On Sun, Jan 4, 2009 at 5:20 PM, Lachlan Hardy <[email protected]> wrote:

> > Those who expect OAuth to be a panacea for identity theft on Twitter
> > simply don't understand the issues involved. Operating a modern
> > computer involves a lot of trust - trusting applications you run on
> > your machine, trusting web sites you set up accounts on, and the like.
> > And when you trust, there's always the potential for getting burned.
> > OAuth doesn't change that fundamentally.
>
> I agree completely with your post, Ed. I put forward my thoughts on OAuth
> and phishing in April last year:
> http://log.lachstock.com.au/past/2008/4/1/phishing-fools/
>
> Basically, I think OAuth is awesome, but the idea that it's going to
> somehow stop phishing is extreme.

I don't get how it won't help fight phishing. Right now the worm is being spread via an app. (If it's not, then Twitter really needs a Captcha on the Twitter login page.) At the moment all Twitter can do is chase down IPs to kill the app. With OAuth it would be as simple as killing the API key itself, and the worm would be dead. Could they go in and create another one? Probably, but it makes it a whole lot harder for someone to create such a worm.

This is the reason most of the Facebook worms right now are spreading through simple screen scraping and not the App platform. It's too much work to do it on the App platform there because Facebook would just shut you down each time their alarms went off.

Jesse
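The revocation point Jesse makes above, shown as an added example that is not part of this thread and not Twitter's or any OAuth library's code. It is a minimal OAuth 1.0a-style resource server: each access token is bound to the consumer key of the app that obtained it, requests are signed with HMAC-SHA1 over the standard base string, and the server checks the consumer key's revoked flag before it even looks at the signature. Revoking one consumer key therefore kills every token that app ever obtained, for every user, in one step, while tokens belonging to other apps keep working. All app names, token values and the API URL are constructed sample data; nonce and timestamp replay checks are omitted to keep the example short.

```python
import base64
import hashlib
import hmac
import secrets
import time
from urllib.parse import quote, urlparse, urlunparse

# Constructed sample consumer registry (hypothetical apps, not real keys).
CONSUMERS = {
    "worm-app-key": {"secret": "worm-app-secret", "revoked": False},
    "good-client-key": {"secret": "good-client-secret", "revoked": False},
}

# Constructed sample access tokens; each one is bound to the consumer that obtained it.
ACCESS_TOKENS = {
    "tok-worm-alice": {"secret": "s1", "consumer": "worm-app-key", "user": "alice"},
    "tok-worm-bob": {"secret": "s2", "consumer": "worm-app-key", "user": "bob"},
    "tok-good-alice": {"secret": "s3", "consumer": "good-client-key", "user": "alice"},
}


def _enc(value):
    # RFC 3986 percent-encoding as OAuth 1.0a requires (only unreserved chars kept).
    return quote(str(value), safe="-._~")


def base_string(method, url, params):
    # Normalised URL (lowercase scheme and host, no query or fragment) plus sorted params.
    u = urlparse(url)
    norm_url = urlunparse((u.scheme.lower(), u.netloc.lower(), u.path, "", "", ""))
    pairs = sorted((str(k), str(v)) for k, v in params.items())
    norm_params = "&".join(f"{_enc(k)}={_enc(v)}" for k, v in pairs)
    return "&".join([method.upper(), _enc(norm_url), _enc(norm_params)])


def sign(method, url, params, consumer_secret, token_secret):
    # HMAC-SHA1 keyed with "consumer_secret&token_secret", base64-encoded.
    key = f"{_enc(consumer_secret)}&{_enc(token_secret)}".encode()
    mac = hmac.new(key, base_string(method, url, params).encode(), hashlib.sha1)
    return base64.b64encode(mac.digest()).decode()


def client_request(consumer_key, token, method, url, extra_params):
    """What an app does: build a request signed with its consumer secret and the user's token secret."""
    params = dict(extra_params)
    params.update({
        "oauth_consumer_key": consumer_key,
        "oauth_token": token,
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_timestamp": str(int(time.time())),
        "oauth_nonce": secrets.token_hex(8),
        "oauth_version": "1.0",
    })
    params["oauth_signature"] = sign(
        method, url, params, CONSUMERS[consumer_key]["secret"], ACCESS_TOKENS[token]["secret"])
    return method, url, params


def verify_request(method, url, params):
    """What the API does. Returns (accepted, reason). The consumer-level kill switch comes first."""
    params = dict(params)
    sig = params.pop("oauth_signature", None)
    if sig is None:
        return False, "missing signature"
    consumer = CONSUMERS.get(params.get("oauth_consumer_key"))
    if consumer is None:
        return False, "unknown consumer"
    if consumer["revoked"]:
        return False, "consumer key revoked"
    token = ACCESS_TOKENS.get(params.get("oauth_token"))
    if token is None or token["consumer"] != params["oauth_consumer_key"]:
        return False, "unknown token or token not issued to this consumer"
    expected = sign(method, url, params, consumer["secret"], token["secret"])
    if not hmac.compare_digest(expected, sig):
        return False, "bad signature"
    return True, f"ok: {token['user']} via {params['oauth_consumer_key']}"


def revoke_consumer(consumer_key):
    # One flag flip disables every token the app holds, for every user.
    CONSUMERS[consumer_key]["revoked"] = True


def demo():
    url = "https://api.example.invalid/1/statuses/update.json"
    results = {}
    req = client_request("worm-app-key", "tok-worm-alice", "POST", url, {"status": "check this out"})
    results["worm_before"] = verify_request(*req)[0]
    revoke_consumer("worm-app-key")
    req = client_request("worm-app-key", "tok-worm-bob", "POST", url, {"status": "still spreading"})
    results["worm_after"] = verify_request(*req)[0]
    req = client_request("good-client-key", "tok-good-alice", "POST", url, {"status": "hello"})
    results["good_after"] = verify_request(*req)[0]
    return results


if __name__ == "__main__":
    print(demo())
```

The contrast with a password-based worm is the revoke_consumer step: an app that logs in with harvested usernames and passwords has no key to revoke, so the operator is left chasing source IPs, exactly as the message describes. Note that the signed request is still built by the worm after revocation; the point is that the server refuses it without needing to reset any user's password.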
