Twitter OAuth Outage Was A Vulnerability In OAuth Itself - tptacek
http://groups.google.com/group/twitter-api-announce/browse_thread/thread/d2ee68712e015041

======
tybris
These community-designed security protocols make me really tired. Just leave
it to the experts.

------
moeffju
The advisory is up at <http://oauth.net/advisories/2009-1> and the blogs are
abuzz with more (or, in enough cases, less) information. Basically, the
problem is that an attacker can keep a request token around and have the
victim complete the authentication with the old request token, thus gaining
authorization in the victim's name. There is no way for the consumer to tell
what's going on, currently.

The suggested workarounds are monitoring and a strong statement about starting
Auth workflows from untrusted places. But we all know how well those work. I'm
curious about OAuth 1.1 or whatever.
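
The request-token fixation described above, played out end to end as an added example (this is illustrative code written for this thread, not code from OAuth, Twitter or the advisory). The service provider, consumer name and token formats are toy assumptions; the second branch shows the mitigation that OAuth 1.0a later adopted, a per-authorization `oauth_verifier` returned through the consumer callback, which is not discussed in the thread itself.

```python
import secrets


class ServiceProvider:
    """Toy OAuth 1.0 service provider (assumed for this example).

    Issues request tokens to a consumer, records which user authorized a
    request token, and exchanges an authorized request token for an
    access token. With require_verifier=True it behaves like OAuth 1.0a:
    authorization yields a verifier that only reaches the consumer via
    the callback in the authorizing user's browser.
    """

    def __init__(self, require_verifier=False):
        self.require_verifier = require_verifier
        self.request_tokens = {}   # request token -> state
        self.access_tokens = {}    # access token -> user it grants access to

    def get_request_token(self, consumer):
        tok = secrets.token_hex(8)
        self.request_tokens[tok] = {"consumer": consumer, "user": None, "verifier": None}
        return tok

    def authorize(self, user, request_token):
        """User follows .../authorize?oauth_token=<request_token> and approves."""
        rec = self.request_tokens[request_token]
        rec["user"] = user
        if self.require_verifier:
            rec["verifier"] = secrets.token_hex(4)
        return rec["verifier"]  # None in plain 1.0; sent to the callback in 1.0a

    def get_access_token(self, consumer, request_token, verifier=None):
        rec = self.request_tokens.get(request_token)
        if rec is None or rec["consumer"] != consumer or rec["user"] is None:
            raise PermissionError("request token unknown or not yet authorized")
        if self.require_verifier and verifier != rec["verifier"]:
            raise PermissionError("missing or wrong oauth_verifier")
        del self.request_tokens[request_token]          # one exchange per request token
        access_token = secrets.token_hex(8)
        self.access_tokens[access_token] = rec["user"]
        return access_token


def session_fixation(require_verifier):
    """Run the attack; return which user's data the attacker ends up holding
    (None if the exchange is refused)."""
    sp = ServiceProvider(require_verifier)
    consumer = "photo-site.example"  # constructed consumer name

    # 1. Attacker starts the OAuth flow at the consumer in their own session;
    #    the consumer obtains a request token from the provider.
    request_token = sp.get_request_token(consumer)

    # 2. Instead of approving it, the attacker keeps the token and plants the
    #    authorization link somewhere the victim will click it.
    landmine = f"https://provider.example/oauth/authorize?oauth_token={request_token}"
    assert request_token in landmine

    # 3. Victim, already logged in at the provider, follows the link and
    #    approves the (attacker-initiated) request token.
    verifier = sp.authorize("victim", request_token)
    # In 1.0a the provider hands this verifier to the consumer via the callback
    # loaded in the victim's browser; the attacker's session never sees it.
    verifier_seen_by_attacker = None

    # 4. Attacker returns to their own session at the consumer, which now
    #    exchanges the authorized request token for an access token.
    try:
        access_token = sp.get_access_token(consumer, request_token,
                                           verifier=verifier_seen_by_attacker)
    except PermissionError:
        return None
    return sp.access_tokens[access_token]


if __name__ == "__main__":
    print("OAuth 1.0:  attacker session holds data of", session_fixation(False))
    print("with verifier:", session_fixation(True))
```

In the plain 1.0 branch nothing the consumer sees distinguishes step 4 from a normal completion: the request token it handed out earlier comes back authorized, exactly as it would in a legitimate flow. Binding the completion to a secret that only travels through the authorizing browser is what gives the consumer something to check.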

------
briansmith
Didn't _any_ qualified security researchers do a security assessment of OAuth
when it was in development? This spec was finalized in 2007 which means we've
had at least two years to find this _obvious_ problem.

We've known from the start that OAuth and OpenID are vulnerable to various
social engineering attacks, and I guess the communities using each have
accepted that as the lesser of two evils. But, you know, somebody has to check
that the protocol actually works at least a little.

------
timdorr
Any blackhats have any clues as to what this is about? I'm too impatient to
wait 7.5 hours :P

~~~
tptacek
The CNet article claims the vulnerability involves "social engineering"
attacks that will coerce users into giving up personal information. "Social
engineering" in web apps is usually code for "landmine links", and the OAuth
protocol itself doesn't communicate any user information of any sort (just an
opaque token).
