Schneier on Security
A blog covering security and security technology.
« Orange Balls as an Anti-Robbery Device |
| The Onion on National Security »
September 10, 2010
Problems with Twitter's OAuth Authentication System
Interesting case study.
EDITED TO ADD (9/14): A rebuttal and more info.
Posted on September 10, 2010 at 6:22 AM
• 6 Comments
To receive these entries once a month by e-mail, sign up for the Crypto-Gram Newsletter.
"He talks too much, he's entertaining, and his points are basically correct." One of the lamest rebuttals I've seen.
I just recently converted a small script to use oauth. In practice, it's little more than a secondary, application specific, userid and password.
The only advantage that I could see is that when you are compromised you can identify the application that was the entry point of the attack.
The keys, whether internal to the application or external, still need to be accessible to the application. There's no more security than a userid and password - it's just considerably more cumbersome to use in practice.
This is the step-by-step guide I used by the way, if you want to see the process:
Oauth just appears to be an obfuscation of an otherwise simple userid, password, and application ID.
Interesting that he mentions customers switching away from compromised clients. Something similar has been happening over the last two weeks as many people found their twitter apps of choice hadn't been updated to deal with oauth. Lots of complaining that "my twitter app stopped working" and people quickly downloading another to use in its place.
The attempt to use a "device key" in software seems to be the problem; it's fundamentally a bad idea and doesn't seem to gain them anything.
Not only did they mess up the implementation, they left a back-door... If you want to continue using basic auth in your twitter feeds, simply add "?source=twitterandroid" to the feed url. See http://blog.nelhage.com/2010/09/dear-twitter/ for details.
Schneier.com is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc.