As part of our ongoing security strengthening of the FreeAgent app and surrounding infrastructure, we are considering requiring that a predefined OAuth redirect URI be specified in your integration settings. This will limit the vulnerability of our API to phishing and/or MITM attacks.
e.g. if a malicious app intercepted the OAuth access request and rewrote the redirect_uri parameter then an unsuspecting user may provide an authorisation token to an endpoint not controlled by the integration.
(not URL escaped for readability)
could be intercepted and rewritten to
If the user were to approve that integration then the user could potentially provide access to their FreeAgent data without realising.
We wanted to get a feel for how this change would impact our users before rolling the restriction out - how many of you have multiple OAuth callback endpoints per production app? Our thought was to not apply the restriction to your sandbox accounts to make testing easier - we’ve worked with third party APIs ourselves and we know the pain that it can cause.
Any changes we make would only apply for newly created integrations and/or when an integration is updated by its developer in order to maintain existing behaviour for current integrations.
If anyone has any thoughts on this, please do let us know as we’re planning on making this change sooner rather than later!
Software Engineer, FreeAgent.
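The redirect_uri rewrite described in the post, and the exact-match check that registering a single redirect URI would enable, as an added example that is not FreeAgent's own code. The authorization endpoint host, client ID, callback URLs and authorization code are constructed for the example; the strict validator does the simple string comparison RFC 6749 section 3.1.2.3 calls for, so trailing-slash, path-suffix, subdomain and scheme-downgrade variants of the registered URI are all refused rather than redirected to.

```python
"""Simulated OAuth 2.0 authorization endpoint: trusting the request's
redirect_uri versus comparing it with a registered value.

Hosts, client IDs and the authorization code are constructed for this example.
"""
from urllib.parse import parse_qs, urlencode, urlsplit, urlunsplit

AUTHORIZE_ENDPOINT = "https://auth.example.com/oauth/authorize"  # hypothetical

# Hypothetical integration registry: one exact redirect URI per client_id,
# which is what the proposed integration setting would hold.
REGISTERED_REDIRECT_URIS = {
    "acme-books": "https://acme-books.example.net/oauth/callback",
}


def build_authorize_url(client_id, redirect_uri, state):
    """The URL the integration sends the user to (the OAuth access request)."""
    query = urlencode({"response_type": "code", "client_id": client_id,
                       "redirect_uri": redirect_uri, "state": state})
    return AUTHORIZE_ENDPOINT + "?" + query


def tamper_redirect_uri(authorize_url, attacker_uri):
    """What a malicious app that intercepts the request does: swap redirect_uri."""
    parts = urlsplit(authorize_url)
    params = {k: v[0] for k, v in parse_qs(parts.query).items()}
    params["redirect_uri"] = attacker_uri
    return urlunsplit(parts._replace(query=urlencode(params)))


def accept_any_redirect_uri(client_id, redirect_uri):
    """Behaviour without a registered URI: any redirect_uri in the request is trusted."""
    return client_id in REGISTERED_REDIRECT_URIS


def accept_registered_redirect_uri(client_id, redirect_uri):
    """Behaviour with a registered URI: simple string comparison (RFC 6749 s3.1.2.3).
    No prefix, suffix, trailing-slash or host-suffix tolerance."""
    return REGISTERED_REDIRECT_URIS.get(client_id) == redirect_uri


def issue_code_redirect(authorize_url, validator, code="constructed-code"):
    """Simulate the server after the user approves: return the URL the browser is
    sent to carrying the authorization code, or None when the server refuses
    to redirect (it should show an error page instead of bouncing the user)."""
    params = {k: v[0] for k, v in parse_qs(urlsplit(authorize_url).query).items()}
    client_id = params.get("client_id", "")
    redirect_uri = params.get("redirect_uri", "")
    if not validator(client_id, redirect_uri):
        return None
    return redirect_uri + "?" + urlencode({"code": code, "state": params.get("state", "")})


def code_destination_host(redirect_url):
    """Which host ends up holding the authorization code, if any."""
    return urlsplit(redirect_url).hostname if redirect_url else None


if __name__ == "__main__":
    legit = build_authorize_url("acme-books", REGISTERED_REDIRECT_URIS["acme-books"], "xyz")
    tampered = tamper_redirect_uri(legit, "https://attacker.example.org/steal")
    for name, validator in (("lenient", accept_any_redirect_uri),
                            ("strict", accept_registered_redirect_uri)):
        print(name, "legit    ->", code_destination_host(issue_code_redirect(legit, validator)))
        print(name, "tampered ->", code_destination_host(issue_code_redirect(tampered, validator)))
```

With the lenient validator the tampered request delivers the code to the attacker's host; with the registered-URI check the server refuses to redirect at all, which is the property the proposed change buys. The same refusal applies to near misses such as the registered URI with a trailing slash or an extra path segment, because anything looser than exact comparison reopens the rewrite.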