$3k Bug Bounty - Twitter's OAuth Mistakes

by @edent | 4 comments | 400 words | Read ~15,718 times.

A Twitter login screen. Highlighted is the information that it cannot access your DMs.

Imagine the scenario. You're trying out some cool new Twitter app. It asks you to sign in via OAuth as per usual. You look through the permissions - phew - it doesn't want to access your Direct Messages. You authorise it - whereupon it promptly leaks to the world all your sexts, inappropriate jokes, and…

Web Based OAuth Is A Security Nightmare For Apps

by @edent | 4 comments | 750 words | Read ~1,146 times.

Twitter have just released Periscope for Android. I'll do a full review of it later (tl;dr it's Qik with worse resolution) - but for now, I want to focus on the sign up process. You can only sign in with Twitter. That's fine, it's a Twitter product. So I pressed the sign-in button and this…

The OAuth / App Anti-Pattern

by @edent | 13 comments | 400 words | Read ~1,699 times.

OAuth was designed to combat an anti-pattern. Typing your username and password into a third party site is a bad idea. A really bad idea. I mean, you may think it's a bad idea to give your bank details to a Nigerian prince but that's just peanuts compared to giving away your password to an untrusted…

OAuth Will Murder Your Children - for one week only!

by @edent | 300 words | Read ~109 times.

Why doesn't Twitter's OAuth let me specify the length of time a 3rd party has access to my account? Take a look at all the crap you've given access to your Twitter account. Are you ever going to use that "See how many of your friends like cheese" app again? No. Long time readers will…

HOWTO: Twitpic and OAuth

by @edent | 25 comments | 700 words | Read ~5,140 times.

I am no longer confused! Here is a quick tutorial in how to post images to Twitpic and Twitter when using OAuth. I'm indebted to Steve Corona of Twitpic, for his help with this. You can see the full code on Dabr's Google Code page. First of all, you'll need to have enabled OAuth for…

Twitpic OAuth - I'm Stuck

by @edent | 14 comments | 300 words | Read ~3,278 times.

Twitpic has implemented an OAuth API. No more having to hand out passwords to all and sundry. Only I'm too much of a dunderhead to get it working. Perhaps it's a combination of heatstroke or this rotten head-cold, but I just can't see what I'm doing wrong. Any help much appreciated. The easy bit. It's…

The Perfect Twitter Spam Attack?

by @edent | 2 comments | 700 words | Read ~210 times.

This morning, when I logged on to Twitter, I saw a user who I didn't recognise tweeting away in my timeline. I wracked my brains thinking about how they could have gotten in there before I realised it was a long-dormant friend who had changed their name and avatar. But, in thinking about how a…

Twitter's new OAuth Problem

by @edent | 4 comments | 550 words | Read ~451 times.

Twitter have announced that all third party sites will have to use OAuth. You will no longer be able to just type in your username and password to get access to Twitter via your favourite web client. Usually, I would be a big fan of this move - especially if it forces password anti-pattern sites…

Twitter OAuth - Mobile Failures

by @edent | 4 comments | 550 words | Read ~999 times.

I'm a big fan of OAuth - despite some claims to the contrary. It's an excellent way of teaching people not to stick their username and password into any old site which asks for it. Which is why I'm so incredibly disappointed in Twitter's implementation of mobile OAuth. For a service which started out operating…

Twitter, OAuth and Passwords - Oh My!

by @edent | 39 comments | 550 words | Read ~5,535 times.

Twitter has a gaping security hole. Changing your password won't stop malicious users logging in as you! I received a rather worrying email from Twitter. Apparently they thought my password had been compromised and needed to be reset. After checking to see if it was valid, I went and changed my password. Any site which…