Problems with Twitter's OAuth Authentication System
Interesting case study.
Ben Brockert • September 10, 2010 9:19 AM
“He talks too much, he’s entertaining, and his points are basically correct.” One of the lamest rebuttals I’ve seen.
Mace Moneta • September 10, 2010 9:31 AM
I just recently converted a small script to use OAuth. In practice, it’s little more than a secondary, application specific, userid and password.
The only advantage that I could see is that when you are compromised you can identify the application that was the entry point of the attack.
The keys, whether internal to the application or external, still need to be accessible to the application. There’s no more security than a userid and password – it’s just considerably more cumbersome to use in practice.
This is the step-by-step guide I used by the way, if you want to see the process:
http://jmillerinc.com/2010/05/31/twitter-from-the-command-line-in-python-using-oauth/
OAuth just appears to be an obfuscation of an otherwise simple userid, password, and application ID.
Smail • September 10, 2010 10:02 AM
Interesting that he mentions customers switching away from compromised clients. Something similar has been happening over the last two weeks as many people found their Twitter apps of choice hadn’t been updated to deal with OAuth. Lots of complaining that “my Twitter app stopped working” and people quickly downloading another to use in its place.
Pete • September 13, 2010 5:42 AM
The attempt to use a “device key” in software seems to be the problem; it’s fundamentally a bad idea and doesn’t seem to gain them anything.
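The point Mace Moneta and Pete are making, that an OAuth 1.0a consumer secret embedded in a distributed program is just another password the program has to be able to read, can be seen directly in the signing math. The following is an added example written for this page; it is not code from the post, from Twitter, or from the linked command-line guide. It implements RFC 5849 HMAC-SHA1 signing and the matching server-side check; the endpoint URL, keys and secrets are made-up placeholders. Any two programs that hold the same consumer key and secret produce requests the server verifies identically, so the consumer key identifies the credential set, not the program that used it.

```python
"""OAuth 1.0a request signing (RFC 5849, HMAC-SHA1) and the server-side check.

Added example, not code from the original post or from Twitter. The endpoint
URL, keys and secrets below are made-up placeholders.
"""
import base64
import hashlib
import hmac
import secrets
import time
from urllib.parse import quote


def pct(value):
    """RFC 3986 percent-encoding as OAuth 1.0 requires: only A-Z a-z 0-9 - . _ ~ stay bare."""
    return quote(str(value), safe="-._~")


def base_string(method, url, params):
    """Signature base string: METHOD & enc(base URL) & enc(normalized parameters).

    Every key and value is encoded first, then the pairs are sorted and joined with '&'.
    """
    pairs = sorted((pct(k), pct(v)) for k, v in params.items())
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), pct(url), pct(normalized)])


def sign(method, url, params, consumer_secret, token_secret=""):
    """HMAC-SHA1 over the base string, keyed with enc(consumer secret) & enc(token secret).

    Whatever holds the consumer secret can compute this; the signature proves possession
    of the secrets, nothing about which binary ran the code.
    """
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    mac = hmac.new(key, base_string(method, url, params).encode(), hashlib.sha1).digest()
    return base64.b64encode(mac).decode()


def build_oauth_params(method, url, query, consumer_key, consumer_secret,
                       token, token_secret, nonce=None, timestamp=None):
    """Client side: the oauth_* protocol parameters for one request, signature included."""
    oauth = {
        "oauth_consumer_key": consumer_key,
        "oauth_nonce": nonce or secrets.token_hex(8),
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_timestamp": timestamp or str(int(time.time())),
        "oauth_token": token,
        "oauth_version": "1.0",
    }
    oauth["oauth_signature"] = sign(method, url, {**query, **oauth}, consumer_secret, token_secret)
    return oauth


def authorization_header(oauth):
    """Serialize the protocol parameters as an 'Authorization: OAuth ...' header value."""
    return "OAuth " + ", ".join(f'{pct(k)}="{pct(v)}"' for k, v in sorted(oauth.items()))


def verify(method, url, query, oauth, consumer_secret, token_secret):
    """Server side: recompute the signature from the request and compare in constant time.

    The server looks up the secrets by oauth_consumer_key and oauth_token; that lookup
    is the only link between a request and an 'application'.
    """
    supplied = oauth.get("oauth_signature", "")
    unsigned = {k: v for k, v in oauth.items() if k != "oauth_signature"}
    expected = sign(method, url, {**query, **unsigned}, consumer_secret, token_secret)
    return hmac.compare_digest(supplied, expected)


# Constructed placeholder values; none of these is a real key, token or endpoint.
URL = "https://api.example.invalid/1/statuses/update.json"
CONSUMER_KEY, CONSUMER_SECRET = "app-consumer-key", "app-consumer-secret"
TOKEN, TOKEN_SECRET = "user-access-token", "user-token-secret"


def demo():
    """Two unrelated programs holding the same consumer credentials verify identically."""
    query = {"status": "hello from oauth"}
    from_official_app = build_oauth_params("POST", URL, query, CONSUMER_KEY, CONSUMER_SECRET,
                                           TOKEN, TOKEN_SECRET)
    from_other_program = build_oauth_params("POST", URL, query, CONSUMER_KEY, CONSUMER_SECRET,
                                            TOKEN, TOKEN_SECRET)
    tampered = {"status": "a different message"}  # body changed after signing
    return {
        "official_verifies": verify("POST", URL, query, from_official_app, CONSUMER_SECRET, TOKEN_SECRET),
        "other_verifies": verify("POST", URL, query, from_other_program, CONSUMER_SECRET, TOKEN_SECRET),
        "tampered_rejected": not verify("POST", URL, tampered, from_official_app, CONSUMER_SECRET, TOKEN_SECRET),
        "wrong_secret_rejected": not verify("POST", URL, query, from_other_program, "guess", TOKEN_SECRET),
    }


if __name__ == "__main__":
    params = build_oauth_params("POST", URL, {"status": "hi"}, CONSUMER_KEY, CONSUMER_SECRET,
                                TOKEN, TOKEN_SECRET)
    print(authorization_header(params))
    print(demo())
```

Running the file prints a sample Authorization header and a result dictionary in which both clients verify, a modified body is rejected, and a wrong consumer secret is rejected. The consumer key on its own therefore only tells the server which secret was used; nonces and timestamps limit replay of a captured request but do nothing to tie the secret to one program.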
John • September 13, 2010 12:34 PM
Not only did they mess up the implementation, they left a back-door… If you want to continue using basic auth in your Twitter feeds, simply add “?source=twitterandroid” to the feed url. See http://blog.nelhage.com/2010/09/dear-twitter/ for details.
Luke Morton • September 10, 2010 8:28 AM
A rebuttal from Eran Hammer-Lahav (an OAuth contributor):
http://hueniverse.com/2010/09/all-this-twitter-oauth-security-nonsense/