<?xml version="1.0" encoding="utf-8"?>
<rss xmlns:atom="http://www.w3.org/2005/Atom" version="2.0">
<channel>
<title>louisgray.com - Latest Comments in louisgray.com: Twitter's OAuth Target Slipping Amid Increased Security Pressures</title>
<link>http://louisgray.disqus.com/</link>
<description>A Silicon Valley Blog for Early Adopters and Tech Geeks</description>
<atom:link href="https://louisgray.disqus.com/louisgraycom_twitters_oauth_target_slipping_amid_increased_security_pressures/latest.rss" rel="self"></atom:link>
<language>en</language>
<lastBuildDate>Fri, 25 Sep 2009 02:50:46 -0000</lastBuildDate>
<item>
<title>Re: louisgray.com: Twitter's OAuth Target Slipping Amid Increased Security Pressures</title>
<link>http://blog.louisgray.com/2009/01/twitters-oauth-target-slipping-amid.html#comment-17360147</link>
<description>&lt;p&gt;I hate giving my Twitter password to any other sites or apps, so to track which Twitter apps are using OAuth I created &lt;a href="http://twitoauth.com" rel="nofollow noopener" target="_blank" title="http://twitoauth.com"&gt;http://twitoauth.com&lt;/a&gt;, which shows any Twitter apps that provide login using OAuth.&lt;/p&gt;</description>
<dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">kureng</dc:creator>
<pubDate>Fri, 25 Sep 2009 02:50:46 -0000</pubDate>
</item>
<item>
<title>Re: louisgray.com: Twitter's OAuth Target Slipping Amid Increased Security Pressures</title>
<link>http://blog.louisgray.com/2009/01/twitters-oauth-target-slipping-amid.html#comment-6203381</link>
<description>&lt;p&gt;Any links on where you found it?&lt;/p&gt;</description>
<dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">zafarali</dc:creator>
<pubDate>Thu, 12 Feb 2009 05:33:05 -0000</pubDate>
</item>
<item>
<title>Re: louisgray.com: Twitter's OAuth Target Slipping Amid Increased Security Pressures</title>
<link>http://blog.louisgray.com/2009/01/twitters-oauth-target-slipping-amid.html#comment-4925115</link>
<description>&lt;p&gt;Nice post - As a new twitter - phishing happens to every site - so no foul there - the difficulty I see in this posting is twofold:&lt;/p&gt;&lt;p&gt;1. Twitter is such a sensational site and business plan - that most thought it would fail and wouldn't be as popular as it is - so there are those that want to see it fail in order for them to "be right"&lt;/p&gt;&lt;p&gt;2. It is a real-time site, which no other site has been able to accomplish - so phishing hits it harder than any other site - my take is that since it is a real-time site, phishing actually has a greater impact in teaching those twitters not to open mail from people they don't know, or not to click on links they know nothing about. In essence, it teaches people in real time, very quickly, the positive and negative lessons - so the phishers will no longer be effective on this site....next! Bitch about something else - people, twitter is good&lt;/p&gt;&lt;p&gt;'nuff said.&lt;/p&gt;</description>
<dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">JanSimpson</dc:creator>
<pubDate>Mon, 05 Jan 2009 22:32:28 -0000</pubDate>
</item>
<item>
<title>Re: louisgray.com: Twitter's OAuth Target Slipping Amid Increased Security Pressures</title>
<link>http://blog.louisgray.com/2009/01/twitters-oauth-target-slipping-amid.html#comment-4914724</link>
<description>&lt;p&gt;This issue of passwords is not an uncommon issue. I support many line-of-business applications that have moved to web-enabled platforms to improve customer applications. As many are built on COM, .Net, or other Microsoft platforms, it was a natural extension to build out of IIS.&lt;/p&gt;&lt;p&gt;While IIS has improved its overall performance, many of the configuration scripts hosted on servers hold both user names and passwords to the secure database - where A LOT of customer information resides.&lt;/p&gt;&lt;p&gt;While it is harder to penetrate this type of setup, properly executed code can in fact expose this. What saves the applications for the most part is that they are typically very niche and as such have a very low-profile user community.&lt;/p&gt;&lt;p&gt;With Twitter becoming more popular, they have discovered that many of their lesser-liked architectural issues become very apparent to the user community at large - just like Microsoft experiences and Apple is beginning to feel.&lt;/p&gt;&lt;p&gt;The bottom line of this article is well taken, though. Users having to plug in their passwords is laughable, but a great workaround for development companies on a shoestring budget.&lt;/p&gt;&lt;p&gt;Who knows, but your point about being a great time to talk about security is true... in fact - EVERY time is a great time to circle back around and ensure you are doing a little house cleaning.&lt;/p&gt;</description>
<dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">ChangeForge | Ken Stewart</dc:creator>
<pubDate>Mon, 05 Jan 2009 14:42:35 -0000</pubDate>
</item>
<item>
<title>Re: louisgray.com: Twitter's OAuth Target Slipping Amid Increased Security Pressures</title>
<link>http://blog.louisgray.com/2009/01/twitters-oauth-target-slipping-amid.html#comment-4891281</link>
<description>&lt;p&gt;@Jessestay Neat! Except in this case, isn't the attack viral rather than app-based? Get one person's password, DM to phish all their friends' passwords, recurse. Would you suggest that Twitter abandon passwords altogether?&lt;/p&gt;&lt;p&gt;@Louis Gray Well, anything to get people talking about security, I suppose. I care about this stuff, too, so liked the post. Before Twitter recently enabled SSL APIs, I used to frequently answer "What are you doing?" with "Sending my Twitter password in base-64 encoded plaintext!" :)&lt;/p&gt;</description>
<dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Mason Lee</dc:creator>
<pubDate>Mon, 05 Jan 2009 06:53:19 -0000</pubDate>
</item>
<item>
<title>Re: louisgray.com: Twitter's OAuth Target Slipping Amid Increased Security Pressures</title>
<link>http://blog.louisgray.com/2009/01/twitters-oauth-target-slipping-amid.html#comment-4891580</link>
<description>&lt;p&gt;Mason, the users aren't the ones sending the DMs. Something else is, on behalf of the users. That would make it an app, not user-propagated. The only thing the users are doing is logging into the site, giving the app their passwords to further spread the worm. The app is the thing doing the spreading though. It's doing so via the API, which currently Twitter has little control over.&lt;/p&gt;</description>
<dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Jesse Stay</dc:creator>
<pubDate>Mon, 05 Jan 2009 06:17:13 -0000</pubDate>
</item>
<item>
<title>Re: louisgray.com: Twitter's OAuth Target Slipping Amid Increased Security Pressures</title>
<link>http://blog.louisgray.com/2009/01/twitters-oauth-target-slipping-amid.html#comment-4944837</link>
<description>&lt;p&gt;Kevin, exactly the same can be done using domains w/o the complexity for apps.&lt;/p&gt;</description>
<dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Dave Winer</dc:creator>
<pubDate>Mon, 05 Jan 2009 06:04:00 -0000</pubDate>
</item>
<item>
<title>Re: louisgray.com: Twitter's OAuth Target Slipping Amid Increased Security Pressures</title>
<link>http://blog.louisgray.com/2009/01/twitters-oauth-target-slipping-amid.html#comment-4944836</link>
<description>&lt;p&gt;OAuth is designed to let you choose what permissions you give to which domains, so you need per-user, per-domain tokens. It's also designed to be revocable.&lt;/p&gt;</description>
<dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Kevin Marks</dc:creator>
<pubDate>Mon, 05 Jan 2009 06:00:00 -0000</pubDate>
</item>
<item>
<title>Re: louisgray.com: Twitter's OAuth Target Slipping Amid Increased Security Pressures</title>
<link>http://blog.louisgray.com/2009/01/twitters-oauth-target-slipping-amid.html#comment-4944835</link>
<description>&lt;p&gt;OAuth is over-complicated. You could do the same thing by validating specific domains to use your existing credentials. Twitter already does this when throttling apps to 100 requests per hour per IP address. Only realized this today when I got throttled.&lt;/p&gt;</description>
<dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Dave Winer</dc:creator>
<pubDate>Mon, 05 Jan 2009 05:57:00 -0000</pubDate>
</item>
<item>
<title>Re: louisgray.com: Twitter's OAuth Target Slipping Amid Increased Security Pressures</title>
<link>http://blog.louisgray.com/2009/01/twitters-oauth-target-slipping-amid.html#comment-4944834</link>
<description>&lt;p&gt;It was Twitter's simplicity, a large infusion of cash to make it stable, and then the hyper multi-media play (CNN, etc.) that increased activity on the service many called 'dead' last year at this time. There are lessons to be learned here. Once a product reaches a very high level of users, there will always be security concerns along the way.&lt;/p&gt;</description>
<dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Charlie Anzman</dc:creator>
<pubDate>Mon, 05 Jan 2009 04:14:00 -0000</pubDate>
</item>
<item>
<title>Re: louisgray.com: Twitter's OAuth Target Slipping Amid Increased Security Pressures</title>
<link>http://blog.louisgray.com/2009/01/twitters-oauth-target-slipping-amid.html#comment-4889576</link>
<description>&lt;p&gt;so.... no phone then?&lt;/p&gt;</description>
<dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">jeneane</dc:creator>
<pubDate>Mon, 05 Jan 2009 02:37:00 -0000</pubDate>
</item>
<item>
<title>Re: louisgray.com: Twitter's OAuth Target Slipping Amid Increased Security Pressures</title>
<link>http://blog.louisgray.com/2009/01/twitters-oauth-target-slipping-amid.html#comment-4889560</link>
<description>&lt;p&gt;Honestly, I have no clue what OAuth is and I don't really care. What I DO know is that I use many applications across the web. Most of these have an API in place so that they can interface with 3rd-party apps.&lt;/p&gt;&lt;p&gt;As popular as Twitter is, it seems to be the only app out of these that requires me to tell 3rd-party apps my password. I don't even have a secondary password or API key. I'm sure these guys are under pressure, but from a user standpoint, this just doesn't make sense.&lt;/p&gt;</description>
<dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Rahsheen</dc:creator>
<pubDate>Mon, 05 Jan 2009 02:34:34 -0000</pubDate>
</item>
<item>
<title>Re: louisgray.com: Twitter's OAuth Target Slipping Amid Increased Security Pressures</title>
<link>http://blog.louisgray.com/2009/01/twitters-oauth-target-slipping-amid.html#comment-4889489</link>
<description>&lt;p&gt;Great post - well documented and poignant.&lt;/p&gt;&lt;p&gt;This Alex person is really showing his/her true qualities with that last quote. I would imagine that person is probably under a lot of pressure.&lt;/p&gt;</description>
<dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Mitch</dc:creator>
<pubDate>Mon, 05 Jan 2009 02:24:11 -0000</pubDate>
</item>
<item>
<title>Re: louisgray.com: Twitter's OAuth Target Slipping Amid Increased Security Pressures</title>
<link>http://blog.louisgray.com/2009/01/twitters-oauth-target-slipping-amid.html#comment-4889441</link>
<description>&lt;p&gt;Mason, I don't think Louis said OAuth would protect against it. However, I do. OAuth provides a mechanism for providers to shut off the developers using it. With OAuth, and a manual approval process on apps (similar to how Facebook does), it wouldn't be hard for Twitter to track down the violating developer sending out these DMs, and shut down their access to the API. OAuth provides a single point to kill the offender. Without it you're stuck chasing IPs.&lt;/p&gt;</description>
<dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Jesse Stay</dc:creator>
<pubDate>Mon, 05 Jan 2009 02:17:46 -0000</pubDate>
</item>
<item>
<title>Re: louisgray.com: Twitter's OAuth Target Slipping Amid Increased Security Pressures</title>
<link>http://blog.louisgray.com/2009/01/twitters-oauth-target-slipping-amid.html#comment-4889430</link>
<description>&lt;p&gt;I believe the only person who can interpret Alex's comments perfectly is Alex. It's good to see they are looking at OAuth (finally) and it sounds like the release is coming, but there have clearly been a series of delays after the promised date windows got missed.&lt;/p&gt;&lt;p&gt;It is a red herring in terms of saying the phishing issue isn't 100% linked to OAuth as a solution, but it's got people thinking again about Twitter and security in general.&lt;/p&gt;</description>
<dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Louis Gray</dc:creator>
<pubDate>Mon, 05 Jan 2009 02:15:23 -0000</pubDate>
</item>
<item>
<title>Re: louisgray.com: Twitter's OAuth Target Slipping Amid Increased Security Pressures</title>
<link>http://blog.louisgray.com/2009/01/twitters-oauth-target-slipping-amid.html#comment-4889382</link>
<description>&lt;p&gt;How would OAuth APIs protect against today's phishing scam? This is a complete red herring.&lt;/p&gt;&lt;p&gt;But regarding the quote from Alex -- is there more context to it? Clearly there's a significant security difference between the Amazon iPhone app storing the Amazon password locally on the phone and the many third-party Twitter services storing users' Twitter passwords in their databases. Surely Twitter understands the issue and the need for OAuth despite this quote?&lt;/p&gt;</description>
<dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Mason Lee</dc:creator>
<pubDate>Mon, 05 Jan 2009 02:09:00 -0000</pubDate>
</item>
<item>
<title>Re: louisgray.com: Twitter's OAuth Target Slipping Amid Increased Security Pressures</title>
<link>http://blog.louisgray.com/2009/01/twitters-oauth-target-slipping-amid.html#comment-4888578</link>
<description>&lt;p&gt;Exactly, Fred. I have an unreleased API for one of my apps, and it took me only 2 hours to give users a way to authenticate. And if they abuse the system (aka phishing), it takes one database query and their entire app is shut down.&lt;/p&gt;</description>
<dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Jesse Stay</dc:creator>
<pubDate>Mon, 05 Jan 2009 00:32:23 -0000</pubDate>
</item>
<item>
<title>Re: louisgray.com: Twitter's OAuth Target Slipping Amid Increased Security Pressures</title>
<link>http://blog.louisgray.com/2009/01/twitters-oauth-target-slipping-amid.html#comment-4888539</link>
<description>&lt;p&gt;Twitter should adopt something like FriendFeed's remote key as a short-term solution. Of course, it's not as complete as OAuth, but it's simple enough to implement and does the job.&lt;/p&gt;</description>
<dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Fred Brunel</dc:creator>
<pubDate>Mon, 05 Jan 2009 00:27:46 -0000</pubDate>
</item>
<item>
<title>Re: louisgray.com: Twitter's OAuth Target Slipping Amid Increased Security Pressures</title>
<link>http://blog.louisgray.com/2009/01/twitters-oauth-target-slipping-amid.html#comment-4888132</link>
<description>&lt;p&gt;Jeethu, that's a great point. I'm not sure what he's saying there - you should respond on the dev list. Alex's entire argument doesn't make sense, and I have yet to see anyone propose a solution that doesn't make more sense than OAuth.&lt;/p&gt;</description>
<dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Jesse Stay</dc:creator>
<pubDate>Sun, 04 Jan 2009 23:44:14 -0000</pubDate>
</item>
<item>
<title>Re: louisgray.com: Twitter's OAuth Target Slipping Amid Increased Security Pressures</title>
<link>http://blog.louisgray.com/2009/01/twitters-oauth-target-slipping-amid.html#comment-4887857</link>
<description>&lt;p&gt;I don't use the Amazon iPhone app, but Alex's argument doesn't hold water. The app is distributed by Amazon, it isn't a 3rd-party app, and I don't see anything wrong in it asking for the password from within the app. Of course it'd be a real wtf if the app sends the username &amp;amp; password unencrypted over the internet, which seems unlikely.&lt;/p&gt;</description>
<dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Jeethu Rao</dc:creator>
<pubDate>Sun, 04 Jan 2009 23:19:34 -0000</pubDate>
</item>
</channel>
</rss>