louisgray.com: Twitter's OAuth Target Slipping Amid Increased Security Pressures

  • JanSimpson · 11 months ago
    Nice post - As a new twitter - phishing happens to every site - so no foul there - the difficulty I see in this posting is twofold:

    1. Twitter is such a sensational site and business plan - that most thought it would fail and wouldn't be as popular as it is - so there are those that want to see it fail in order for them to "be right"

    2. It is a real-time site which no other site has been able to accomplish - so phishing hits it harder than any other site - my take is that since it is a real-time site - phishing actually has a greater impact for those twitters not to open mail from people they don't know or they shouldn't click on links they know nothing about. In essence, it teaches people in real time, very quickly, the positive and negative lessons - so the phishers will no longer be effective on this site....next! Bitch about something else - people, twitter is good

    'nuff said.
  • ChangeForge | Ken Stewart · 11 months ago
    This issue of passwords is not an uncommon issue. I support many line-of-business applications that have moved to web-enabled platforms to improve customer applications. As many are built on COM, .Net, or other Microsoft platforms, it was a natural extension to build out of IIS.

    While IIS has improved its overall performance, many of the configuration scripts hosted on servers hold both user names and passwords to the secure database - where A LOT of customer information resides.

    While it is harder to penetrate this type of setup, properly executed code can in fact expose this. What saves the applications for the most part is that they are typically very niche and as such have a very low profile user community.

    With Twitter becoming more popular, they have discovered that many of their lesser-liked architectural issues become very apparent to the user community at large - just like Microsoft experiences and Apple is beginning to feel.

    The bottom line of this article is well taken, though. Users having to plug in their passwords is laughable, but a great work around for development companies on a shoestring budget.

    Who knows, but your point about being a great time to talk about security is true... in fact - EVERY time is a great time to circle back around and ensure you are doing a little house cleaning.
  • Dave Winer · 11 months ago
    Kevin, exactly the same can be done using domains w/o the complexity for apps.
  • Jeethu Rao · 11 months ago
    I don't use the Amazon iPhone app, but Alex's argument doesn't hold water. The app is distributed by Amazon; it isn't a 3rd-party app. I don't see anything wrong in it asking for the password from within the app. Of course it'd be a real wtf if the app sends the username & password unencrypted over the internet, which seems unlikely.
  • Jesse Stay · 11 months ago
    Jeethu that's a great point. I'm not sure what he's saying there - you should respond on the dev list. Alex's entire argument doesn't make sense, and I have yet to see anyone propose a solution that doesn't make more sense than OAuth.
  • Fred Brunel · 11 months ago
    Twitter should adopt something like FriendFeed's remote key as a short-term solution. Of course, it's not as complete as OAuth, but it's simple enough to implement and does the job.
  • Jesse Stay · 11 months ago
    Exactly, Fred. I have an unreleased API for one of my apps, and it took me only 2 hours to give users a way to authenticate. And if they abuse the system (aka phishing), it takes one database query and their entire app is shut down.
  • Mason Lee · 11 months ago
    How would OAuth APIs protect against today's phishing scam? This is a complete red herring.

    But regarding the quote from Alex-- is there more context to it? Clearly there's a significant security difference between the Amazon iPhone app storing the Amazon password locally on the phone and the many third-party Twitter services storing users' Twitter passwords in their databases. Surely Twitter understands the issue and the need for OAuth despite this quote?
  • Louis Gray · 11 months ago
    I believe the only person who can interpret Alex's comments perfectly is Alex. It's good to see they are looking at OAuth (finally) and sounds like the release is coming, but there have clearly been a series of delays after the promised date windows got missed.

    It is a red herring in terms of saying the phishing issue isn't 100% linked to OAuth as a solution, but it's got people thinking again about Twitter and security in general.
  • Jesse Stay · 11 months ago
    Mason, I don't think Louis said OAuth would protect against it. However, I do. OAuth provides a mechanism for providers to shut off the developers using it. With OAuth, and a manual approval process on apps (similar to how Facebook does), it wouldn't be hard for Twitter to track down the violating developer sending out these DMs and shut down their access to the API. OAuth provides a single point to kill the offender. Without it you're stuck chasing IPs.
  • Mason Lee · 11 months ago
    @Jessestay Neat! Except in this case, isn't the attack viral rather than app-based? Get one person's password, DM to phish all their friends' passwords, recurse. Would you suggest that Twitter abandon passwords altogether?

    @Louis Gray Well, anything to get people talking about security, I suppose. I care about this stuff, too, so I liked the post. Before Twitter recently enabled SSL APIs, I used to frequently answer "What are you doing?" with "Sending my Twitter password in base-64 encoded plaintext!" :)
  • Jesse Stay · 11 months ago
    Mason, the users aren't the ones sending the DMs. Something else is, on behalf of the users. That would make it an app, not user-propagated. The only thing the users are doing is logging into the site, giving the app their passwords to further spread the worm. The app is the thing doing the spreading though. It's doing so via the API, which currently Twitter has little control over.
  • Mitch · 11 months ago
    Great post - well documented and poignant.

    This Alex person is really showing his/her true qualities with that last quote. I would imagine that person is probably under a lot of pressure.
  • Rahsheen · 11 months ago
    Honestly, I have no clue what OAuth is and I don't really care. What I DO know is that I use many applications across the web. Most of these have an API in place so that they can interface with 3rd-party apps.

    As popular as Twitter is, it seems to be the only app out of these that requires me to tell 3rd party apps my password. I don't even have a secondary password or API key. I'm sure these guys are under pressure, but from a user standpoint, this just doesn't make sense.
  • jeneane · 11 months ago
    So.... no phone then?
  • Charlie Anzman · 11 months ago
    It was Twitter's simplicity, a large infusion of cash to make it stable, and then the hyper multi-media play (CNN, etc.) that increased activity on the service many called 'dead' last year at this time. There are lessons to be learned here. Once a product reaches a very high level of users, there will always be security concerns along the way.
  • Dave Winer · 11 months ago
    OAuth is over-complicated. You could do the same thing by validating specific domains to use your existing credentials. Twitter already does this when throttling apps to 100 requests per hour per IP address. Only realized this today when I got throttled.
  • Kevin Marks · 11 months ago
    OAuth is designed to let you choose what permissions you give to which domains, so you need per-user, per-domain tokens. It's also designed to be revocable.
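The revocation property that Jesse Stay and Kevin Marks describe above (a single point to cut off one app, per-user and per-app, without touching the password) is easy to see in a small model. The following is an added example, not code from the post, from Twitter, or from any OAuth library: it does not implement OAuth's request signing, only the delegation structure that matters for the argument. `Provider`, the user `alice` and the app names are constructed for illustration. It contrasts the shared-password model, where the provider cannot tell the apps apart, with a per-user, per-app token model, where disabling one app leaves the others working.

```python
import hashlib
import hmac
import secrets


class Provider:
    """Constructed stand-in for a service (e.g. a site like Twitter) that
    lets third-party apps act for a user either by reusing the user's
    password or by handing each app its own revocable token."""

    def __init__(self):
        self._users = {}          # user -> (salt, password hash)
        self._tokens = {}         # token -> {"user", "app", "revoked"}
        self._disabled_apps = set()

    @staticmethod
    def _hash(salt, password):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def register_user(self, user, password):
        salt = secrets.token_bytes(16)
        self._users[user] = (salt, self._hash(salt, password))

    def change_password(self, user, password):
        self.register_user(user, password)

    def check_password(self, user, password):
        if user not in self._users:
            return False
        salt, digest = self._users[user]
        return hmac.compare_digest(digest, self._hash(salt, password))

    # Shared-password model: the app presents the user's password itself.
    # Every app looks the same to the provider, so nothing can be singled out.
    def act_with_password(self, user, password):
        return self.check_password(user, password)

    # Token model: the user logs in at the provider, which issues an opaque
    # token bound to (user, app). The app never sees the password.
    def issue_token(self, user, app, password):
        if not self.check_password(user, password):
            raise PermissionError("bad credentials")
        token = secrets.token_urlsafe(32)
        self._tokens[token] = {"user": user, "app": app, "revoked": False}
        return token

    def act_with_token(self, token):
        rec = self._tokens.get(token)
        if rec is None or rec["revoked"] or rec["app"] in self._disabled_apps:
            return None
        return rec["user"]

    def revoke_token(self, token):
        """The user withdraws one app's access; other apps are unaffected."""
        if token in self._tokens:
            self._tokens[token]["revoked"] = True

    def disable_app(self, app):
        """The provider's single kill switch for an abusive app."""
        self._disabled_apps.add(app)


APPS = ("photo-app", "client-a", "abusive-app")   # constructed names


def shared_password_scenario():
    """Three apps hold the password; one turns abusive. The only remedy is a
    password change, which also cuts off the two honest apps."""
    p = Provider()
    p.register_user("alice", "correct horse")
    before = {app: p.act_with_password("alice", "correct horse") for app in APPS}
    p.change_password("alice", "battery staple")   # user's only option
    after = {app: p.act_with_password("alice", "correct horse") for app in APPS}
    return before, after


def token_scenario():
    """Each app gets its own token. Disabling the abusive app, or the user
    revoking one token, leaves the other apps and the password untouched."""
    p = Provider()
    p.register_user("alice", "correct horse")
    tokens = {app: p.issue_token("alice", app, "correct horse") for app in APPS}
    p.disable_app("abusive-app")                   # provider-side kill switch
    p.revoke_token(tokens["client-a"])             # user-side revocation
    acting = {app: p.act_with_token(t) for app, t in tokens.items()}
    return acting, p.check_password("alice", "correct horse")


if __name__ == "__main__":
    print("shared password:", shared_password_scenario())
    print("per-app tokens:", token_scenario())
```

In the shared-password run every app succeeds before the password change and every app fails after it; in the token run only `photo-app` still acts as `alice`, while the disabled app and the revoked token are refused and the password still verifies. The provider never had to "chase IPs", which is the point made in the comments above.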
  • zafarali · 10 months ago
    Any links on where you found it?
  • kureng · 2 months ago
    I hate giving my Twitter password to any other sites or apps, so to track which Twitter apps use OAuth I created http://twitoauth.com, which shows any Twitter apps that provide login using OAuth.