As stated above, some applications were sending invalid signatures which we
were accepting as valid. This vulnerability was pointed out by a developer.

Some libraries and code which may have previously worked may be broken by
this security fix.

Thanks,
Doug

On Mon, Jul 27, 2009 at 7:44 PM, Duane Roelands <duane.roela...@gmail.com> wrote:

>
> I am receiving 401 (Unauthorized) when calling
> http://twitter.com/statuses/update.xml
> and passing the following querystring:
>
> oauth_consumer_key=[removed]
> &oauth_nonce=912352&oauth_signature_method=HMAC-
> SHA1&oauth_timestamp=1248748647&oauth_token=19068738-
> hKO8qRlHPfJWqRHRkd62dGb4IiyXaXUy35Cqz58&oauth_version=1.0&status=This
> +is+a+test&oauth_signature=Fl0kqJdHY5MkvxjUZQ%2bFn%2fxGORo%3d
>
> This code was working this afternoon and has not been changed.
>
> On Jul 27, 10:38 pm, goodtest <goodtest...@gmail.com> wrote:
> > Are we sure there is no further regression bug in this new fix?
> >
> > On Jul 27, 7:14 pm, Doug Williams <d...@twitter.com> wrote:
> >
> >
> >
> > > If you are still seeing errors you should check your code to ensure
> that you
> > > are sending the correct signature.
> > > Thanks,
> > > Doug
> >
> > > On Mon, Jul 27, 2009 at 7:10 PM, winrich <winric...@gmail.com> wrote:
> >
> > > > mine broke too. i wonder though, i'm using the oauth python libraries
> >
> > > > On Jul 27, 6:35 pm, chinaski007 <chinaski...@gmail.com> wrote:
> > > > > Doug:
> >
> > > > > Does this mean that Marcel made a fix for this?  Or rather that we
> > > > > should examine our code to find the culprit?
> >
> > > > > Thanks,
> > > > > Peter Bray
> >
> > > > > On Jul 27, 6:24 pm, Doug Williams <d...@twitter.com> wrote:
> >
> > > > > > Updating you guys on this problem. A bug was reported off list
> that
> > > > informed
> > > > > > us we were not always verifying signatures. Today we shipped a
> fix for
> > > > this
> > > > > > problem which ensures that we are correctly verifying signatures.
> > > > > > If you are still seeing invalid signature errors you should
> examine
> > > > > > your code and ensure you are correctly signing requests
> > > > > > as per the spec.
> > > > > > Thanks,
> > > > > > Doug
> >
> > > > > > On Mon, Jul 27, 2009 at 6:05 PM, Doug Williams <d...@twitter.com
> >
> > > > wrote:
> > > > > > > Marcel is shipping a fix for this as I type.
> >
> > > > > > > Thanks,
> > > > > > > Doug
> >
> > > > > > > 2009/7/27 João Pereira <joaomiguel.pere...@gmail.com>
> >
> > > > > > > Same here.
> >
> > > > > > >> On Tue, Jul 28, 2009 at 1:26 AM, goodtest <
> goodtest...@gmail.com>
> > > > wrote:
> >
> > > > > > >>> twitter api server seems to be down (getting invalid
> signature)
> > > > since
> > > > > > >>> 5.15 pm pst
>
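
The server-side check this thread is about (accept a request only when its oauth_signature matches one recomputed from the request), as an added example that is not code from this thread or from Twitter. It follows the OAuth 1.0 HMAC-SHA1 signing rules; the URL, secrets and parameter values are constructed, and the function names are this example's own.

```python
import base64
import hashlib
import hmac
from urllib.parse import parse_qsl, quote, urlencode

def pct(value):
    """OAuth 1.0 percent-encoding: only unreserved characters stay literal."""
    return quote(value, safe="-._~")

def base_string(method, url, params):
    """Signature base string; url is assumed already normalized, without a query."""
    pairs = sorted((pct(k), pct(v)) for k, v in params if k != "oauth_signature")
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), pct(url), pct(normalized)])

def sign(method, url, params, consumer_secret, token_secret):
    """HMAC-SHA1 over the base string, keyed with both secrets, base64-encoded."""
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    mac = hmac.new(key, base_string(method, url, params).encode(), hashlib.sha1)
    return base64.b64encode(mac.digest()).decode()

def verify(method, url, query, consumer_secret, token_secret):
    """Return True only when exactly one signature is present and it matches."""
    params = parse_qsl(query, keep_blank_values=True)
    supplied = [v for k, v in params if k == "oauth_signature"]
    methods = [v for k, v in params if k == "oauth_signature_method"]
    if len(supplied) != 1 or methods != ["HMAC-SHA1"]:
        return False  # missing, duplicated or unsupported: fail closed
    expected = sign(method, url, params, consumer_secret, token_secret)
    # Constant-time comparison, so timing does not reveal matching prefixes.
    return hmac.compare_digest(expected.encode(), supplied[0].encode())

# Constructed sample values (not real credentials, not taken from the thread).
URL = "http://api.example.test/statuses/update.xml"
CONSUMER_SECRET, TOKEN_SECRET = "constructed-consumer-secret", "constructed-token-secret"
PARAMS = [("oauth_consumer_key", "constructed-key"), ("oauth_nonce", "n0nce"),
          ("oauth_signature_method", "HMAC-SHA1"), ("oauth_timestamp", "1248700000"),
          ("oauth_token", "constructed-token"), ("oauth_version", "1.0"),
          ("status", "This is a test")]

def signed_query(params=PARAMS):
    """Client side: sign the parameters and serialize them as a query string."""
    sig = sign("POST", URL, params, CONSUMER_SECRET, TOKEN_SECRET)
    return urlencode(params + [("oauth_signature", sig)])

if __name__ == "__main__":
    good = signed_query()
    print(verify("POST", URL, good, CONSUMER_SECRET, TOKEN_SECRET))
    print(verify("GET", URL, good, CONSUMER_SECRET, TOKEN_SECRET))
```

A client whose signature was computed over a differently encoded or differently ordered parameter set will fail this check even though its secrets are correct.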
