Welcome to WebmasterWorld Guest from

Forum Moderators: not2easy & rumbas

Message Too Old, No Replies

Twitter's Change to OAuth Authentication Generates Security Debate

7:48 pm on Sep 5, 2010 (gmt 0)

Senior Member

WebmasterWorld Senior Member tedster is a WebmasterWorld Top Contributor of All Time 10+ Year Member

joined:May 26, 2000
votes: 0

Twitter recently stopped supporting its Basic authentication for third party applications (there are over 70,000 of them at this point) and now supports only the OAuth authentication method. This has kicked up a storm of controversy.

Ryan Paul at Ars Technica said in a recent article both that OAuth is flawed [arstechnica.com] and that Twitter's implementation is also poor, compounding the security concern. Paul's main focus is the set of security keys - a consumer key and consumer secret.

If the key is embedded in the application itself, it's possible for an unauthorized third party to extract it through disassembly or other similar means. It will then be possible for the unauthorized third party to build software that masquerades as the compromised application when it accesses the service.

Ben Adida, a Harvard University fellow and noted security consultant, countered Ryan Paul's criticism as an unwarranted bashing of Twitter's oAuth [benlog.com]. After debunking some of the major points, Adida writes:

The article makes some very good smaller points that Twitter (and other oAuth providers) should heed:
  • ...having more explicit error messages is a good idea
  • logging out is confusing...
  • giving users more cues for trusting certain apps is probably a good idea...

    These are all useful points. But they're small, and they do not warrant a big scary title.

  • I've been following Ben Adida's contributions to web technology for a long time - I'm not as familiar with Ryan Paul. That's just a disclaimer about me, and not intended as any negative aimed at Mr. Paul. That said, from my layman's point of view it does like Ryan Paul is being overly sensationalist for the sake of publicity rather than any real concern about user security.

    It will be interesting to see how this pans out.
    10:18 pm on Sept 5, 2010 (gmt 0)

    Junior Member

    10+ Year Member

    joined:June 30, 2009
    posts: 56
    votes: 0

    Either way, rewrite some of your apps and it'll be fine...
    11:08 pm on Sept 5, 2010 (gmt 0)

    Senior Member

    WebmasterWorld Senior Member tedster is a WebmasterWorld Top Contributor of All Time 10+ Year Member

    joined:May 26, 2000
    votes: 0

    It does raise the watch level for OAuth as a potential attack vector, however. And there are an increasing number of places that use OAuth - it's not just Twitter.
    9:12 am on Sept 6, 2010 (gmt 0)

    Junior Member

    5+ Year Member

    joined:Aug 12, 2010
    posts: 48
    votes: 0

    The other issue I have with people complaining about OAuth is that the most used alternative is actually giving your username and password to apps, a practice that never should have existed!

    Yes there may be issues with OAuth but compare it to other options and i know what I prefer
    6:13 am on Sept 7, 2010 (gmt 0)

    Senior Member from NL 

    WebmasterWorld Senior Member lammert is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

    joined:Jan 10, 2005
    posts: 2955
    votes: 35

    An interesting step, looking at the announcement one year ago [webmasterworld.com...] that Twitter would stop using OAuth until security issues were addressed. It seems they are more confident in OAuth authentication now.
    7:18 am on Sept 24, 2010 (gmt 0)

    New User

    5+ Year Member

    joined:Jan 8, 2010
    posts: 18
    votes: 0

    Oauth gives far more security than the older traditional way.
    Being afraid that consumer keys and secrets would be embedded (as in hardcoded) into applications is plain old bulx. Applications would not be too versatile when embedding keys.

    Embedding keys will allow the application to post Twitter updates to the application writer's own Twitter account, and not in the account of the enduser. Why on earth he would want to do that anyway.

    I digged into Oauth a couple weeks ago, as the Twitter integration in my website was - of course - not working anymore.

    After 2 weeks of testing, my application easily integrates into Twitter, Foursquare and LinkedIN. Oauth initially gave me headaches, after you write a decent frontend for it, it works fine and opens a lot more doors!

    I now use 1 single script to add applications, generate/get/store consumer/access/token keys/secrets and post to Twitter/Foursquare.
    Great cool extra functionality to show your own Application Name as well as the possibility to add geolocation to your tweets. I love it!

    I added LinkedIN functionality just this morning in less than 5 minutes. I'm not going to use it probably, but it was worth the effort.

    Seems that Facebook integration will take another approach for me as they use Oauth V2 instead of V1.

    Once you go Oauth, you stay there!

    A good tip for people starting with Oauth, watch out for your variable names. I cannot count how many times I wrongly typed 'oath' in my scripts rather than 'oauth'

    Join The Conversation

    Moderators and Top Contributors

    Hot Threads This Week

    Featured Threads

    Free SEO Tools

    Hire Expert Members