Question

I've implemented an OAuth 1.0 provider following this specification, which should be the latest. The specification was amended to address the session fixation attack that was identified in 2009. The thing is, short of having to diff the two specifications I am unsure as to what measures were added/changed in the spec in response to the issue.

Since I implemented the "right" spec I am having a hard time explaining to stakeholders what measures I have taken to ameliorate the risks.

Anyone care to shed some light on the issue for me?


Solution

1.0a addresses a very specific attack described here:

http://hueniverse.com/2009/04/explaining-the-oauth-session-fixation-attack/

OTHER TIPS

  1. The oauth_callback parameter is now required in the request token generation step. The oauth_callback_accepted response parameter indicates OAuth 1.0a is being used.
  2. The oauth_verifier parameter is generated by the service provider during the authentication/consent phase.
  3. The oauth_verifier must be sent at the access token generation step.

See http://wiki.oauth.net/w/page/12238555/Signed%20Callback%20URLs for more details.
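The three measures above, modelled as an added Python example (not code from the question or either answer): an in-memory provider that enforces each step, plus a driver showing the normal flow and that an access-token exchange lacking the verifier is refused. The consumer key, callback URL and user name are constructed; the response flag uses the oauth_callback_confirmed name from RFC 5849, and signatures and token secrets are left out.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlsplit

class OAuth10aProvider:
    """In-memory model of the three 1.0a measures (constructed example, not a full provider)."""

    def __init__(self):
        self.request_tokens = {}  # oauth_token -> state for that request token

    def request_token(self, consumer_key, oauth_callback):
        # Measure 1: oauth_callback is mandatory, and the reply carries
        # oauth_callback_confirmed=true so the consumer knows 1.0a is in effect.
        if not oauth_callback:
            raise ValueError("oauth_callback is required")
        token = secrets.token_urlsafe(16)
        self.request_tokens[token] = {"consumer": consumer_key, "callback": oauth_callback,
                                      "verifier": None, "user": None}
        return {"oauth_token": token, "oauth_callback_confirmed": "true"}

    def authorize(self, token, user):
        # Measure 2: the provider mints oauth_verifier at consent time and hands it
        # back only via the callback registered in step 1 (through the user's browser).
        entry = self.request_tokens[token]
        if entry["verifier"] is not None:
            raise ValueError("request token already authorized")
        entry["verifier"] = secrets.token_urlsafe(8)
        entry["user"] = user
        return f"{entry['callback']}?oauth_token={token}&oauth_verifier={entry['verifier']}"

    def access_token(self, consumer_key, token, oauth_verifier):
        # Measure 3: no matching verifier, no access token; pop first so a failed exchange burns the token.
        entry = self.request_tokens.pop(token, None)
        if entry is None or entry["consumer"] != consumer_key or entry["verifier"] is None:
            raise PermissionError("unknown or unauthorized request token")
        if not hmac.compare_digest(entry["verifier"], oauth_verifier or ""):
            raise PermissionError("oauth_verifier mismatch")
        return {"oauth_token": secrets.token_urlsafe(16), "user": entry["user"]}

def run_flow(provider, verifier_override=None, consumer="app", callback="https://app.example/cb"):
    """Run the whole flow; returns the access token dict, or None if the provider refuses."""
    rt = provider.request_token(consumer, callback)
    redirect = provider.authorize(rt["oauth_token"], "alice")  # constructed user
    verifier = parse_qs(urlsplit(redirect).query)["oauth_verifier"][0]
    if verifier_override is not None:  # simulate an exchange that lacks the real verifier
        verifier = verifier_override
    try:
        return provider.access_token(consumer, rt["oauth_token"], verifier)
    except PermissionError:
        return None
```

The second point in the list is the one worth stressing to stakeholders: the verifier only reaches the consumer through the callback that was fixed at the request-token step, so whoever started the flow cannot complete it without it.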

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow