April 22, 2009 12:14 PM PDT

Security flaw leads Twitter, others to pull OAuth support

by Caroline McCarthy

A security hole in OAuth, the open protocol that acts as a "valet key" for users' log-in information, has led services like Twitter and Yahoo to temporarily pull their support, CNET News has learned.

Some developers were dismayed when Twitter pulled its support for OAuth, which it had only recently started to implement. Blogger Jesse Stay, in a post about other restrictions on Twitter's developer API, cited the removal of OAuth as one of several recent examples of how the microblogging service has "pulled the rug out from under its developers."

In the interest of online safety, CNET News has chosen not to make the details of the security hole public. Here are the basics: the hole lets an attacker use social-engineering tactics to trick users into exposing their data. The OAuth protocol itself requires changes to remove the vulnerability. A source close to OAuth's development team said that there have been no known violations, that the team has been aware of the issue for a few days now, and that it has been coordinating responses with vendors. A solution should be announced soon.

This is a particularly big deal for Twitter. OAuth spares users from having to hand their passwords to third-party services that use a site's application programming interface (API), and Twitter relies heavily on developer-created enhancements to the service, from clients like Twhirl and TweetDeck to statistics and analytics applications.
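The valet-key model described above, and the kind of hole involved (a later comment on this page links to Eran Hammer-Lahav's write-up, which names it a session fixation attack), as an added illustration that is neither the article's code nor anything from the OAuth project: a toy, in-memory Python model of the OAuth 1.0 three-legged flow, with no signatures, HTTP or real keys, and with made-up consumer, session and user names. An attacker starts an authorization, lures the victim into approving the attacker's request token, and then completes the callback from the attacker's own session. The same model is then run with the oauth_verifier check that the OAuth 1.0a revision, published later in 2009, added: whoever completes the exchange must present a value that only the approving user's browser carried back to the callback.

```python
"""Toy model of OAuth 1.0's three-legged flow and the 1.0a oauth_verifier fix.

Illustration only: no request signing, no HTTP, and all names are invented.
"""
from typing import Dict, Optional
import secrets


class Provider:
    """Service provider side (a Twitter-like API). All state is in memory."""

    def __init__(self, require_verifier: bool) -> None:
        # False models OAuth 1.0; True models the 1.0a revision.
        self.require_verifier = require_verifier
        self.request_tokens: Dict[str, dict] = {}
        self.access_tokens: Dict[str, dict] = {}

    def issue_request_token(self, consumer: str) -> str:
        """Step 1: a consumer (third-party app) asks for a temporary request token."""
        token = secrets.token_hex(8)
        self.request_tokens[token] = {"consumer": consumer, "user": None, "verifier": None}
        return token

    def authorize(self, token: str, user: str) -> Optional[str]:
        """Step 2: the user, in a browser, approves the request token.
        Under 1.0a a fresh oauth_verifier is minted and sent with the redirect
        to the consumer's callback; under 1.0 nothing extra is issued."""
        entry = self.request_tokens[token]
        entry["user"] = user
        if self.require_verifier:
            entry["verifier"] = secrets.token_hex(8)
        return entry["verifier"]

    def exchange(self, consumer: str, token: str, verifier: Optional[str]) -> Optional[str]:
        """Step 3: the consumer trades an authorized request token for an access token."""
        entry = self.request_tokens.get(token)
        if entry is None or entry["consumer"] != consumer or entry["user"] is None:
            return None
        # 1.0a: whoever completes the exchange must present the verifier that
        # only the approving user's browser carried back to the callback.
        if self.require_verifier and verifier != entry["verifier"]:
            return None
        del self.request_tokens[token]  # request tokens are single-use
        access = secrets.token_hex(8)
        self.access_tokens[access] = {"consumer": consumer, "user": entry["user"]}
        return access


class Consumer:
    """Third-party app. Remembers which browser session started which request token."""

    def __init__(self, name: str, provider: Provider) -> None:
        self.name = name
        self.provider = provider
        self.pending: Dict[str, str] = {}    # session id -> request token
        self.logged_in: Dict[str, str] = {}  # session id -> access token

    def start(self, session: str) -> str:
        token = self.provider.issue_request_token(self.name)
        self.pending[session] = token
        return token  # the authorization URL the session is sent to carries this

    def callback(self, session: str, token: str, verifier: Optional[str]) -> bool:
        """The provider redirects back here after approval (or an attacker visits
        the URL by hand). Exchange the token and tie the access to this session."""
        if self.pending.get(session) != token:
            return False
        access = self.provider.exchange(self.name, token, verifier)
        if access is None:
            return False
        del self.pending[session]
        self.logged_in[session] = access
        return True


def run_fixation(require_verifier: bool) -> bool:
    """Attacker starts the flow, lures the victim into approving that same request
    token, then visits the callback from the attacker's own session. Returns True
    if the attacker ends up holding an access token for the victim's account."""
    provider = Provider(require_verifier)
    app = Consumer("example-client", provider)  # a legitimate app; name is invented
    token = app.start("attacker-session")
    # The victim is tricked into opening the authorization link and approves it.
    # Any verifier goes to the victim's browser, never to the attacker.
    provider.authorize(token, "victim")
    app.callback("attacker-session", token, verifier=None)
    access = app.logged_in.get("attacker-session")
    return access is not None and provider.access_tokens[access]["user"] == "victim"


def run_legitimate(require_verifier: bool) -> bool:
    """Normal flow: the same session starts, approves and completes the exchange."""
    provider = Provider(require_verifier)
    app = Consumer("example-client", provider)
    token = app.start("alice-session")
    verifier = provider.authorize(token, "alice")
    return app.callback("alice-session", token, verifier)


if __name__ == "__main__":
    print("OAuth 1.0  fixation succeeds:", run_fixation(False))    # True
    print("OAuth 1.0a fixation succeeds:", run_fixation(True))     # False
    print("OAuth 1.0a normal login works:", run_legitimate(True))  # True
```

Two things the toy leaves out of the real 1.0a revision: the consumer also had to send its oauth_callback when requesting the token (with the provider confirming it) rather than at authorization time, and every request to the provider is signed. The point the model does show is that an approval bound only to a request token can be redeemed by whoever holds that token, which is exactly what a phished link hands to an attacker.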

"OAuth is still in beta, for what it's worth," Twitter API lead Alex Payne said in (of course) a Twitter message on Wednesday. "We should have the current issue with it resolved soon."

Eran Hammer-Lahav, who is coordinating the OAuth community's response to this threat, spoke to CNET News later on Wednesday afternoon. "We have been aware of this threat for about a week now, and we have been coordinating with all known providers to help them understand the threat and deploy whatever mitigating factors they can," Hammer-Lahav said, adding that full details will be made available on the OAuth Web site at midnight Pacific time on Thursday. "There are no known exploits of this, so there are no reported attacks and the providers have either already deployed matters to address this or are doing it right now."

He highlighted Twitter's role in helping to keep things on the down-low at its own expense; when the service disabled OAuth, it did not mention that there was a security hole at its root.

"The community is extremely grateful to Twitter, despite the fact that they have been standing alone in the line of fire and taking the heat for this threat as if it was their own issue," Hammer-Lahav explained. "They basically took the PR hit in order to allow other companies to address it. They were doing it not to protect themselves, but to protect other companies."

Twitter co-founder Biz Stone responded to the threat on the company blog: "We take security seriously and felt the responsible thing to do was temporarily disable OAuth while this matter was sorted out. Yahoo and others made similar decisions," Stone wrote. "The developers working on Twitter projects that are in our beta test group felt this disruption the hardest and their patience is extremely appreciated."

This post was last expanded at 1:36 p.m. PT.

Caroline McCarthy, a CNET News staff writer, is a downtown Manhattanite happily addicted to social-media tools and restaurant blogs. Her pre-CNET resume includes interning at an IT security firm and brewing cappuccinos. E-mail Caroline.
11 Comments
by jesseestay April 22, 2009 12:40 PM PDT
Just a correction - my article wasn't specifically about OAuth, although the debacle with OAuth supports this. My article was about their implementing a 1k follower limit with no notice to developers beforehand, and their practice of doing this over the last year. Twitter has still not explained that the removal of OAuth was because of a hole, nor did they give any notice to developers they were disabling it.
by EdFinkler April 22, 2009 12:47 PM PDT
"This is a particularly big deal for Twitter, as OAuth prevents users of a service from having to hand over their passwords to third-party services that use that service's application program interface (API), and Twitter relies heavily on developer-created enhancements to the service from clients like Twhirl and TweetDeck to statistics and analytics applications."

This is something of an exaggeration. Most applications are not using OAuth yet, including ones you mention like Twhirl and TweetDeck. Obviously it's problematic, but the vast majority of Twitter users are not affected by OAuth downtime.
by pallian April 22, 2009 12:47 PM PDT
Thanks for the proper explanation - how come twitter couldn't come up with this and let their developers and 3rd party app know in advance? Right now, http://www.tweetizen.com is a big fail whale because we depend on OAuth for login.
by linnetwoods April 22, 2009 1:18 PM PDT
There are times when I wonder whether reporting on potential hacker vulnerabilities isn't somewhat akin to rushing up to a bull with a large red rag to see whether it will react... there is always a danger that all it will do is spur bored young hackers into competing with one another to find them before there has been enough time to seal them off...

However tempting it may be for those in the technology reporting industry to compete to be first in with a juicy bit of news, there are times when one has to wonder...
by weyh April 22, 2009 1:26 PM PDT
Yeah, it's kinda frustrating; I was ready to announce my twitter app www.skillzdesk.com.
Working on a backup plan here.
by jimp79 April 22, 2009 1:29 PM PDT
Twitter did the right thing. Telling their developer community that they were disabling OAuth due to a security threat would be the same thing as publicly saying OAuth had a security vulnerability. Even if they didn't reveal the exact details, it would have given attackers a head start on developing attacks before the other vendors could address the issue. This was a truly selfless act by Twitter.

Eran is not exaggerating when he says that "[Twitter] basically took the PR hit in order to allow other companies to address it." That is absolutely true. Thank you Twitter.
by jscott418 April 22, 2009 2:24 PM PDT
It leaves some real questions about open source and security in my mind. I really have my doubts about open source being effective in this area by the very fact it's open source. I would prefer security be left to companies who create secured code, so that you know who to go to in a case like this. Sorry, but open source is just an income crutch for business. Just another way to save money. But is it worth it??
by jimp79 April 22, 2009 2:58 PM PDT
@jscott418, you're kidding, right? Your ill-informed opinion about open source aside, OAuth was developed by:

1. Google
2. Yahoo
3. Twitter
4. Netflix
5. MySpace (News Corp)

Among many others. Those 5 companies alone have a combined market cap of $170 Billion and some of the smartest people in the tech industry. I hardly think they need an "income crutch".

Get the facts straight before you shoot your mouth off and embarrass yourself.

Look at the names and companies of the authors of the specification: http://oauth.net/core/1.0/
by gggg sssss April 22, 2009 5:49 PM PDT
NEVER let some other thing get at your confidential data. NEVER
by nicholasfloyd April 22, 2009 11:10 PM PDT
I totally agree with @jimp79, especially while you can still have the option to leave existing access tokens active.

I would rather someone close the hole, and work on a solid solution than quickly jamming something out there that breaks the protocol. Aces to Eran and co. for the quick response and openness and to twitter for taking the hit - well done fellas.

They are making other Service Providers lives a lot easier.
by petesoder April 24, 2009 11:44 PM PDT
In spite of the fact that Twitter silently pulled OAuth and was working with them behind the scenes prior to the vuln being publicized, there are aspects of full-disclosure that ultimately benefit the security of the online ecosystem.

I was very happy that Eran Hammer-Lahav promptly explained the specifics of the problem here: http://www.hueniverse.com/hueniverse/2009/04/explaining-the-oauth-session-fixation-attack.html. As he says in this post, "Understanding the exact details of security threats is important in order to prevent exploits and fix the specification."

For more on the OAuth issue and the complexity of security in general, check out this post on the Stratus Security blog: http://stratusec.com/blog/2009/04/complications-with-oauth/