2009/1/2 Cameron Kaiser <[email protected]>:
> So let's say Scoble is right. How, in fact, does OAuth prevent a bad
> actor from using credentials to act badly?
>
> OAuth solves many problems; it doesn't solve this one.
There are several problems to be solved, though.

The first is a malicious actor with access to a single system (in this case, Twitter) spamming. OAuth doesn't solve the problem of someone using an account to spam using messages from that user (unless that app doesn't need to message, and Twitter's OAuth implementation has granular permissions).

The second is a malicious actor with access to a single system gaining control of other systems that user has access to because they've used the same username and/or password. Whilst this is bad practice on the part of the user, we'd be silly to pretend that this isn't a large problem. OAuth *does* solve that problem, which is one of the problems in this scenario.

The third is a malicious actor with access to a single system locking the user out of their own account (by changing their password) and claiming the account for themselves (which has been known to happen with Gmail accounts, for example). Twitter, so far as I'm aware, doesn't allow changes of passwords via the API, and I would assume that an OAuth implementation would only allow access to the API, and not the web interface. Even were these things not the case, it wouldn't make sense to allow an OAuth client to change the user password. So OAuth does solve this problem, also.

Mark
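The reply above makes two distinct points about what a delegated token can and cannot do: with granular permissions, a token issued to an app that only reads cannot post messages; and account-control operations such as a password change are simply not reachable with a token at all, because no scope grants them. The following is an added example, not code from the thread or from Twitter's implementation, of a toy resource server that enforces exactly that. The scope names (`read`, `write`), the endpoint paths and the `ResourceServer` class are constructed for illustration; the page says nothing about Twitter's real scope model.

```python
"""Toy OAuth resource server enforcing token scopes (added example, not
from the thread). Shows why a leaked access token is less damaging than a
leaked password: it can only reach API endpoints covered by its scopes,
cannot reach account-control operations at all, and can be revoked alone."""
from dataclasses import dataclass, field
import secrets

# Hypothetical scopes, constructed for this demo.
READ = "read"
WRITE = "write"
KNOWN_SCOPES = frozenset({READ, WRITE})

# Endpoint -> scope required when the call carries an access token.
# Password change is deliberately absent from this table: no scope grants
# it, so a token holder gets "not_available_via_api" regardless of scopes.
ENDPOINT_SCOPE = {
    "GET /statuses/home_timeline": READ,   # hypothetical endpoint names
    "POST /statuses/update": WRITE,
    "POST /direct_messages/new": WRITE,
}


@dataclass(frozen=True)
class AccessToken:
    user: str
    scopes: frozenset


@dataclass
class ResourceServer:
    # token string -> AccessToken; a real server would persist and hash these
    tokens: dict = field(default_factory=dict)

    def issue(self, user: str, scopes) -> str:
        """Issue an opaque bearer token limited to the requested scopes.
        The third-party app never sees the user's password, which is the
        credential-reuse point from the reply."""
        unknown = set(scopes) - KNOWN_SCOPES
        if unknown:
            raise ValueError(f"unknown scopes requested: {sorted(unknown)}")
        token = secrets.token_urlsafe(32)
        self.tokens[token] = AccessToken(user, frozenset(scopes))
        return token

    def authorize(self, token: str, endpoint: str):
        """Decide whether `token` may call `endpoint`.
        Returns (allowed, reason); reasons are deliberately distinct so
        logs can tell a bad token from an over-reaching but valid one."""
        at = self.tokens.get(token)
        if at is None:
            return False, "invalid_token"
        needed = ENDPOINT_SCOPE.get(endpoint)
        if needed is None:
            # Unknown or web-only operation (e.g. password change): tokens
            # never qualify, independent of what scopes they carry.
            return False, "not_available_via_api"
        if needed not in at.scopes:
            return False, "insufficient_scope"
        return True, "ok"

    def revoke(self, token: str) -> bool:
        """Kill one app's access without touching the user's password or
        any other app's token."""
        return self.tokens.pop(token, None) is not None


def demo():
    """Walk through the three scenarios from the thread; returns a dict of
    (allowed, reason) results keyed by scenario name."""
    rs = ResourceServer()
    read_only = rs.issue("alice", {READ})
    read_write = rs.issue("alice", {READ, WRITE})
    results = {
        "read_only_timeline": rs.authorize(read_only, "GET /statuses/home_timeline"),
        "read_only_spam_attempt": rs.authorize(read_only, "POST /statuses/update"),
        "read_write_post": rs.authorize(read_write, "POST /statuses/update"),
        "token_password_change": rs.authorize(read_write, "POST /account/change_password"),
    }
    rs.revoke(read_write)  # user pulls the app's access; the other token survives
    results["after_revoke"] = rs.authorize(read_write, "POST /statuses/update")
    results["other_token_unaffected"] = rs.authorize(read_only, "GET /statuses/home_timeline")
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:28s} -> {outcome}")
```

The first scenario in the reply, an app with message permission spamming, is the one the code cannot prevent: `read_write_post` is allowed, because that is exactly what the user consented to. Everything else the reply describes as solved shows up as a denied call with a specific reason, and the revocation step shows the recovery path that a shared password does not offer.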
