homepage Welcome to WebmasterWorld Guest from
register, free tools, login, search, pro membership, help, library, announcements, recent posts, open posts,
Pubcon Platinum Sponsor 2014
Home / Forums Index / Social Media / Twitter
Forum Library, Charter, Moderators: not2easy & rumbas

Twitter Forum

Twitter's Change to OAuth Authentication Generates Security Debate

WebmasterWorld Senior Member tedster us a WebmasterWorld Top Contributor of All Time 10+ Year Member

Msg#: 4196878 posted 7:48 pm on Sep 5, 2010 (gmt 0)

Twitter recently stopped supporting its Basic authentication for third party applications (there are over 70,000 of them at this point) and now supports only the OAuth authentication method. This has kicked up a storm of controversy.

Ryan Paul at Ars Technica said in a recent article both that OAuth is flawed [arstechnica.com] and that Twitter's implementation is also poor, compounding the security concern. Paul's main focus is the set of security keys - a consumer key and consumer secret.

If the key is embedded in the application itself, it's possible for an unauthorized third party to extract it through disassembly or other similar means. It will then be possible for the unauthorized third party to build software that masquerades as the compromised application when it accesses the service.

Ben Adida, a Harvard University fellow and noted security consultant, countered Ryan Paul's criticism as an unwarranted bashing of Twitter's oAuth [benlog.com]. After debunking some of the major points, Adida writes:

The article makes some very good smaller points that Twitter (and other oAuth providers) should heed:
  • ...having more explicit error messages is a good idea
  • logging out is confusing...
  • giving users more cues for trusting certain apps is probably a good idea...

    These are all useful points. But they're small, and they do not warrant a big scary title.

  • I've been following Ben Adida's contributions to web technology for a long time - I'm not as familiar with Ryan Paul. That's just a disclaimer about me, and not intended as any negative aimed at Mr. Paul. That said, from my layman's point of view it does like Ryan Paul is being overly sensationalist for the sake of publicity rather than any real concern about user security.

    It will be interesting to see how this pans out.



    5+ Year Member

    Msg#: 4196878 posted 10:18 pm on Sep 5, 2010 (gmt 0)

    Either way, rewrite some of your apps and it'll be fine...


    WebmasterWorld Senior Member tedster us a WebmasterWorld Top Contributor of All Time 10+ Year Member

    Msg#: 4196878 posted 11:08 pm on Sep 5, 2010 (gmt 0)

    It does raise the watch level for OAuth as a potential attack vector, however. And there are an increasing number of places that use OAuth - it's not just Twitter.


    Msg#: 4196878 posted 9:12 am on Sep 6, 2010 (gmt 0)

    The other issue I have with people complaining about OAuth is that the most used alternative is actually giving your username and password to apps, a practice that never should have existed!

    Yes there may be issues with OAuth but compare it to other options and i know what I prefer


    WebmasterWorld Senior Member lammert us a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

    Msg#: 4196878 posted 6:13 am on Sep 7, 2010 (gmt 0)

    An interesting step, looking at the announcement one year ago [webmasterworld.com...] that Twitter would stop using OAuth until security issues were addressed. It seems they are more confident in OAuth authentication now.


    5+ Year Member

    Msg#: 4196878 posted 7:18 am on Sep 24, 2010 (gmt 0)

    Oauth gives far more security than the older traditional way.
    Being afraid that consumer keys and secrets would be embedded (as in hardcoded) into applications is plain old bulx. Applications would not be too versatile when embedding keys.

    Embedding keys will allow the application to post Twitter updates to the application writer's own Twitter account, and not in the account of the enduser. Why on earth he would want to do that anyway.

    I digged into Oauth a couple weeks ago, as the Twitter integration in my website was - of course - not working anymore.

    After 2 weeks of testing, my application easily integrates into Twitter, Foursquare and LinkedIN. Oauth initially gave me headaches, after you write a decent frontend for it, it works fine and opens a lot more doors!

    I now use 1 single script to add applications, generate/get/store consumer/access/token keys/secrets and post to Twitter/Foursquare.
    Great cool extra functionality to show your own Application Name as well as the possibility to add geolocation to your tweets. I love it!

    I added LinkedIN functionality just this morning in less than 5 minutes. I'm not going to use it probably, but it was worth the effort.

    Seems that Facebook integration will take another approach for me as they use Oauth V2 instead of V1.

    Once you go Oauth, you stay there!

    A good tip for people starting with Oauth, watch out for your variable names. I cannot count how many times I wrongly typed 'oath' in my scripts rather than 'oauth'

    Global Options:
     top home search open messages active posts  

    Home / Forums Index / Social Media / Twitter
    rss feed

    All trademarks and copyrights held by respective owners. Member comments are owned by the poster.
    Home ¦ Free Tools ¦ Terms of Service ¦ Privacy Policy ¦ Report Problem ¦ About ¦ Library ¦ Newsletter
    WebmasterWorld is a Developer Shed Community owned by Jim Boykin.
    © Webmaster World 1996-2014 all rights reserved