louisgray.com: Hey Twitter, It's Not Just a Worm, It's an App

  • Louis Gray · 11 months ago
  • robdiana · 11 months ago
    One of the big benefits of OAuth is that the user can say that an application only gets read access to the account. So, if the API and OAuth are done correctly, you can specify that a 3rd party application can only read your twitter stream, not send messages on your behalf. As you stated, it does not fix everything, but the security of OAuth definitely makes it harder for someone to completely take over your account.
  • GeekMommy · 11 months ago
    OAuth would help - but what will kill things like this is when they find out that it's not profitable... Twitter isn't a great place for the "follow this link!!" stuff. :)
  • Jesse Stay · 11 months ago
    Lucretia, I think there are definitely enough users to encourage it. The worm itself wouldn't have spread if no one clicked the link, so I think there are plenty of people that would make it worth the spammers' while. I don't expect it to go away, unless Twitter takes measures to make it go away.
  • GeekMommy · 11 months ago
    You have a point - now that we're on version 5 of the phishing scam, I have to admit that I have some very gullible or very trusting folks following me.
    :\
    You'd think we'd all have learned by now - don't trust strange links on the internet.
  • AnneHaynes · 11 months ago
    I knew it was just a matter of time before twitter would be hacked. I had no idea that twitter was so open with their house keys or in this case my username and password. Hopefully this will be a good lesson for developers everywhere to place more focus on security. Great article! Thanks!
  • Stiennon · 11 months ago
    Agree that OAuth raises the bar, but only slightly. First, you don't need no stinkin API to get into the original application, in this case Twitter. You call it screen scraping, but running a script against the site is easy to do using the credentials stolen from users. You can run the attack manually as most post-phishing attacks against banks are and just as the Twitter defacements of this morning.

    OAuth is not the way. Strong federated identity with one time password tokens is what it is going to take. In the meantime Twitter has to improve all of their security. Evidently they had an easily discoverable UI for resetting passwords that was hacked. Sheesh.

    -Stiennon
  • Jesse Stay · 11 months ago
    Stiennon, I agree a screen scrape wouldn't be very hard, but how are they going to obtain the credentials in the first place? They couldn't write a script to make users spread it for them, at least not as fast as they are with this worm. I argue that method would be much harder and take a longer time to do on a site like Twitter. I don't think the worm we're seeing today would still exist if OAuth were in place. And I have yet to see Alex suggest Federated Identity or one time passwords as a solution - his only response is, "OAuth doesn't work".
  • Tom · 11 months ago
    I have to agree with Stiennon on this one. OAuth needs to be implemented but only solves third-party interactions with your account. OAuth does nothing to prevent traditional phishing attacks where you as a human mistakenly give your credentials to a fake site. Just like with any social media service (Facebook/Myspace) I can manually log in with stolen credentials and DM/spam friends and contacts. OAuth is only good when a third-party application is using your credentials. Just like how FriendFeed uses the remote key solution for third-party authentications to FriendFeed. Having stolen FriendFeed credentials I can still log on to FriendFeed as the victim. The remote key doesn't stop this type of attack. Twitter needs two-factor token based authentication and OAuth for a complete solution.
  • Jesse Stay · 11 months ago
    Where this particular instance was a third-party attack however, you have to admit OAuth would have fixed this phishing attack. Twitter's repeated mention that it wouldn't have makes no sense.
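
The scope mechanism robdiana describes, and the limit Tom and Stiennon put on it, can be shown in a few lines of server-side code. The following is an added example, not code from the original post or from Twitter: a minimal resource-server check that looks up a bearer token and refuses write endpoints when the user granted the app read-only access. The scope names, endpoints, users, apps and token strings are all constructed for illustration, not Twitter's real API.

```python
"""Added example (not part of the original discussion): enforcing OAuth
scopes on a resource server. A read-only token never lets the app post,
and a token can be revoked without the user changing a password, because
the app never held the password in the first place."""

from dataclasses import dataclass

# Hypothetical scope vocabulary (assumption: these are not real Twitter scopes).
READ = "read"
WRITE = "write"

# Hypothetical endpoints and the scope each one requires.
ENDPOINT_SCOPES = {
    ("GET", "/statuses/home_timeline"): READ,
    ("POST", "/statuses/update"): WRITE,
    ("POST", "/direct_messages/new"): WRITE,
}


@dataclass
class AccessToken:
    token: str
    user: str          # account the user authorized
    app: str           # third-party app the token was issued to
    scopes: frozenset  # what the user agreed to at the authorization prompt


# Constructed token store. A real server looks tokens up in the authorization
# server's database; it never trusts scope claims supplied by the client.
TOKEN_STORE = {
    "tok-readonly-1": AccessToken("tok-readonly-1", "alice", "readerapp",
                                  frozenset({READ})),
    "tok-readwrite-1": AccessToken("tok-readwrite-1", "alice", "posterapp",
                                   frozenset({READ, WRITE})),
}


def authorize(method, path, bearer):
    """Return (allowed, reason) for a request carrying the given bearer token."""
    token = TOKEN_STORE.get(bearer)
    if token is None:
        return False, "invalid_token"
    required = ENDPOINT_SCOPES.get((method, path))
    if required is None:
        return False, "unknown_endpoint"
    if required not in token.scopes:
        # The app can read the stream but was never granted the right to post.
        return False, "insufficient_scope"
    return True, f"{token.app} acting for {token.user}"


def revoke(bearer):
    """Cut off one app's access without touching the user's password."""
    return TOKEN_STORE.pop(bearer, None) is not None
```

What the check does not cover is the thread's other point: if the victim types the real password into a fake login page, the attacker logs in as a first party with full rights, and no scope on any token is consulted. That is the gap Tom's two-factor suggestion is aimed at, and it is why scopes and a second factor address different attacks.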