Feilamya · September 10, 2018, 5:37pm

The new EVE launcher opens a non-resizable popup window with no address bar. This is terrible practice and part of the cancer which makes OAuth insecure and susceptible to phishing.

It is not possible to verify the URL of the login page
It is not possible to verify the TLS certificate of the login page
It is impossible to tell if the login page was opened by the EVE launcher or some phishing site.
It is impossible to tell that the login page is a browser window or a popup opened by some malware.

Whoever designed this should take some time reading the RFCs:
https://datatracker.ietf.org/doc/rfc8252/ (especially section 8)
https://tools.ietf.org/html/rfc6819

To see a good example, look at how pyfa and most other third-party EVE apps do login. How could you possibly do it so wrong with your own client?

Ironically, when you click “Manage API permission” in the EVE launcher, the same app, it is done right! WTF?!

Rivr_Luzade · September 10, 2018, 6:20pm

Is this something in the new launcher version that it wants me to install or what exactly are you referring to?

Feilamya · September 10, 2018, 6:22pm

The “Log in with EVE” button that opens the login website in a (what seems to be) native window with an embedded browser.

Dynast · September 11, 2018, 2:21am

@Feilamya agreed. It is disconcerting to see such an incompetent implementation, this is the sort of thing which will get a whole lot of accounts stolen six months down the road when people are used to these unverifiable popups and think they’re perfectly normal.

system · December 10, 2018, 2:21am

This topic was automatically closed 90 days after the last reply. New replies are no longer allowed.