I have been pecking away at building an online service for the last year. I spent three months just getting the oath implementation functional (I couldn’t use an existing implementation). I still wasn’t satisfied

Then I read this. Twice

Win for me… I think I was actually vaguely aware of this and covered the risk. So I think I’m ok

1. I intentionally took measures that cover the described scenario
2. I don’t store anything that should be considered private

Maybe I’ll read it again just to be sure

OAuth 2.0 Hack Exposes 1 Billion Mobile Apps to Account Hijacking