Schneier on Security
A blog covering security and security technology.

September 10, 2010

Problems with Twitter's OAuth Authentication System

Interesting case study.

EDITED TO ADD (9/14): A rebuttal and more info.

Posted on September 10, 2010 at 6:22 AM • 6 Comments

Comments

Ben Brockert • September 10, 2010 9:19 AM

"He talks too much, he's entertaining, and his points are basically correct."

One of the lamest rebuttals I've seen.

Mace Moneta • September 10, 2010 9:31 AM

I just recently converted a small script to use OAuth. In practice, it's little more than a secondary, application-specific userid and password. The only advantage that I could see is that when you are compromised you can identify the application that was the entry point of the attack.

The keys, whether internal to the application or external, still need to be accessible to the application. There's no more security than a userid and password - it's just considerably more cumbersome to use in practice.

This is the step-by-step guide I used, by the way, if you want to see the process: http://jmillerinc.com/2010/05/31/...

OAuth just appears to be an obfuscation of an otherwise simple userid, password, and application ID.

Smail • September 10, 2010 10:02 AM

Interesting that he mentions customers switching away from compromised clients. Something similar has been happening over the last two weeks as many people found their Twitter apps of choice hadn't been updated to deal with OAuth. Lots of complaining that "my twitter app stopped working" and people quickly downloading another to use in its place.

Pete • September 13, 2010 5:42 AM

The attempt to use a "device key" in software seems to be the problem; it's fundamentally a bad idea and doesn't seem to gain them anything.
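As an added illustration of the point Mace Moneta and Pete make above (this is example code written for this page, not code from the post, the linked article, Twitter or any OAuth library): the OAuth 1.0a HMAC-SHA1 signature defined in RFC 5849 takes the consumer secret as a direct input to the signing key. Whatever computes the signature must hold that secret, so a desktop or mobile client that signs its own requests carries it, and the server can use the consumer key only to identify which application a request claims to come from, not to authenticate that application. The endpoint URL, key names and secret values below are constructed sample values.

```python
import base64
import hashlib
import hmac
import urllib.parse


def oauth_encode(value: str) -> str:
    """Percent-encode per RFC 5849 section 3.6: only unreserved characters survive."""
    return urllib.parse.quote(str(value), safe="-._~")


def signature_base_string(method: str, url: str, params: dict) -> str:
    """Build the signature base string of RFC 5849 section 3.4.1.

    params holds every oauth_* protocol parameter plus the request's own
    query/body parameters, but never oauth_signature itself.
    """
    pairs = sorted((oauth_encode(k), oauth_encode(v)) for k, v in params.items())
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), oauth_encode(url), oauth_encode(normalized)])


def hmac_sha1_signature(base_string: str, consumer_secret: str, token_secret: str = "") -> str:
    """RFC 5849 section 3.4.2: the HMAC key is consumer_secret & token_secret.

    The consumer secret is a mandatory input here, which is why a client that
    signs its own requests must have it on the machine running the client.
    """
    key = f"{oauth_encode(consumer_secret)}&{oauth_encode(token_secret)}".encode()
    digest = hmac.new(key, base_string.encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()


def sign_request(method, url, params, consumer_secret, token_secret=""):
    """Client side: return a copy of params with oauth_signature added."""
    signed = dict(params)
    base = signature_base_string(method, url, params)
    signed["oauth_signature"] = hmac_sha1_signature(base, consumer_secret, token_secret)
    return signed


def verify_request(method, url, signed_params, consumer_secret, token_secret=""):
    """Server side: recompute the signature and compare it in constant time."""
    presented = signed_params.get("oauth_signature")
    if presented is None:
        return False
    unsigned = {k: v for k, v in signed_params.items() if k != "oauth_signature"}
    base = signature_base_string(method, url, unsigned)
    expected = hmac_sha1_signature(base, consumer_secret, token_secret)
    return hmac.compare_digest(presented, expected)


# Constructed sample values; not real Twitter endpoints, keys or secrets.
METHOD = "GET"
URL = "https://api.example.test/1/statuses/home_timeline.json"
PARAMS = {
    "count": "20",
    "oauth_consumer_key": "constructed_consumer_key",
    "oauth_nonce": "abc123",
    "oauth_signature_method": "HMAC-SHA1",
    "oauth_timestamp": "1284100000",
    "oauth_token": "constructed_user_token",
    "oauth_version": "1.0",
}
CONSUMER_SECRET = "constructed_consumer_secret"  # ships inside the client binary
TOKEN_SECRET = "constructed_token_secret"        # per-user, issued at authorization


def demo():
    """Sign as the client would, then verify as the server would.

    Returns (accepted_with_the_app_secret, accepted_under_a_different_app_secret).
    """
    signed = sign_request(METHOD, URL, PARAMS, CONSUMER_SECRET, TOKEN_SECRET)
    ok = verify_request(METHOD, URL, signed, CONSUMER_SECRET, TOKEN_SECRET)
    # Verified against another application's consumer secret the same request
    # fails: the consumer secret is the only thing tying a request to an app
    # identity, so whoever holds it can present that identity.
    other = verify_request(METHOD, URL, signed, "some_other_apps_secret", TOKEN_SECRET)
    return ok, other


if __name__ == "__main__":
    print(demo())
```

Run it directly and `demo()` returns `(True, False)`. The design point for a verifier is the second value: a consumer key whose secret is embedded in distributed client software should be treated as a label for logging and rate limiting, not as proof of which program sent the request.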
John • September 13, 2010 12:34 PM Not only did they mess up the implementation, they left a back-door... If you want to continue using basic auth in your twitter feeds, simply add "?source=twitterandroid" to the feed url. See http://blog.nelhage.com/2010/09/dear-twitter/ for details.
Powered by Movable Type. Photo at top by Geoffrey Stone.
Schneier.com is a personal website. Opinions expressed are not necessarily those of BT.