This is not how you do OAuth!


(Feilamya) #1

The new EVE launcher opens a non-resizable popup window with no address bar. This is terrible practice and part of the cancer which makes OAuth insecure and susceptible to phishing.

  1. It is not possible to verify the URL of the login page.
  2. It is not possible to verify the TLS certificate of the login page.
  3. It is impossible to tell if the login page was opened by the EVE launcher or some phishing site.
  4. It is impossible to tell that the login page is a browser window or a popup opened by some malware.

Whoever designed this should take some time reading the RFCs:
https://datatracker.ietf.org/doc/rfc8252/ (especially section 8)
https://tools.ietf.org/html/rfc6819

To see a good example, look at how pyfa and most other third-party EVE apps do login. How could you possibly do it so wrong with your own client?

Ironically, when you click “Manage API permission” in the EVE launcher, the same app, it is done right! WTF?!
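As an added example (not code from the original post, nor from CCP, pyfa or any other EVE app), the pattern RFC 8252 section 8 calls for in a native client: hand the authorization URL to the system browser, where the user can see the address bar and certificate, receive the redirect on a loopback listener, and bind the round trip with `state` and PKCE (RFC 7636). The endpoint, client id and port are assumed placeholders, and the final code-for-token exchange is left out.

```python
import base64, hashlib, secrets, webbrowser
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs, urlencode, urlparse
# Assumed placeholders, not the real EVE SSO values; take them from the provider's docs.
AUTHORIZE_URL = "https://sso.example.invalid/oauth/authorize"
CLIENT_ID = "PLACEHOLDER_CLIENT_ID"
REDIRECT_URI = "http://127.0.0.1:8765/callback"  # loopback redirect, RFC 8252 section 7.3

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def pkce_challenge(verifier: str) -> str:
    """S256 code challenge from RFC 7636: BASE64URL(SHA-256(verifier))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())

def build_authorize_url(verifier: str, state: str, scopes: str) -> str:
    # This URL goes to the system browser, so the user can read the address bar and TLS padlock.
    params = {"response_type": "code", "client_id": CLIENT_ID, "redirect_uri": REDIRECT_URI,
              "scope": scopes, "state": state, "code_challenge": pkce_challenge(verifier),
              "code_challenge_method": "S256"}
    return AUTHORIZE_URL + "?" + urlencode(params)

def parse_callback(path: str, expected_state: str) -> str:
    """Extract the code from the loopback redirect, refusing anything not tied to this attempt."""
    qs = parse_qs(urlparse(path).query)
    if qs.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: redirect does not belong to this login attempt")
    code = qs.get("code", [None])[0]
    if not code:
        raise ValueError("no authorization code: " + qs.get("error", ["unknown error"])[0])
    return code

def login(scopes: str) -> tuple:
    verifier, state = b64url(secrets.token_bytes(32)), b64url(secrets.token_bytes(16))
    result = {}
    class Handler(BaseHTTPRequestHandler):
        def do_GET(self):
            try:
                result["code"] = parse_callback(self.path, state)
            except ValueError as exc:
                result["error"] = str(exc)
            self.send_response(400 if "error" in result else 200)
            self.end_headers()
            self.wfile.write(b"You can close this tab now.")
    webbrowser.open(build_authorize_url(verifier, state, scopes))  # external user-agent, never embedded
    with HTTPServer(("127.0.0.1", 8765), Handler) as srv:
        srv.handle_request()  # accept exactly one redirect, then stop listening
    if "error" in result:
        raise RuntimeError(result["error"])
    return result["code"], verifier  # verifier is sent with the code in the token request
```

`login("publicData")` returns the authorization code plus the PKCE verifier; the token request that follows must carry both so the server can check the verifier against the challenge it saw.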


(Rivr Luzade) #2

Is this something in the new launcher version that it wants me to install or what exactly are you referring to?


(Feilamya) #3

The “Log in with EVE” button that opens the login website in a (what seems to be) native window with an embedded browser.


(Dynast) #4

@Feilamya agreed. It is disconcerting to see such an incompetent implementation; this is the sort of thing which will get a whole lot of accounts stolen six months down the road when people are used to these unverifiable popups and think they’re perfectly normal.


(system) #5

This topic was automatically closed 90 days after the last reply. New replies are no longer allowed.