January 04, 2009

Twitter's OAuth Target Slipping Amid Increased Security Pressures

Over the weekend, more than one exploit, sent by way of Twitter's Direct Message feature, made its way around the Web. As Twitter has continued to grow, the microblogging service looks to be a new domain for the scammers and spammers previously confined to traditional e-mail. And as the shenanigans gain momentum, so too does the call for Twitter to implement OAuth, the open protocol for secure API authorization that has become popular among many Web tools in use today. But Twitter employees' posts in the service's development group, and their own notifications on the site, show a shifting roadmap, while they also try to deflect criticism by separating the need for OAuth from the weekend's incidents.


An example of one Twitter phishing attempt.

Twitter's success has produced a groundswell of applications that require users to enter their user name and password on third-party sites. Given Twitter's lack of OAuth support, Twitter users have grown used to handing over their credentials whenever they are asked, and in the rare case a site has been found to be malicious, they are forced once again to change their passwords to protect their accounts.

The OAuth Web site spells out the reason behind the project's development, saying: "If you're storing protected data on your users' behalf, they shouldn't be spreading their passwords around the web to get access to it."

The weekend's activity featured a mock Twitter login page, where users were prompted to enter their credentials. (See: CNet: Twitter phishing scam may be spreading) This specific attack would not have been prevented by OAuth, but only by users paying attention to where they were logging in; still, the responses show Twitter's attitude toward the current process.

Alex Payne, a lead developer of Twitter, told one user on Saturday: "Right now, you can't see which apps are using your requests. You can change your password, though," and later told another user, "We're trying to discourage against clicking on the link." Pretty basic stuff.

When pressed on whether Twitter was going to implement OAuth, and so reduce users' growing comfort with posting their passwords everywhere, Alex said, "OAuth isn't a panacea against phishing and other web security issues. We're still going to support it," and, following on, echoed the OAuth site by saying, "A main benefit is that OAuth limits the scope of activities that can be done with a user's credentials," while also linking to a post from April of 2008 that showed how phishing scams could not be stopped by OAuth. See: Phishing Fools?
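What "limits the scope of activities" means mechanically is easier to see in code. The following is an added example, not Twitter's code and not the OAuth project's own library: an OAuth 1.0 HMAC-SHA1 request signer and a constructed stand-in resource server. The consumer key, secrets, token, nonce, timestamp and request are the test vector from Appendix A of the OAuth Core 1.0 specification (photos.example.net is the spec's example host, not a real service); the ResourceServer class, its revoke method and the tamper and revoke checks are illustrative assumptions.

```python
"""OAuth 1.0 HMAC-SHA1 request signing and server-side verification.

Added example, not Twitter's code. Keys, token and request are the test
vector from OAuth Core 1.0, Appendix A; the ResourceServer class is a
constructed stand-in for the service, not any real implementation.
"""
import base64
import hashlib
import hmac
from urllib.parse import parse_qsl, quote, urlsplit

# Test vector from OAuth Core 1.0, Appendix A.5 (example values, not real credentials).
CONSUMER_KEY = "dpf43f3p2l4k3l03"
CONSUMER_SECRET = "kd94hf93k423kf44"
ACCESS_TOKEN = "nnch734d00sl2jdk"
TOKEN_SECRET = "pfkkdhi9sl3r4s00"
REQUEST_URL = "http://photos.example.net/photos?file=vacation.jpg&size=original"
OAUTH_PARAMS = {
    "oauth_consumer_key": CONSUMER_KEY,
    "oauth_token": ACCESS_TOKEN,
    "oauth_signature_method": "HMAC-SHA1",
    "oauth_timestamp": "1191242096",
    "oauth_nonce": "kllo9940pd9333jh",
    "oauth_version": "1.0",
}


def pct(s: str) -> str:
    """Percent-encode per RFC 3986: only A-Z a-z 0-9 - . _ ~ stay unescaped."""
    return quote(s, safe="")


def signature_base_string(method: str, url: str, params: dict) -> str:
    """Build the string both sides sign: METHOD & base URL & sorted, encoded parameters."""
    parts = urlsplit(url)
    base_url = f"{parts.scheme.lower()}://{parts.netloc.lower()}{parts.path}"
    pairs = parse_qsl(parts.query, keep_blank_values=True)  # query string parameters
    pairs += [(k, v) for k, v in params.items() if k != "oauth_signature"]
    normalized = "&".join(f"{k}={v}" for k, v in sorted((pct(k), pct(v)) for k, v in pairs))
    return "&".join([method.upper(), pct(base_url), pct(normalized)])


def hmac_sha1_signature(method, url, params, consumer_secret, token_secret):
    """Signing key is consumer secret & token secret; the user's password is never involved."""
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    msg = signature_base_string(method, url, params).encode()
    return base64.b64encode(hmac.new(key, msg, hashlib.sha1).digest()).decode()


def sign_request(method, url, params, consumer_secret, token_secret):
    """Client side: return the OAuth parameters with oauth_signature attached."""
    signed = dict(params)
    signed["oauth_signature"] = hmac_sha1_signature(method, url, params, consumer_secret, token_secret)
    return signed


class ResourceServer:
    """Constructed stand-in for the service (assumption, not Twitter's design).

    It stores per-consumer and per-token secrets, so one app's token can be
    revoked without touching the user's password."""

    def __init__(self, consumer_secret: str, tokens: dict):
        self.consumer_secret = consumer_secret
        self.tokens = dict(tokens)  # oauth_token -> token secret

    def revoke(self, token: str) -> None:
        self.tokens.pop(token, None)

    def verify(self, method: str, url: str, params: dict) -> bool:
        secret = self.tokens.get(params.get("oauth_token", ""))
        if secret is None:
            return False  # unknown or revoked token
        expected = hmac_sha1_signature(method, url, params, self.consumer_secret, secret)
        return hmac.compare_digest(expected, params.get("oauth_signature", ""))


def demo() -> dict:
    """Sign the spec's example request, verify it, tamper with it, then revoke the token."""
    server = ResourceServer(CONSUMER_SECRET, {ACCESS_TOKEN: TOKEN_SECRET})
    signed = sign_request("GET", REQUEST_URL, OAUTH_PARAMS, CONSUMER_SECRET, TOKEN_SECRET)
    tampered_url = REQUEST_URL.replace("size=original", "size=thumbnail")
    result = {
        "signature": signed["oauth_signature"],
        "accepted": server.verify("GET", REQUEST_URL, signed),
        "tampered_accepted": server.verify("GET", tampered_url, signed),
    }
    server.revoke(ACCESS_TOKEN)
    result["accepted_after_revoke"] = server.verify("GET", REQUEST_URL, signed)
    return result


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The request is signed with the consumer secret and token secret only; the user's password never enters the computation, and revoking the token (or the consumer key) cuts off one application without forcing a password change, which is the scoping Alex describes. The caveat the post makes still stands: none of this helps when the user types the real password into a fake login page.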

So, we get that the phishing problem won't be solved by adding OAuth, but we do see more and more applications getting your password. As the New Year came in, Twply managed to collect many passwords, and was then sold the same day. (See: Scobleizer: Twitter spam, effective or idiotic?)

Alex mentioned Twitter is going to support OAuth. But when?

In the Twitter Development Talk forum, you can see the target continues to move.
Alex, on November 24th of last year, wrote: "We're currently waiting on our User Experience team to put the final touches on a BETA release of our OAuth support. It's going to have bugs, to be sure, but we should have it out there soon. "
On November 26th, after being pressed for a date, he said, "As I don't know the entire schedule of our UX team, I can't. I would say less than a month and closer to a week by far, but please don't hold me to that."
On December 8th, Alex gave more specific timing: "It won't be available for testing this week, but should be available before the end of the month. I'd definitely encourage you not to launch on it, though, as it will be a beta."
Now, more than a month after the first comment and amid more developer pressure, Alex says the next major version of the API will be OAuth-only, but deflects some of the criticism by pointing fingers at other services that have not yet jumped on the OAuth bandwagon.

This afternoon, January 4th, Alex said:
"Of course, once we offer OAuth, it would be nice to see the same community pressure that's been applied to us put towards companies like Amazon. The Amazon.com iPhone app collects my username and password, and that account is actually tied to my credit card information. Where are the blog posts about their anti-patterns?"
Now, there's no question I'm no security expert. Don't forget that on November 12th, I once wrote, Twitterank Can Have My Password, No Questions Asked, and Alex looks to be feeling the strain of other non-experts, like me, pushing the team to get more robust. He commented on Twitter this evening, "It doesn't help that web folks generally have next to zero security/crypto education," a bucket I'm no doubt in.

The groundswell of demand on Twitter to improve its security measures and get to OAuth as quickly as possible has no doubt reached a crescendo in the wake of this week's exploits, both those the project could address and those that are merely phishing scams. But it looks like the confidence of developers building on Twitter has been shaken by so many promises being out there and the deadline continuing to move.