Twitter recently stopped supporting its Basic authentication for third party applications (there are over 70,000 of them at this point) and now supports only the OAuth authentication method. This has kicked up a storm of controversy.
Ryan Paul at Ars Technica said in a recent article both that OAuth is flawed [arstechnica.com] and that Twitter's implementation is also poor, compounding the security concern. Paul's main focus is the pair of security keys each application is issued: a consumer key and a consumer secret.
If the key is embedded in the application itself, it's possible for an unauthorized third party to extract it through disassembly or other similar means. It will then be possible for the unauthorized third party to build software that masquerades as the compromised application when it accesses the service.
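The property Paul is describing can be shown directly. In OAuth 1.0 (RFC 5849) the consumer secret is an input to the HMAC-SHA1 request signature, so when the provider recomputes the signature it learns only that the sender holds the secret, not which program sent the request. The following is an added Python example written for this post; it is not code from Twitter or from either article. The endpoint URL, key names and credential values are constructed placeholders.

```python
import base64
import hashlib
import hmac
from urllib.parse import quote


def percent_encode(value):
    """RFC 5849 section 3.6 encoding: only unreserved characters stay as-is."""
    return quote(str(value), safe="-._~")


def signature_base_string(method, url, params):
    """Build the signature base string (RFC 5849 section 3.4.1).

    `params` holds every oauth_* protocol parameter plus the query/body
    parameters, but not oauth_signature itself."""
    pairs = sorted((percent_encode(k), percent_encode(v)) for k, v in params.items())
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), percent_encode(url), percent_encode(normalized)])


def hmac_sha1_signature(method, url, params, consumer_secret, token_secret=""):
    """HMAC-SHA1 signature (RFC 5849 section 3.4.2). The key is the consumer
    secret joined to the token secret, so anyone holding both can sign."""
    key = f"{percent_encode(consumer_secret)}&{percent_encode(token_secret)}".encode()
    base = signature_base_string(method, url, params).encode()
    return base64.b64encode(hmac.new(key, base, hashlib.sha1).digest()).decode()


# Constructed sample credentials: placeholders, not real Twitter keys.
CONSUMER_KEY = "ck_example"
CONSUMER_SECRET = "cs_example_secret"
ACCESS_TOKEN = "tok_example"
ACCESS_TOKEN_SECRET = "tok_example_secret"
URL = "https://api.example.invalid/1/statuses/home_timeline.json"

# What the provider stores when an app is registered: consumer key -> secret.
PROVIDER_APP_REGISTRY = {CONSUMER_KEY: CONSUMER_SECRET}
# What the provider stores per authorized user: access token -> token secret.
PROVIDER_TOKEN_REGISTRY = {ACCESS_TOKEN: ACCESS_TOKEN_SECRET}


def client_sign(consumer_key, consumer_secret, token, token_secret, nonce, timestamp):
    """Client side: assemble the oauth_* parameters and attach a signature."""
    params = {
        "oauth_consumer_key": consumer_key,
        "oauth_token": token,
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_timestamp": str(timestamp),
        "oauth_nonce": nonce,
        "oauth_version": "1.0",
        "count": "5",
    }
    params["oauth_signature"] = hmac_sha1_signature(
        "GET", URL, params, consumer_secret, token_secret)
    return params


def provider_verify(method, url, params):
    """Provider side: look up both secrets by their public identifiers and
    recompute the signature. Nothing here identifies the program that
    signed; only possession of the two secrets is proven."""
    consumer_secret = PROVIDER_APP_REGISTRY.get(params.get("oauth_consumer_key"))
    token_secret = PROVIDER_TOKEN_REGISTRY.get(params.get("oauth_token"))
    if consumer_secret is None or token_secret is None:
        return False
    unsigned = {k: v for k, v in params.items() if k != "oauth_signature"}
    expected = hmac_sha1_signature(method, url, unsigned, consumer_secret, token_secret)
    return hmac.compare_digest(expected, params.get("oauth_signature", ""))


def demo():
    # The genuine application signs a request.
    genuine = client_sign(CONSUMER_KEY, CONSUMER_SECRET, ACCESS_TOKEN,
                          ACCESS_TOKEN_SECRET, "nonce-genuine", 1280000000)
    # A different program holding the same consumer key and secret (and a
    # user token it obtained through the normal flow) signs its own request.
    lookalike = client_sign(CONSUMER_KEY, CONSUMER_SECRET, ACCESS_TOKEN,
                            ACCESS_TOKEN_SECRET, "nonce-other", 1280000001)
    # A program that knows only the public consumer key, not the secret.
    wrong_secret = client_sign(CONSUMER_KEY, "not-the-secret", ACCESS_TOKEN,
                               ACCESS_TOKEN_SECRET, "nonce-wrong", 1280000002)
    return {
        "genuine_accepted": provider_verify("GET", URL, genuine),
        "lookalike_accepted": provider_verify("GET", URL, lookalike),
        "wrong_secret_accepted": provider_verify("GET", URL, wrong_secret),
    }


if __name__ == "__main__":
    print(demo())  # {'genuine_accepted': True, 'lookalike_accepted': True, 'wrong_secret_accepted': False}
```

The provider accepts the genuine request and the look-alike request identically, because the signature proves possession of the consumer secret rather than the identity of the binary that holds it. The practical consequence for a provider is that a consumer key shipped inside a desktop or mobile application can only be treated as an identifier for routing and statistics, while anything that actually matters (revocation, rate limits, abuse detection) has to hang off the per-user access token and the provider's own server-side controls.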
Ben Adida, a Harvard University fellow and noted security consultant, countered Ryan Paul's criticism as an unwarranted bashing of Twitter's oAuth [benlog.com]. After debunking some of the major points, Adida writes:
The article makes some very good smaller points that Twitter (and other oAuth providers) should heed:
...having more explicit error messages is a good idea
logging out is confusing...
giving users more cues for trusting certain apps is probably a good idea...
These are all useful points. But they're small, and they do not warrant a big scary title.
I've been following Ben Adida's contributions to web technology for a long time - I'm not as familiar with Ryan Paul. That's just a disclaimer about me, and not intended as any negative aimed at Mr. Paul. That said, from my layman's point of view it does look like Ryan Paul is being overly sensationalist for the sake of publicity rather than out of any real concern about user security.
It will be interesting to see how this pans out.