App poked through Twitter hole, probed my privates - security bod Security researchers have outlined the danger that tweeters face if they "save time" by signing into third-party applications using a Twitter account. Developers can allow users to log into their applications using Twitter or Facebook using the OAuth authentication standard - which saves the user time as well as minimising the …
Isnt there always going to be an implementation problem with SSO solutions?
We are always reliant on the application developers being professional enough, competent and willing to properly implement the authorisation controls. If they dont (as it appears twitter didnt here) then SSO opens a wonderful attack vector.
This is the big issue with these FaceTwit type SSO services. The people providing it have no incentive to protect your privacy. In fact given that their business models pretty much fail if people do enforce their want for privacy its no surprise this kind of thing happens.
Try explaining that to joe-schmoe user who just thinks "ahahh one less password".
Stealing your wallet icon .... obviously right.
I just realised....all this time people had called me a skeptic, a naysayer, or just a negative-nancy about things like logging in using a Twitter or Facebook account - or effectively using any sort of system or product that wants you to log in or connect with an account from another place....
......it turns out that what to me was a blindingly obvious 'duh!' in that the only reason I could see for them to want me to sign in with a social network login was so they could access all of my data and post their own little threads and invites on my profile, and to my friends - is actually a newsworthy story. I genuinely thought everyone else assumed this was what it was for. It's like the Google toolbar, watching and sending off everything you do to Google's own little collected-data pond.
Wow, maybe people are dumber than I thought.
"Developers can allow users to log into their applications using Twitter or Facebook using the OAuth authentication standard - which saves the user time as well as minimising the number of account login credentials he or she needs to remember. But certain miscreants are abusing the security feature to implement workarounds which violate users' privacy."
Good! I hate it when people try to cut corners.
OAuth is problematic, especially 2.0. There is really nothing stopping me from asking you for your FB/Twitter/Dropbox credentials and storing them. At that point I can do the whole sign in, authorize, and obtain access token from my server without you ever knowing what permissions you just granted me. I can also get access to your account at any point until you change your password. Deauthorize the app and I just reauthorize myself.
I'm sorry there is something stopping me. I'm ethical and I take the ToS that I accepted seriously. There are a lot of people that would not worry about that if they could make a quick buck.
Obviously most tech savvy people are going to know that they should be on the Twitter page to login. Then you get people like my wife who won't do anything or call me in to see if it's legit. Then you get people like my brother in law who will just go ahead and log in (my sister banned him from her computer and I'm constantly pulling malware off of his computer). These are also the people who won't know how to check what permissions the app has or where to deauthorize it and will complain profusely when told to change their password.
That's called PHISHING, and actually OAuth prevents that precisely because OAuth does NOT ask for those credentials. If you are asking for credentials whilst PRETENDING to use OAuth, that's not OAuth's fault.
What you might be saying is that by creating an environment where people begin to blindly trust sites because they have "connect with FaceBook/Twitter/etc" options, and so stop thinking about whether or not they SHOULD be entering their credentials when asked to do so when using such services, then sure - that is a problem I think.
Add a "Connect with <service name>" button. When clicked, throw up a sign-on page that looks like it belongs to that service, with some text along the lines of "<Service> is not signed in. Sign in now to complete the authorisation process for <Phishing Application Name Here>".
Most people aren't going to stop and think whether or not they ARE currently signed in with the service, they will just go ahead and "Sign in" using this oh-so-trustworthy form.
But that doesn't need OAuth to work.
Twitter is more than what is available on public feeds. I don't post a lot of public tweets and my profile has no information on it at all, but I do frequently direct message companies' support Twitter accounts (since that results in the fastest response). Direct Messages are supposed to be secured so they frequently contain things like account numbers, phone numbers, addresses, etc. A hacker can grab all that info very easily if they access your Twitter account.
Also, many sites allow "sign in with Twitter". Getting the Twitter user name and password could allow hackers to automatically log into Facebook, Yahoo, Google, etc.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
