Comments on: Security flaw leads Twitter, others to pull OAuth support

Use of the open-source protocol has been put on hold by some major Web services until a security issue has been resolved, developers tell CNET News.

(11 Comments)
by jesseestay April 22, 2009 12:40 PM PDT
Just a correction - my article wasn't specifically about OAuth, although the debacle with OAuth supports this. My article was about their implementing a 1k follower limit with no notice to developers beforehand, and their practice of doing this over the last year. Twitter has still not explained that the removal of OAuth was because of a hole, nor did they give any notice to developers they were disabling it.
by EdFinkler April 22, 2009 12:47 PM PDT
"This is a particularly big deal for Twitter, as OAuth prevents users of a service from having to hand over their passwords to third-party services that use that service's application program interface (API), and Twitter relies heavily on developer-created enhancements to the service from clients like Twhirl and TweetDeck to statistics and analytics applications."

This is something of an exaggeration. Most applications are not using OAuth yet, including ones you mention like Twhirl and TweetDeck. Obviously it's problematic, but the vast majority of Twitter users are not affected by OAuth downtime.
by pallian April 22, 2009 12:47 PM PDT
Thanks for the proper explanation - how come Twitter couldn't come up with this and let their developers and 3rd-party apps know in advance? Right now, http://www.tweetizen.com is a big fail whale because we depend on OAuth for login.
by linnetwoods April 22, 2009 1:18 PM PDT
There are times when I wonder whether reporting on potential hacker vulnerabilities isn't somewhat akin to rushing up to a bull with a large red rag to see whether it will react... there is always a danger that all it will do is spur bored young hackers into competing with one another to find them before there has been enough time to seal them off...

However tempting it may be for those in the technology reporting industry to compete to be first in with a juicy bit of news, there are times when one has to wonder...
by weyh April 22, 2009 1:26 PM PDT
Yeah, it's kinda frustrating; I was ready to announce my Twitter app www.skillzdesk.com.
Working on a backup plan here.
by jimp79 April 22, 2009 1:29 PM PDT
Twitter did the right thing. Telling their developer community that they were disabling OAuth due to a security threat would be the same thing as publicly saying OAuth had a security vulnerability. Even if they didn't reveal the exact details, it would have given attackers a head start on developing attacks before the other vendors could address the issue. This was a truly selfless act by Twitter.

Eran is not exaggerating when he says that "[Twitter] basically took the PR hit in order to allow other companies to address it." That is absolutely true. Thank you Twitter.
by jscott418 April 22, 2009 2:24 PM PDT
It leaves some real questions about open source and security in my mind. I really have my doubts about open source being effective in this area by the very fact that it's open source. I would prefer security be left to companies who create secured code, where you know who to go to in a case like this. Sorry, but open source is just an income crutch for business. Just another way to save money. But is it worth it?
by jimp79 April 22, 2009 2:58 PM PDT
@jscott418, you're kidding, right? Your ill-informed opinion about open source aside, OAuth was developed by:

1. Google
2. Yahoo
3. Twitter
4. Netflix
5. MySpace (News Corp)

Among many others. Those 5 companies alone have a combined market cap of $170 Billion and some of the smartest people in the tech industry. I hardly think they need an "income crutch".

Get the facts straight before you shoot your mouth off and embarrass yourself.

Look at the names and companies of the authors of the specification: http://oauth.net/core/1.0/
by gggg sssss April 22, 2009 5:49 PM PDT
NEVER let some other thing get at your confidential data. NEVER
by nicholasfloyd April 22, 2009 11:10 PM PDT
I totally agree with @jimp79, especially while you can still have the option to leave existing access tokens active.

I would rather someone close the hole and work on a solid solution than quickly jam something out there that breaks the protocol. Aces to Eran and co. for the quick response and openness, and to Twitter for taking the hit - well done, fellas.

They are making other Service Providers' lives a lot easier.
by petesoder April 24, 2009 11:44 PM PDT
In spite of the fact that Twitter silently pulled OAuth and was working with them behind the scenes prior to the vuln being publicized, there are aspects of full-disclosure that ultimately benefit the security of the online ecosystem.

I was very happy that Eran Hammer-Lahav promptly explained the specifics of the problem here: http://www.hueniverse.com/hueniverse/2009/04/explaining-the-oauth-session-fixation-attack.html. As he says in this post, "Understanding the exact details of security threats is important in order to prevent exploits and fix the specification."

For more on the OAuth issue and the complexity of security in general, check out this post on the Stratus Security blog: http://stratusec.com/blog/2009/04/complications-with-oauth/