Security
April 22, 2009 12:14 PM PDT

Security flaw leads Twitter, others to pull OAuth support

by Caroline McCarthy

A security hole in OAuth, the open protocol that acts as a "valet key" giving third-party applications limited access to a user's account without the user's password, has led services including Twitter and Yahoo to temporarily pull their support for it, CNET News has learned.

Some developers were dismayed when Twitter pulled its support for OAuth, which it had only recently started to implement. Blogger Jesse Stay wrote, in a post about other restrictions to Twitter's developer API, that the removal of OAuth is one of several recent examples of how the microblogging service has "pulled the rug out from under its developers."

In the interest of online safety, CNET News has chosen not to publish the details of the security hole. The basics: the hole lets an attacker use social-engineering tactics to trick users into exposing their data, and the OAuth protocol itself must be amended to remove the vulnerability. A source close to OAuth's development team said that there have been no known exploits, that the team has been aware of the issue for a few days and has been coordinating responses with vendors, and that a fix should be announced soon.

This is a particularly big deal for Twitter. OAuth lets users grant access to third-party applications built on a service's application programming interface (API) without handing those applications their passwords, and Twitter relies heavily on developer-created enhancements to the service, from clients like Twhirl and TweetDeck to statistics and analytics applications.

"OAuth is still in beta, for what it's worth," Twitter API lead Alex Payne said in (of course) a Twitter message on Wednesday. "We should have the current issue with it resolved soon."

Eran Hammer-Lahav, who is coordinating the OAuth community's response to this threat, spoke to CNET News later on Wednesday afternoon. "We have been aware of this threat for about a week now, and we have been coordinating with all known providers to help them understand the threat and deploy whatever mitigating factors they can," Hammer-Lahav said, adding that full details will be made available on the OAuth Web site at midnight Pacific time on Thursday. "There are no known exploits of this, so there are no reported attacks and the providers have either already deployed matters to address this or are doing it right now."

He highlighted Twitter's role in keeping the issue quiet at its own expense: when Twitter disabled OAuth, it did not say that a security hole was the reason.

"The community is extremely grateful to Twitter, despite the fact that they have been standing alone in the line of fire and taking the heat for this threat as if it was their own issue," Hammer-Lahav explained. "They basically took the PR hit in order to allow other companies to address it. They were doing it not to protect themselves, but to protect other companies."

Twitter co-founder Biz Stone responded to the threat on the company blog: "We take security seriously and felt the responsible thing to do was temporarily disable OAuth while this matter was sorted out. Yahoo and others made similar decisions," Stone wrote. "The developers working on Twitter projects that are in our beta test group felt this disruption the hardest and their patience is extremely appreciated."

This post was last expanded at 1:36 p.m. PT.

Originally posted at The Social
March 16, 2009 11:10 PM PDT

Twitter OAuth open to all developers

by Anne Dujmovic

Twitter's OAuth interface is now open to all developers, giving third-party Web sites a more secure way to access the service through its application programming interface (API). Alex Payne, Twitter's API lead, made the announcement in--what else--a tweet on Monday.

OAuth is an open standard for delegated authorization rather than for authentication as such. It lets a user who keeps an account and data on one Web site authorize a second site to access that data, without giving the second site the user's password and without necessarily revealing the user's identity to it. Twitter OAuth had been offered to some developers in a closed beta a few weeks earlier, according to Twitter's OAuth FAQ.

On its Web site, OAuth is likened to a valet key given to a parking attendant: the key lets the attendant drive the car but not open the trunk. "You give someone limited access to your car with a special key, while using your regular key to unlock everything...While OpenID is all about using a single identity to sign into many sites, OAuth is about giving access to your stuff without sharing your identity at all (or its secret parts)."

In June, Google announced OAuth support for sharing data through its Google Data interface, then some months later said it would also adopt the standard for widget platform Google Gadgets.

Previously: How I got burned by Twitter's API, why it matters, and how to fix it.

Originally posted at Webware
November 21, 2008 7:29 AM PST

Google adds OAuth to widget mashups

by David Meyer

Google has adopted OAuth, an open Web standard for delegated authorization that lets users control which sites may see their data, for its widget platform, Google Gadgets.

If a user has personal information stored on one Web site, OAuth provides a mechanism for him or her to authorize that Web site to share the data with another Web site or widget. The second site never receives the user's password for the first, and the first site need not reveal the user's identity to the second.
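The delegated-access model described here, and in the Twitter OAuth post above, in working code. This is an added example written for this page; it is not code from Google, Twitter or the OAuth project. It implements OAuth 1.0 request signing with the HMAC-SHA1 method from both sides: the third-party client signs an API call with its consumer secret and a per-user token secret, and the provider checks the signature, the timestamp and the nonce before mapping the token to a user and a scope. The user's password sits only in the provider's store and is never consulted. The consumer key, token, secrets, user name, scope and API URL are all made up for the example.

```python
"""OAuth 1.0 "valet key" in miniature (constructed example, not a real service).

A third-party client signs each API call with its consumer secret plus the
token secret issued for one user; the provider verifies the signature and maps
the token to a user and a scope. The client never sees the user's password.
"""
import base64
import hashlib
import hmac
import secrets
import time
from urllib.parse import parse_qsl, quote, urlsplit

# Provider-side state. All values are made up for this example.
CONSUMERS = {"twhirl-client": "consumer-secret-1"}               # client app -> its secret
TOKENS = {"user-token-1": ("token-secret-1", "alice", "read")}   # valet key -> (secret, user, scope)
USERS = {"alice": {"password_hash": "<never consulted for API calls>"}}
CLOCK_SKEW = 300  # seconds a request timestamp may drift before it is refused


def oauth_encode(value):
    """Percent-encode per RFC 3986, leaving only the unreserved characters bare."""
    return quote(str(value), safe="")


def signature_base_string(method, url, params):
    """METHOD & encoded base URL & encoded, sorted, '&'-joined parameters."""
    parts = urlsplit(url)
    base_url = f"{parts.scheme.lower()}://{parts.netloc.lower()}{parts.path}"
    pairs = list(parse_qsl(parts.query, keep_blank_values=True))
    pairs += [(k, v) for k, v in params.items() if k != "oauth_signature"]
    encoded = sorted((oauth_encode(k), oauth_encode(v)) for k, v in pairs)
    normalized = "&".join(f"{k}={v}" for k, v in encoded)
    return "&".join([method.upper(), oauth_encode(base_url), oauth_encode(normalized)])


def hmac_sha1(base_string, consumer_secret, token_secret):
    """HMAC-SHA1 over the base string, keyed by both secrets, base64-encoded."""
    key = f"{oauth_encode(consumer_secret)}&{oauth_encode(token_secret)}".encode()
    digest = hmac.new(key, base_string.encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()


def sign_request(method, url, consumer_key, consumer_secret, token, token_secret,
                 nonce=None, timestamp=None):
    """Client side: build the oauth_* parameters for one API call."""
    params = {
        "oauth_consumer_key": consumer_key,
        "oauth_token": token,
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_timestamp": str(timestamp if timestamp is not None else int(time.time())),
        "oauth_nonce": nonce or secrets.token_hex(8),
        "oauth_version": "1.0",
    }
    base = signature_base_string(method, url, params)
    params["oauth_signature"] = hmac_sha1(base, consumer_secret, token_secret)
    return params


def verify_request(method, url, params, seen_nonces, now=None):
    """Provider side: return (user, scope) for a valid call, else raise ValueError."""
    now = now if now is not None else int(time.time())
    consumer_secret = CONSUMERS.get(params.get("oauth_consumer_key"))
    token_entry = TOKENS.get(params.get("oauth_token"))
    if consumer_secret is None or token_entry is None:
        raise ValueError("unknown consumer key or token")
    if params.get("oauth_signature_method") != "HMAC-SHA1":
        raise ValueError("unsupported signature method")
    try:
        ts = int(params.get("oauth_timestamp", ""))
    except ValueError:
        raise ValueError("malformed timestamp") from None
    if abs(now - ts) > CLOCK_SKEW:
        raise ValueError("timestamp outside the allowed window")
    replay_key = (params["oauth_consumer_key"], params["oauth_token"], ts, params.get("oauth_nonce"))
    if replay_key in seen_nonces:
        raise ValueError("nonce already used: replayed request")
    token_secret, user, scope = token_entry
    expected = hmac_sha1(signature_base_string(method, url, params), consumer_secret, token_secret)
    if not hmac.compare_digest(expected.encode(), params.get("oauth_signature", "").encode()):
        raise ValueError("bad signature")
    seen_nonces.add(replay_key)  # record only after the signature checks out
    return user, scope


if __name__ == "__main__":
    url = "https://api.example.com/statuses/user_timeline.json?count=20"
    signed = sign_request("GET", url, "twhirl-client", "consumer-secret-1",
                          "user-token-1", "token-secret-1")
    seen = set()
    print("first delivery:", verify_request("GET", url, signed, seen))
    for label, u, p in [("replay", url, signed),
                        ("tampered query", url.replace("count=20", "count=200"), signed)]:
        try:
            verify_request("GET", u, p, seen)
        except ValueError as exc:
            print(f"{label}: rejected ({exc})")
```

The provider-side checks are the ones that make the valet key worth having: the signature binds the consumer, the token and the exact request; the timestamp window and nonce set stop a captured request from being replayed; and the scope returned with the user is what the provider uses to refuse, say, a write from a token that was issued read-only.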

Google announced in June that it was to adopt OAuth for sharing data through its Google Data application programming interface. The company on Tuesday said it will now also use OAuth for Google Gadgets, which are interactive mini applications for the desktop that show, for example, personalized news feeds or localized weather reports.

"We also previously announced that third-party developers can build their own iGoogle gadgets that access the OAuth-enabled APIs for Google applications such as Calendar, Picasa, and Docs," Eric Sachs, Google's senior product manager for security, wrote in a blog post on Tuesday. "In fact, since both the gadget platform and OAuth technology are open standards, we are working to help other companies who run services similar to iGoogle to enhance them with support for these standards."

Sachs added that the new OAuth-enabled gadgets being created for iGoogle would also work on those other sites, including many of the gadgets that Google offers for its own applications. "This provides a platform for some interesting mashups," he wrote.

"It would allow a mutual fund, for example, to provide an iGoogle gadget to their customers that would run on iGoogle, and show the user the value of his or her mutual fund, but without giving Google any unique information about the user, such as a Social Security number or account number," Sachs wrote. "In the future, maybe we will even see industries like banks use standards such as OAuth to allow their customers to authorize utility companies to perform direct debit from the user's bank account without that person having to actually share his or her bank account number with the utility vendor."

David Meyer of ZDNet UK reported from London.

