
Twitter Security Issue - swdesignguy
http://brianshaler.com/blog/2008/11/23/twitter-security-issue/
======
ivankirigin
How about this for a twitter security issue: users are accustomed to giving
their passwords to many third party twitter-API apps.

~~~
tlrobinson
Yeah they need to implement OAuth or something similar.

~~~
danw
From what I understand, OAuth was created when Twitter developers identified
this as a problem. The trouble is they were too busy fighting to keep Twitter
alive to roll it out on their own API.

------
aston
The fix for this sort of thing is pretty simple. Just keep a nonce on a user
(the "user version" if you will) that increments every time a user makes a
change to their login credentials, store that nonce in their cookie, and if
the one in the cookie is lower than the one on the server treat it as a
logout.

That said, this is sort of an unserious security "issue" for most people
between not really caring about the security of their account and reasonably
short cookie lifetime settings.

------
sh1mmer
Twitter have said on their API page that they are going to implement OAuth
(which would solve this problem). However, to my knowledge they have shown no
progress on doing this. It would be great for the community to push them
towards it.

Twitter seem to have been so busy firefighting that a lot of interesting
stuff has seemingly dropped off the roadmap (such as XMPP).

------
laut
Users should be encouraged not to share their password with anyone or
anything but Twitter. 3rd party apps could use OAuth.

------
tlrobinson
I suspect this is actually a very common issue. Unless you explicitly expire
all sessions for a user when they change their password, this will happen.

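The per-user version nonce aston describes above, and the session expiry on
password change that tlrobinson says is needed here, implemented as an added
example (not code from the thread, and not Twitter's implementation). The
`UserStore`, `issue_cookie`, `login` and `validate_cookie` names, the in-memory
user table, the constructed signing secret and the cookie layout are all
assumptions; the HMAC signature on the cookie is an addition beyond aston's
sketch, because a bare counter in a client-held cookie could simply be edited
upward by whoever holds it.

```python
"""Session invalidation on credential change via a per-user version nonce.

Added example, not from the original thread. Every name below is an
illustration-only assumption.
"""
import hashlib
import hmac
import json
import os
import secrets
import time

# Constructed server-side signing key; a real deployment loads it from config.
SERVER_SECRET = b"constructed-demo-secret-do-not-reuse"
COOKIE_LIFETIME_S = 7 * 24 * 3600


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


class UserStore:
    """Minimal in-memory user table; each user carries a credential version."""

    def __init__(self):
        self._users = {}

    def create(self, username, password):
        salt = os.urandom(16)
        self._users[username] = {
            "salt": salt,
            "hash": _hash_password(password, salt),
            "cred_version": 1,  # the "user version" nonce
        }

    def check_password(self, username, password):
        u = self._users.get(username)
        if u is None:
            return False
        return hmac.compare_digest(u["hash"], _hash_password(password, u["salt"]))

    def change_password(self, username, new_password):
        u = self._users[username]
        u["salt"] = os.urandom(16)
        u["hash"] = _hash_password(new_password, u["salt"])
        u["cred_version"] += 1  # every cookie issued so far now carries an older version
        return u["cred_version"]

    def cred_version(self, username):
        u = self._users.get(username)
        return None if u is None else u["cred_version"]


def _sign(payload: bytes) -> str:
    return hmac.new(SERVER_SECRET, payload, hashlib.sha256).hexdigest()


def issue_cookie(users, username, now=None):
    """Build a signed cookie that records the user's current credential version."""
    now = time.time() if now is None else now
    payload = json.dumps({
        "user": username,
        "ver": users.cred_version(username),
        "exp": now + COOKIE_LIFETIME_S,
        "sid": secrets.token_hex(8),
    }, sort_keys=True).encode()
    return payload.hex() + "." + _sign(payload)


def login(users, username, password, now=None):
    """Return a session cookie on correct credentials, else None."""
    if not users.check_password(username, password):
        return None
    return issue_cookie(users, username, now)


def validate_cookie(users, cookie, now=None):
    """Return the username for a valid cookie, else None (treat as a logout)."""
    now = time.time() if now is None else now
    try:
        payload_hex, sig = cookie.split(".", 1)
        payload = bytes.fromhex(payload_hex)
    except ValueError:
        return None
    if not hmac.compare_digest(_sign(payload), sig):
        return None  # forged or tampered cookie
    data = json.loads(payload)
    if data["exp"] < now:
        return None  # ordinary cookie lifetime expiry
    current = users.cred_version(data["user"])
    if current is None or data["ver"] < current:
        return None  # credentials changed since this cookie was issued
    return data["user"]


if __name__ == "__main__":
    users = UserStore()
    users.create("alice", "old-password")
    cookie = login(users, "alice", "old-password")
    print("before change:", validate_cookie(users, cookie))   # alice
    users.change_password("alice", "new-password")
    print("after change: ", validate_cookie(users, cookie))   # None
```

The comparison is `<` rather than `!=` to follow aston's wording; with the
signature in place the two are equivalent in practice, since a client cannot
mint a cookie carrying a higher version than the server has issued. The same
check also covers the other cases tlrobinson's point implies: a deleted user
and an expired cookie both fall through to `None`.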
~~~
kajecounterhack
Well when you say common, do you mean with another application that utilizes
an open API that is connected to many popular platforms and that is as widely
used as Twitter?

Not many come to mind.

~~~
tlrobinson
I would _guess_ that it's true for many APIs which rely on the user providing
their password to the 3rd party application.

Of course that's the bigger problem. The user shouldn't _have_ to give their
password out. It's somewhat ironic that Twitter doesn't implement OAuth or
something similar since Blaine Cook _started_ OAuth.

------
bluelu
Surely Blaine Cook didn't want to give up the admin account he had access to.
;)

