Categories
Links

Compromising Twitter’s OAuth security system

[Ryan Paul for Ars:][link]

>Twitter officially disabled Basic authentication this week, the final step in the company’s transition to mandatory OAuth authentication. Sadly, Twitter’s extremely poor implementation of the OAuth standard offers a textbook example of how to do it wrong. This article will explore some of the problems with Twitter’s OAuth implementation and some potential pitfalls inherent to the standard. I will also show you how I managed to compromise the secret OAuth key in Twitter’s very own official client application for Android.

via [Schneier][via]

[link]: http://arstechnica.com/security/guides/2010/09/twitter-a-case-study-on-how-to-do-oauth-wrong.ars “Compromising Twitter’s OAuth security system”
[via]: http://www.schneier.com/blog/archives/2010/09/problems_with_t.html “Bruce Schneier’s post on this”

Leave a Reply

Your email address will not be published.

This site uses Akismet to reduce spam. Learn how your comment data is processed.