Add a custom icon to Auth0's Custom Social integrations


Screenshot showing an ID field.

This is so fucking stupid. There is no way to update the logo of a custom social connection on Auth0 without using the command line. On literally every other service I've used, there's a little box to upload a logo. But Okta have a funny idea of what developers want. And, to make matters worse, their documentation contains an error! They don't listen to community requests or take bug reports, so I'm blogging in the hope that this is useful to you. The Command curl --request PATCH \ -H…

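
The same change done from a script instead of a one-off command. This is an added example, not the post's cURL command: it uses Auth0's Management API endpoint for updating a connection (PATCH /api/v2/connections/{id}) and the `icon_url` field of a custom social connection's `options`, as documented by Auth0. The caveat worth knowing before running anything is that PATCH replaces the whole `options` object, so sending only the icon wipes the connection's client ID, scripts and scopes; hence GET first, merge, then PATCH. Tenant domain, connection id and icon URL are placeholders, the Management API token (assumed to carry `update:connections`) is read from an environment variable, and the HTTP layer is injectable so the merge can be tested offline.

```python
import json
import os
import urllib.request


def with_icon(options, icon_url):
    """Return a copy of a connection's current `options` with icon_url set.
    Everything already in `options` (client_id, client_secret, scope, the
    fetchUserProfile script, ...) is kept, because PATCH sends the whole object."""
    if not icon_url.startswith("https://"):
        raise ValueError("use an https:// icon URL; the login page itself is served over https")
    merged = dict(options)
    merged["icon_url"] = icon_url
    return merged


def _default_http(method, url, token, body=None):
    """Minimal JSON client for the Management API (urllib only)."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method, headers={
        "Authorization": f"Bearer {token}",
        "Content-Type": "application/json",
    })
    with urllib.request.urlopen(req, timeout=15) as resp:
        return json.loads(resp.read())


def set_connection_icon(domain, connection_id, icon_url, token, http=_default_http):
    """GET the connection, merge the icon into its options, PATCH it back."""
    url = f"https://{domain}/api/v2/connections/{connection_id}"
    current = http("GET", url, token)
    patch = {"options": with_icon(current.get("options", {}), icon_url)}
    return http("PATCH", url, token, patch)


if __name__ == "__main__":
    # Placeholders: tenant domain and connection id are assumptions; the
    # Management API token (needs update:connections) comes from the environment.
    updated = set_connection_icon(
        "example-tenant.eu.auth0.com", "con_0000000000000000",
        "https://your_website.tld/logo.svg", os.environ["AUTH0_MGMT_TOKEN"])
    print(updated["options"].get("icon_url"))
```

If you prefer to stay on the command line, the shape is the same: `GET` the connection, edit the returned `options` JSON, and `PATCH` the edited object back under the `options` key.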

Creating a generic "Log-in with Mastodon" service


A padlock engraved into a circuit board.

Let's say you have a website - your_website.tld - and you want people to log in to it using their Mastodon account. For a traditional social-media site like Twitter or Facebook, you would create an OAuth app on the service that you want. But there are hundreds of Mastodon servers. So you need to create a new app for each one. That sounds hard, but it isn't. Well… not too hard. Here's some code adapted from Infosec.press. It's all written using cURL on the command line - so you should be a…


$3k Bug Bounty - Twitter's OAuth Mistakes


A Twitter login screen. Highlighted is the information that it cannot access your DMs.

Imagine the scenario. You're trying out some cool new Twitter app. It asks you to sign in via OAuth as per usual. You look through the permissions - phew - it doesn't want to access your Direct Messages. You authorise it - whereupon it promptly leaks to the world all your sexts, inappropriate jokes, and dank memes. Tragic! What's going on? Many years ago the official Twitter API keys were leaked. This means that app authors who can't get their app approved by Twitter are still able to…


Web Based OAuth Is A Security Nightmare For Apps


Twitter have just released Periscope for Android. I'll do a full review of it later (tl;dr it's Qik with worse resolution) - but for now, I want to focus on the sign up process. You can only sign in with Twitter. That's fine, it's a Twitter product. So I pressed the sign-in button and this is the screen I saw. Is that the Twitter mobile website embedded into the app or is it a phishing page? I've no way of knowing! I can't see the URL bar - for all I know, this could be an elaborate…


The OAuth / App Anti-Pattern


OAuth was designed to combat an anti-pattern. Typing your username and password into a third party site is a bad idea. A really bad idea. I mean, you may think it's a bad idea to give your bank details to a Nigerian prince but that's just peanuts compared to giving away your password to an untrusted site! So, that's why we use OAuth. Rather than handing details to a random site, we authenticate against a trusted site which then redirects us back with an authentication token. That's all well…


OAuth Will Murder Your Children - for one week only!


Why doesn't Twitter's OAuth let me specify the length of time a 3rd party has access to my account? Take a look at all the crap you've given access to your Twitter account. Are you ever going to use that "See how many of your friends like cheese" app again? No. Long time readers will know that I have some severe usability and security concerns with Twitter's OAuth implementation. See also my interview in The Register. Zach Holman has an entertaining and informative blog post about giving…


HOWTO: Twitpic and OAuth


Logo of TwitPic.

I am no longer confused! Here is a quick tutorial in how to post images to Twitpic and Twitter when using OAuth. I'm indebted to Steve Corona of Twitpic, for his help with this. You can see the full code on Dabr's Google Code page. First of all, you'll need to have enabled OAuth for your Twitter client. I use Abraham's excellent OAuth libraries for PHP. This tutorial assumes you already have OAuth working. I'll attempt to explain what I'm doing as I go along - but the code should be…


Twitpic OAuth - I'm Stuck


Logo of TwitPic.

Twitpic has implemented an OAuth API. No more having to hand out passwords to all and sundry. Only I'm too much of a dunderhead to get it working. Perhaps it's a combination of heatstroke or this rotten head-cold, but I just can't see what I'm doing wrong. Any help much appreciated. The easy bit. It's easy to post the data to Twitpic $media_data = array( 'media' => '@'.$_FILES['media']['tmp_name'], 'message' => html_entity_decode($_POST['message']), 'key'=>'123465789132465' );…

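
What both Twitpic posts above are wrestling with is OAuth Echo, the delegation scheme Twitpic's v2 API used so that a client could prove who its user was without handing Twitpic the user's Twitter token secret. The client signs a `GET` of Twitter's `verify_credentials` endpoint with the user's OAuth 1.0a token, and sends the resulting `Authorization` value to Twitpic in `X-Verify-Credentials-Authorization`, with `X-Auth-Service-Provider` naming the endpoint; Twitpic replays that one request against Twitter. The following is an added example, not Dabr's code and not Abraham's PHP library: it implements the OAuth 1.0a HMAC-SHA1 signing (RFC 5849 encoding rules), produces the two Echo headers, and shows the check a service on the receiving end must make before replaying. Consumer key, token, nonce and timestamp values in any run are constructed fixtures, not real credentials.

```python
import base64
import hashlib
import hmac
import secrets
import time
from urllib.parse import quote

# The Twitter endpoint Twitpic replayed the signed request against.
VERIFY_URL = "https://api.twitter.com/1/account/verify_credentials.json"
# Providers a delegating service should accept; anything else is refused.
TRUSTED_PROVIDERS = {VERIFY_URL}


def pct(value):
    """RFC 5849 percent-encoding: only unreserved characters are left alone."""
    return quote(str(value), safe="-._~")


def hmac_sha1_b64(key, message):
    digest = hmac.new(key.encode(), message.encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()


def base_string(method, url, params):
    """Signature base string: METHOD&enc(url)&enc(k1=v1&k2=v2...), with the
    pairs encoded first and then sorted, as OAuth 1.0a requires."""
    pairs = sorted((pct(k), pct(v)) for k, v in params.items())
    normalised = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), pct(url), pct(normalised)])


def oauth1_header(method, url, consumer_key, consumer_secret, token, token_secret,
                  nonce=None, timestamp=None, extra_params=None):
    """Build an OAuth 1.0a HMAC-SHA1 Authorization header for one request.
    extra_params (query or form fields) are signed but not put in the header."""
    oauth = {
        "oauth_consumer_key": consumer_key,
        "oauth_nonce": nonce or secrets.token_hex(16),
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_timestamp": str(timestamp or int(time.time())),
        "oauth_token": token,
        "oauth_version": "1.0",
    }
    signed = dict(oauth, **(extra_params or {}))
    signing_key = f"{pct(consumer_secret)}&{pct(token_secret)}"
    oauth["oauth_signature"] = hmac_sha1_b64(signing_key, base_string(method, url, signed))
    return "OAuth " + ", ".join(f'{pct(k)}="{pct(v)}"' for k, v in sorted(oauth.items()))


def oauth_echo_headers(consumer_key, consumer_secret, token, token_secret,
                       nonce=None, timestamp=None):
    """Client side: the two headers sent to Twitpic alongside the image upload.
    Note what is NOT sent: the token secret. Twitpic only ever sees one
    signature over one fixed GET, which it can replay but cannot reuse for
    any other request."""
    auth = oauth1_header("GET", VERIFY_URL, consumer_key, consumer_secret,
                         token, token_secret, nonce=nonce, timestamp=timestamp)
    return {"X-Auth-Service-Provider": VERIFY_URL,
            "X-Verify-Credentials-Authorization": auth}


def replay_request(headers):
    """Service side: the request Twitpic would make to Twitter to check the
    user. The provider URL must be one it trusts; otherwise a client could
    point the check at a server of its own and 'verify' as anyone."""
    provider = headers["X-Auth-Service-Provider"]
    if provider not in TRUSTED_PROVIDERS:
        raise ValueError(f"untrusted auth service provider: {provider}")
    return provider, {"Authorization": headers["X-Verify-Credentials-Authorization"]}
```

The signature covers the method, the exact URL and every parameter, so the replayed request must be byte-for-byte the one the client signed; a trailing slash or an extra query parameter on either side is enough to make Twitter reject it, which is the usual reason these integrations "just don't work".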

The Perfect Twitter Spam Attack?


This morning, when I logged on to Twitter, I saw a user who I didn't recognise tweeting away in my timeline. I wracked my brains thinking about how they could have gotten in there before I realised it was a long-dormant friend who had changed their name and avatar. But, in thinking about how a spammer could infiltrate one's timeline, I think I came up with a fairly bullet-proof method to spam Twitter users. I present this as an exercise in devious thinking - and also to show how our…


Twitter's new OAuth Problem


The Twitter logo.

Twitter have announced that all third-party sites will have to use OAuth. You will no longer be able to just type in your username and password to get access to Twitter via your favourite web client. Usually, I would be a big fan of this move - especially if it forces password anti-pattern sites like TwitPic to implement the new, secure standard. This means that you won't be able to log in to a third party site by giving them your username and password. You will have to use OAuth to se…


Twitter OAuth - Mobile Failures


I'm a big fan of OAuth - despite some claims to the contrary. It's an excellent way of teaching people not to stick their username and password into any old site which asks for it. Which is why I'm so incredibly disappointed in Twitter's implementation of mobile OAuth. For a service which started out operating by SMS, Twitter takes a surprisingly unenlightened view of mobile. Its main mobile service - http://m.twitter.com/ - is almost completely devoid of useful features. That's one of…


Twitter, OAuth and Passwords - Oh My!


Twitter has a gaping security hole. Changing your password won't stop malicious users logging in as you! I received a rather worrying email from Twitter. Apparently they thought my password had been compromised and needed to be reset. Reset Your Twitter Password After checking to see if it was valid, I went and changed my password. Any site which relied on a cookie to post to Twitter would have been blocked out. Ha! Gotcha, suckers! The OAuth Problem OAuth tokens are not revoked when th…
