The Internet does seem to sort itself out
The Internetwork is alive and always seems to seek equilibrium.
Twitter's private OAuth login keys, used by the website's official applications to get preferential treatment from the micro-blogging site, have apparently been leaked. The secret credentials could now allow any software to masquerade as an approved Twitter client. A set of key pairs uploaded to Github are supposedly used by …
Sigh. Giving access to the keys, to the people whom you want to tell how to live their computer life, in any form - no matter how encrypted, obscured, or otherwise - is a sure-fire way to defeat those mechanisms in the long run.
DRM is the longest running and most prominent example, but hidden authorisation keys in apps? Please, I thought we'd moved on from the early MSN betas.
As soon as you have to give people that information for them to connect, it's in the public domain. If that information gives them access to something you didn't want, that access is in the public domain. Might take a while to find it, but it will be found. CSS, AACS, Securom, etc. - whatever you do along these lines will not last long.
If Twitter don't already realise that, it makes you wonder how they know enough to do business in IT at all.
Giving "keys" to "trusted partners" sounds very much like delegating your security.
To be really secure, you'd need to vet each app on a case-by-case basis, and assign it a unique hash, so no one else could impersonate it.
Only that would cost you *real* money. Which your users just won't pay.
So we get what we deserve.
Hopefully HMG are learning from this, and deciding not to have "trusted partners"...
I'd understood that "non-official" apps were limited in the number of users they could have.
"The folks at Twitter introduced new API restrictions that made it so third-party Twitter clients could only get 100,000 “tokens,” which would be unique user activations. The idea was to drive more people to use Twitter on the web or Twitter’s own official apps."
Quote from http://phandroid.com/2013/02/26/falcon-pro-price-twitter/
AC 17:24's - OAuth Article: "The web does not need yet another security framework. It needs simple, well-defined, and narrowly suited protocols that will lead to improved security and increased interoperability. OAuth 2.0 fails to accomplish anything meaningful over the protocol it seeks to replace."
Cross-site scripting attacks yet again in another post today... Last week it was all about security cert deficiencies... Now it's OAuth...
It boggles the mind how these all get exploited so easily. IMHO the constant mindset of change in the Web is killing code predictability and testing. Once people get comfortable with writing code for different servers and browsers and different versions of browsers the whole playing field changes again. Even when coding standards work reliably for cross-compatibility there's always bugs, and it takes painstaking prototyping to weed these out, until yet again the standards and versions change and we start all over again.
So over time more and more glue has been added to the web. All of this has led to a perfectly wonderful multi-tier multi-vendor Swiss cheese. I relish the days when you could just write an app and be confident it would work as expected without dealing with complex security holes.
If we only had a simple toolkit that truly worked across different devices, OSes, and all browsers... We need to go back to something simple. Something that is decidable, something that can be predicted easily. Otherwise security (never mind simple UI) is going to become more and more problematic just to provide simple email or basic social-networking services.