Compromising Twitter’s OAuth security system


Ryan Paul for Ars:

Twitter officially disabled Basic authentication this week, the final step in the company’s transition to mandatory OAuth authentication. Sadly, Twitter’s extremely poor implementation of the OAuth standard offers a textbook example of how to do it wrong. This article will explore some of the problems with Twitter’s OAuth implementation and some potential pitfalls inherent to the standard. I will also show you how I managed to compromise the secret OAuth key in Twitter’s very own official client application for Android.

via Schneier
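The excerpt above turns on one fact about OAuth 1.0a: every request is signed with an HMAC whose key is built from the consumer secret, so a consumer secret shipped inside a mobile client is in the hands of anyone who installs the app. The following is an added example, not code from the Ars article or from Twitter, implementing the RFC 5849 HMAC-SHA1 signing and the matching server-side check. The sample key, token, nonce and timestamp values are taken from the worked example in Twitter's public "Creating a signature" documentation; the function names are my own.

```python
import base64
import hashlib
import hmac
from urllib.parse import quote


def pct(value: str) -> str:
    # RFC 5849 section 3.6: only unreserved characters stay unencoded
    return quote(str(value), safe="-._~")


def signature_base_string(method: str, url: str, params: dict) -> str:
    # params holds the oauth_* protocol parameters plus query and form-body
    # parameters; oauth_signature itself is never part of the base string
    pairs = sorted((pct(k), pct(v)) for k, v in params.items())
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), pct(url), pct(normalized)])


def sign(method: str, url: str, params: dict,
         consumer_secret: str, token_secret: str = "") -> str:
    # The signing key is consumer_secret&token_secret. With no user token
    # (request-token and similar calls) the consumer secret alone suffices,
    # which is why a secret embedded in a distributed client proves nothing
    # about which application really made the request.
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    base = signature_base_string(method, url, params).encode()
    return base64.b64encode(hmac.new(key, base, hashlib.sha1).digest()).decode()


def verify(method: str, url: str, params: dict, presented: str,
           consumer_secret: str, token_secret: str = "") -> bool:
    # Server-side check: recompute and compare in constant time. A server
    # should additionally reject replayed (timestamp, nonce) pairs; that
    # bookkeeping is omitted here.
    expected = sign(method, url, params, consumer_secret, token_secret)
    return hmac.compare_digest(expected, presented)


# Sample values from Twitter's public signing example (not live credentials)
EXAMPLE_METHOD = "POST"
EXAMPLE_URL = "https://api.twitter.com/1/statuses/update.json"
EXAMPLE_PARAMS = {
    "status": "Hello Ladies + Gentlemen, a signed OAuth request!",
    "include_entities": "true",
    "oauth_consumer_key": "xvz1evFS4wEEPTGEFPHBog",
    "oauth_nonce": "kYjzVBB8Y0ZFabxSWbWovY3uYSQ2pTgmZeNu2VS4cg",
    "oauth_signature_method": "HMAC-SHA1",
    "oauth_timestamp": "1318622958",
    "oauth_token": "370773112-GmHxMAgYyLbNEtIKZeRNFsMKPR9EyMZeS9weJAEb",
    "oauth_version": "1.0",
}
EXAMPLE_CONSUMER_SECRET = "kAcSOqF21Fu85e7zjz7ZN2U4ZRhfV3WpwPAoE3Z7kBw"
EXAMPLE_TOKEN_SECRET = "LswwdoUaIvS8ltyTt5jkRh4J50vUPVVHtR2YPi5kE"


def example_signature() -> str:
    return sign(EXAMPLE_METHOD, EXAMPLE_URL, EXAMPLE_PARAMS,
                EXAMPLE_CONSUMER_SECRET, EXAMPLE_TOKEN_SECRET)


def example_verifies_with(consumer_secret: str) -> bool:
    # True only for the holder of the real consumer secret: the signature
    # carries no other proof of which client produced it.
    sig = example_signature()
    return verify(EXAMPLE_METHOD, EXAMPLE_URL, EXAMPLE_PARAMS, sig,
                  consumer_secret, EXAMPLE_TOKEN_SECRET)


if __name__ == "__main__":
    print(signature_base_string(EXAMPLE_METHOD, EXAMPLE_URL, EXAMPLE_PARAMS))
    print(example_signature())
```

The practical consequence for a service operator is the one the article draws: treat the consumer key of a native or mobile client as an identifier, not as an authenticator, and put rate limits and abuse controls on the user token rather than on the app identity.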


My name is Phil Nelson and I make beautiful objects for a troubled world. I'm a designer / developer / writer / director / editor / narrator at Occipital.
