
Twitter's OAuth has a gaping security hole - madmotive
http://shkspr.mobi/blog/?p=994
======
oscardelben
That's a feature, not a bug. In Twitter, as far as I remember, you have the
opportunity to revoke tokens yourself. It's definitely not a security hole.

~~~
mooism2
It's at the intersection of security and user experience. Changing your
password because you think it's been compromised is a different use case from
changing your password because you've been using it for years or forgotten it.

~~~
cgranade
At the risk of encouraging Yet Another Warning, would displaying a notice
after changing passwords that sites are still authorized be a solution? I'd
say that it should have links to more info and to the Connections page, but I
despair of users giving up at any sign of warnings.

As looking at the issues with that infamous little "lock" icon to indicate
HTTPS shows, security and UX intersections are always difficult.

~~~
mooism2
Possibly display a list of recently authorised sites (and when they were
authorised), and make it easy to revoke them without going to another page.

It's difficult because people don't expect another step after they've changed
their password, and (I'd guess) wouldn't immediately understand the need for
it.

Perhaps the answer is Yet Another Configuration Setting: the default option
revokes all site authorisations when you change your password; the alternate
option allows (but forces) you to think about it.
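The two policies discussed in this thread (revoke every app authorisation on a password change, or keep them and make the user review them) can both be expressed by binding each issued token to a "credential generation" counter on the account. The following is an added illustration, not code from the linked post or from Twitter; the `Provider`, `User` and `Token` names and the in-memory store are assumptions, and a real provider would persist these records and store a slow, salted password hash alongside them.

```python
import secrets
import time
from dataclasses import dataclass


@dataclass
class User:
    name: str
    # Bumped whenever a password change is meant to invalidate previously
    # issued app tokens (the default policy in this example).
    password_version: int = 0
    revoke_on_password_change: bool = True


@dataclass
class Token:
    value: str
    user: str
    app: str
    password_version: int  # credential generation the token was issued under
    issued_at: float
    revoked: bool = False


class Provider:
    """In-memory stand-in for the provider's authorisation store (constructed)."""

    def __init__(self):
        self.users: dict[str, User] = {}
        self.tokens: dict[str, Token] = {}

    def add_user(self, name, revoke_on_password_change=True):
        self.users[name] = User(name, revoke_on_password_change=revoke_on_password_change)

    def authorise(self, user, app, now=None):
        """User grants `app` access; the token is tied to the user's
        current credential generation."""
        u = self.users[user]
        tok = Token(secrets.token_urlsafe(24), user, app, u.password_version,
                    now if now is not None else time.time())
        self.tokens[tok.value] = tok
        return tok.value

    def check(self, token_value):
        """Resource-server check: the token must exist, not be revoked, and
        have been issued under the user's current credential generation."""
        tok = self.tokens.get(token_value)
        if tok is None or tok.revoked:
            return False
        return tok.password_version == self.users[tok.user].password_version

    def change_password(self, user):
        """Password rotation. Under the default policy every token issued
        before the change stops validating; under the alternate policy the
        tokens survive and the user is expected to review them."""
        u = self.users[user]
        # The new password hash would be stored here; omitted for brevity.
        if u.revoke_on_password_change:
            u.password_version += 1
        return u.password_version

    def revoke_app(self, user, app):
        """Explicit per-app revocation, as from a connections page.
        Returns the number of tokens revoked."""
        n = 0
        for tok in self.tokens.values():
            if tok.user == user and tok.app == app and not tok.revoked:
                tok.revoked = True
                n += 1
        return n

    def recent_authorisations(self, user, since):
        """Still-valid authorisations granted at or after `since`, newest
        first, for a post-password-change review screen."""
        live = [t for t in self.tokens.values()
                if t.user == user and t.issued_at >= since and self.check(t.value)]
        return sorted(live, key=lambda t: t.issued_at, reverse=True)
```

The version counter means no token needs to be found and deleted at password-change time: every old token simply stops validating on its next use, while the explicit `revoke_app` path covers the per-app revocation the thread describes as already available.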

------
rabble
Argh, why do we vote up this crude sensationalist crap?

~~~
digamber_kamat
I think it is possible to criticize in a more civilized and conversant manner.
Moreover it is expected from users at HN.

~~~
tptacek
Calling a person "crap" is uncivilized. Calling a story "crap" is just blunt.

------
madmotive
What approaches do other OAuth providers take to this problem? Revoking all
OAuth tokens on a password change/reset takes away a good chunk of the value
that many people get from using OAuth.

~~~
tomjen2
Agreed, but would it be difficult to have a checkbox marked "revoke all
permissions to use my account from all applications" to the reset password
menu?

~~~
neilk
That's overkill. Perhaps, one day, there will be a need to suspend all OAuth
authorizations while a rogue app is identified.

------
djb_hackernews
Along the same lines, if you build a Twitter app that uses OAuth and change
the access from read to read/write, the OAuth tokens never change and won't
work if you try to do a write operation. Even if you log out and log back in
manually. More problematic, the error is '401 - Unauthorized', blah.

The workaround recommended by Twitter? Register a new Twitter app that is
read/write from the get go. :(

------
orblivion
I guess I don't quite follow the logic here, though I'm not advanced in the
ways of the web yet.

When you connect to a site with OAuth, doesn't it require that you a) sign in
using Twitter or b) are already signed in using Twitter? I would think this is
necessary, otherwise people with multiple Twitter accounts, each of which uses
the same OAuth site, would end up with a lot of confusion.

So given this, Eva would have to a) sign in to Alice's Twitter account, which
she can't do because Alice changed her password, or b) continue to be signed
into Alice's Twitter account, while Alice changes her password, which would
also be a security compromise of Twitter in general, no need to get into OAuth
at that point.

Did I crack this thing or did I miss something?

------
genieyclo
Seriously though, why do all the security examples and scenarios always
involve an Alice and a Bob?

And why is Alice always the bad guy (or chick)?

~~~
munctional
You need to read Applied Cryptography.

~~~
tptacek
Or, better yet, any other book on cryptography; Applied might be the worst
crypto book available.

~~~
smanek
Can you recommend a better one?

~~~
tptacek
Practical Cryptography, Ferguson and Schneier. Written partly as penance for
Applied Cryptography.

------
tptacek
Summary: No it doesn't.

