Webware

April 22, 2009 12:14 PM PDT

Security flaw leads Twitter, others to pull OAuth support

by Caroline McCarthy

A security hole in OAuth, the open-source protocol that acts as a "valet key" for users' log-in information, has led services like Twitter and Yahoo to temporarily pull their support, CNET News has learned.

Some developers were dismayed when Twitter pulled its support for OAuth, which it had only recently started to implement: blogger Jesse Stay wrote in a post about other restrictions to Twitter's developer API that its removal of OAuth is one of a number of recent examples of how the microblogging service has "pulled the rug out from under its developers."

In the interest of online safety, CNET News has chosen not to make the details of the security hole public. Here are the basics: The hole makes it possible for a hacker to use social-engineering tactics to trick users into exposing their data. The OAuth protocol itself requires tweaking to remove the vulnerability, and a source close to OAuth's development team said that there have been no known violations, that the team has been aware of the issue for a few days now, and that it has been coordinating responses with vendors. A solution should be announced soon.

This is a particularly big deal for Twitter, as OAuth prevents users of a service from having to hand over their passwords to third-party services that use that service's application program interface (API), and Twitter relies heavily on developer-created enhancements to the service from clients like Twhirl and TweetDeck to statistics and analytics applications.

"OAuth is still in beta, for what it's worth," Twitter API lead Alex Payne said in (of course) a Twitter message on Wednesday. "We should have the current issue with it resolved soon."

Eran Hammer-Lahav, the OAuth community coordinator for this specific threat, spoke to CNET News later on Wednesday afternoon. "We have been aware of this threat for about a week now, and we have been coordinating with all known providers to help them understand the threat and deploy whatever mitigating factors they can," Hammer-Lahav said, adding that full details will be made available on the OAuth Web site at midnight Pacific time on Thursday. "There are no known exploits of this, so there are no reported attacks and the providers have either already deployed matters to address this or are doing it right now."

He highlighted Twitter's role in helping to keep things on the down-low at its own expense; when the service disabled OAuth, it did not mention that there was a security hole at its root.

"The community is extremely grateful to Twitter, despite the fact that they have been standing alone in the line of fire and taking the heat for this threat as if it was their own issue," Hammer-Lahav explained. "They basically took the PR hit in order to allow other companies to address it. They were doing it not to protect themselves, but to protect other companies."

Twitter co-founder Biz Stone responded to the threat on the company blog: "We take security seriously and felt the responsible thing to do was temporarily disable OAuth while this matter was sorted out. Yahoo and others made similar decisions," Stone wrote. "The developers working on Twitter projects that are in our beta test group felt this disruption the hardest and their patience is extremely appreciated."

This post was last expanded at 1:36 p.m. PT.

Originally posted at The Social
March 16, 2009 11:10 PM PDT

Twitter OAuth open to all developers

by Anne Dujmovic

Twitter's OAuth interface is now open to all developers, enabling more secure access to the service via its application programming interface from third-party Web sites. Alex Payne, Twitter's API leader, made the announcement in--what else--a tweet Monday.

OAuth is an open standard for online authentication. It enables a user who stores information such as a password on a particular Web site to then authorize yet another site to access that data, all the while not sharing the user's identity with that site. Twitter OAuth had been offered to some developers in a closed beta a few weeks ago, according to Twitter's OAuth FAQ.

On its Web site, OAuth is likened to a valet key given to a parking attendant--the key only allows access to, say, drive the car, but doesn't enable the trunk to be opened. "You give someone limited access to your car with a special key, while using your regular key to unlock everything...While OpenID is all about using a single identity to sign into many sites, OAuth is about giving access to your stuff without sharing your identity at all (or its secret parts)."

In June, Google announced OAuth support for sharing data through its Google Data interface, then some months later said it would also adopt the standard for widget platform Google Gadgets.

Previously: How I got burned by Twitter's API, why it matters, and how to fix it.

November 21, 2008 7:29 AM PST

Google adds OAuth to widget mashups

by David Meyer

Google has adopted OAuth, an open Web authentication standard for controlling privacy, for its widget platform, Google Gadgets.

If a user has personal information stored on one Web site, OAuth provides a mechanism for him or her to authorize that Web site to share the data with another Web site or widget. It also makes it possible to do this without the first site having to reveal the user's identity to the second site.

Google announced in June that it was to adopt OAuth for sharing data through its Google Data application programming interface. The company on Tuesday said it will now also use OAuth for Google Gadgets, which are interactive mini applications for the desktop that show, for example, personalized news feeds or localized weather reports.

"We also previously announced that third-party developers can build their own iGoogle gadgets that access the OAuth-enabled APIs for Google applications such as Calendar, Picasa, and Docs," Eric Sachs, Google's senior product manager for security, wrote in a blog post on Tuesday. "In fact, since both the gadget platform and OAuth technology are open standards, we are working to help other companies who run services similar to iGoogle to enhance them with support for these standards."

Sachs added that the new OAuth-enabled gadgets being created for iGoogle would also work on those other sites, including many of the gadgets that Google offers for its own applications. "This provides a platform for some interesting mashups," he wrote.

"It would allow a mutual fund, for example, to provide an iGoogle gadget to their customers that would run on iGoogle, and show the user the value of his or her mutual fund, but without giving Google any unique information about the user, such as a Social Security number or account number," Sachs wrote. "In the future, maybe we will even see industries like banks use standards such as OAuth to allow their customers to authorize utility companies to perform direct debit from the user's bank account without that person having to actually share his or her bank account number with the utility vendor."

David Meyer of ZDNet UK reported from London.

Originally posted at Security
June 27, 2008 3:27 PM PDT

Google data-sharing gets authentication option

by Stephen Shankland

Google now supports the open OAuth standard for sharing data through its Google Data interface, a move that could make it easier to tap into information stored at Google properties.

Google headquarters in Mountain View, Calif.

(Credit: Stephen Shankland/CNET News.com)

The Google Data API (application programming interface)--GData for short--provides a conduit whereby other Web sites can slurp out data stored at Google. For personal information, such as photos at Picasa or contacts at Gmail, access to that information requires authentication. OAuth provides a standard way to perform that authentication, which means programmers at least theoretically should have an easier time writing code.

Google announced the OAuth support Thursday on its Data API blog.

Also Thursday, Google announced that Google Finance is now supported in the Google Data API. That means data could be retrieved to build, for example, a gadget with a live chart showing changing portfolio value.

And since the API permits two-way communications, it also means an outside service could update a user's information at Google Finance, for example with recent stock trades.

May 13, 2008 12:26 AM PDT

Friend Connect gets a warm reception at Google Campfire One

by Stephen Shankland

Google engineering director David Glazer, right, talks to Matt Waddell at the Campfire One event at Google headquarters in Mountain View, Calif. Behind him is the skull of a T. Rex skeleton.

(Credit: Stephen Shankland/CNET Networks)

MOUNTAIN VIEW, Calif.--Maybe it was because Google was preaching to the social-networking choir, or maybe it was the toasty campfires and hot cocoa, but demonstrations of Google's new Friend Connect service seemed generally well received Monday night.

Google executives showed off the technology, a Google-hosted application that is designed to let Web site coders easily add social features to their sites, at the company's third Campfire One event at its headquarters here. Earlier Campfire One events debuted two other significant developer-oriented software technologies, OpenSocial and App Engine.

Program manager Mussie Shore gave the central demonstration, sprucing up a guacamole-lovers' site with the ability to let users join as members, comment, post photos, rate recipes, and spread word of those activities to contacts on existing social-networking sites LinkedIn, Facebook, MySpace, Orkut, or hi5.

Ingrid Michaelson webmaster Jenny Begin and Nat Brown, CTO of iLike, show Friend Connect enhancements they made to the Ingrid Michaelson Web page.

(Credit: Stephen Shankland/CNET Networks)

Google Friend Connect employs several more-or-less standard networking technologies--OpenSocial as a foundation for richer Web applications; OpenID to handle login chores; OAuth to let users approve the grafting of new branches onto their existing social networks such as Facebook. It's yet another option in the complicated and fast-changing set of alliances and standards efforts in the social-networking domain.

Attendees I spoke to generally waxed positive about it. And Don MacAskill, chief executive of photo-sharing site SmugMug, said he'd be interested in trying it out.

In his demo, Shore picked some social applications from an online catalog, tweaked minor parameters such as background color, clicked a button to generate a few lines of JavaScript, copied it into his Web page, and exercised the new features on the revamped Web site.

Program manager Mussie Shore demonstrates Friend Connect. Key to the process is the 'generate code' button that produces some JavaScript that can be copied into a Web site.

(Credit: Stephen Shankland/CNET Networks)

Shore touts the benefits of Friend Connect.

(Credit: Stephen Shankland/CNET Networks)

The crowd settles in at Google's third Campfire One event in the Googleplex courtyard.

(Credit: Stephen Shankland/CNET Networks)

The Googleplex by night. Yes, the roof is crooked.

(Credit: Stephen Shankland/CNET Networks)

Originally posted at News Blog