Twitter's private OAuth login keys, used by the website's official applications to get preferential treatment from the micro-blogging site, have apparently been leaked. The secret credentials could now allow any software to masquerade as an approved Twitter client. A set of key pairs uploaded to GitHub are supposedly used by …
The Internet does seem to sort itself out
The Internetwork is alive and always seems to seek equilibrium.
Sigh. Giving access to the keys, to the people that you want to tell how to live their computer life, in any form - no matter how encrypted, obscured, or otherwise, is a sure-fire way to defeat those mechanisms in the long run.
DRM is the longest running and most prominent example, but hidden authorisation keys in apps? Please, I thought we'd moved on from the early MSN betas.
As soon as you have to give people that information for them to connect, it's in the public domain. If that information gives them access to something you didn't want, that access is in the public domain. Might take a while to find it, but it will be found. CSS, AACS, Securom, etc. - whatever you do along these lines will not last long.
If Twitter don't already realise that, it makes you wonder how they know enough to do business in IT at all.
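As an added illustration of the point made above (this is example code, not code from the article, the commenter, or Twitter): a minimal OAuth 1.0a HMAC-SHA1 signer and verifier following RFC 5849. It shows that the resource server can only confirm that whoever signed the request holds the consumer secret; it has no way to tell which program did the signing, so a key pair shipped inside a client binary is not an identity. The consumer key, secrets, user token, URL and the registry are constructed placeholders.

```python
import base64
import hashlib
import hmac
import urllib.parse

# Constructed placeholders: a hypothetical registry such as a resource server keeps.
CONSUMER_REGISTRY = {
    "OFFICIAL_APP_KEY_PLACEHOLDER": ("official-secret-placeholder", "Official client (placeholder)"),
}
TOKEN_SECRETS = {"user-token-placeholder": "user-token-secret-placeholder"}


def pct(s: str) -> str:
    # RFC 5849 section 3.6: only unreserved characters are left unencoded
    return urllib.parse.quote(s, safe="-._~")


def signature_base_string(method: str, url: str, params: dict) -> str:
    # RFC 5849 section 3.4.1: encode, sort, join, then encode the whole param string again
    encoded = sorted((pct(k), pct(v)) for k, v in params.items())
    param_str = "&".join(f"{k}={v}" for k, v in encoded)
    return "&".join([method.upper(), pct(url), pct(param_str)])


def sign(method: str, url: str, params: dict, consumer_secret: str, token_secret: str = "") -> str:
    # RFC 5849 section 3.4.2: HMAC-SHA1 keyed with "consumer_secret&token_secret"
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    base = signature_base_string(method, url, params).encode()
    return base64.b64encode(hmac.new(key, base, hashlib.sha1).digest()).decode()


def server_verify(method: str, url: str, params: dict, signature: str):
    """Recompute the signature as the server would.

    Returns the registered application name on success, else None. Note that the
    only evidence the server has about 'which app' is possession of the secret.
    """
    entry = CONSUMER_REGISTRY.get(params.get("oauth_consumer_key", ""))
    if entry is None:
        return None
    consumer_secret, app_name = entry
    token_secret = TOKEN_SECRETS.get(params.get("oauth_token", ""), "")
    expected = sign(method, url, params, consumer_secret, token_secret)
    return app_name if hmac.compare_digest(expected, signature) else None


def build_params(consumer_key: str, token: str, nonce: str, timestamp: str, status: str) -> dict:
    return {
        "oauth_consumer_key": consumer_key,
        "oauth_nonce": nonce,
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_timestamp": timestamp,
        "oauth_token": token,
        "oauth_version": "1.0",
        "status": status,
    }


def demo():
    """Two requests, signed by two different programs holding the same key pair.

    The server's answer is identical for both: the consumer key proves key
    possession, not the identity of the software that made the request.
    """
    url = "https://api.example.invalid/1.1/statuses/update.json"  # placeholder endpoint
    key, (secret, _) = next(iter(CONSUMER_REGISTRY.items()))
    token_secret = TOKEN_SECRETS["user-token-placeholder"]

    p1 = build_params(key, "user-token-placeholder", "n1", "1362000000", "hello from program A")
    p2 = build_params(key, "user-token-placeholder", "n2", "1362000001", "hello from program B")
    s1 = sign("POST", url, p1, secret, token_secret)
    s2 = sign("POST", url, p2, secret, token_secret)

    # A tampered request (status changed after signing) must be rejected.
    p3 = dict(p1, status="changed after signing")
    return server_verify("POST", url, p1, s1), server_verify("POST", url, p2, s2), server_verify("POST", url, p3, s1)


if __name__ == "__main__":
    print(demo())
```

The defensive conclusion follows from `server_verify`: anything that is distributed to users has to be treated as public, so privileges (higher rate limits, exemption from token caps) should never be attached to a consumer key. Per-user access tokens, which each user obtains individually and which can be revoked individually, and server-side rate limiting and anomaly detection on those tokens are the controls that remain meaningful once the client-side key pair is assumed known.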
Going round in circles?
Surely, even if they revoke and issue new keys, now the technique for obtaining them is known, it's trivial for the new keys to be published (à la the PS3 firmware hacks).
Security on the cheap?
Giving "keys" to "trusted partners" sounds very much like delegating your security.
To be really secure, you'd need to vet each app on a case-by-case basis, and assign it a unique hash, so no one else could impersonate it.
Only that would cost you *real* money. Which your users just won't pay.
So we get what we deserve.
Hopefully HMG are learning from this, and deciding not to have "trusted partners" ....
Maybe if they hadn't pulled TweetDeck no one would be annoyed enough to want to patch the Twitter keys into it...
I'd understood that "non-official" apps were limited in the number of users they could have.
"the folks at Twitter introduced new API restrictions that made it so third-party Twitter clients could only get 100,000 “tokens,” which would be unique user activations. The idea was to drive more people to use Twitter on the web or Twitter’s own official apps."
Quote from http://phandroid.com/2013/02/26/falcon-pro-price-twitter/
It's not the cheapness
I think that twitter sees its mission as removing doors between the diarrhetic and the kharzi.
Here is something interesting:
Yep OAuth 2 sucks big time. Last time I checked, Twitter was still on 1.0. I hope that whatever else they do, they remain on that.
More BAND-AIDS...? The future is Christmas every day for hackers!
AC 17:24's - OAuth Article: "The web does not need yet another security framework. It needs simple, well-defined, and narrowly suited protocols that will lead to improved security and increased interoperability. OAuth 2.0 fails to accomplish anything meaningful over the protocol it seeks to replace."
Cross site scripting attacks yet again in another post today .... Last week it was all about security cert deficiencies.... Now it's OAuth ...
It boggles the mind how these all get exploited so easily. IMHO the constant mindset of change in the Web is killing code predictability and testing. Once people get comfortable with writing code for different servers and browsers and different versions of browsers the whole playing field changes again. Even when coding standards work reliably for cross-compatibility there's always bugs, and it takes painstaking prototyping to weed these out, until yet again the standards and versions change and we start all over again.
So over time more and more glue has been added to the web. All of this has led to a perfectly wonderful multi-tier multi-vendor Swiss cheese. I relish the days when you could just write an app and be confident it would work as expected without dealing with complex security holes.
If we only had a simple toolkit that truly worked across different devices, OS's, and all browsers... We need to go back to something simple. Something that is decidable, something that can be predicted easily. Otherwise security (never mind simple UI) is going to become more and more problematic just to provide simple email or basic social-networking services.
Twitter answer? This is as good a time as any to kill the free ride.
And the El Reg hacks missed Twitter's answer the very same day? Read and weep:
So another good reason to avoid twitter or an explanation for Steph Fry's more novel comments?