<< Does User Bob see two separate entries for OAuth App Foo in his list
of authorized apps in Twitter, or only one? >>

It's only one.

<<If he sees only one, how will he know that Phishing Dude has also
authorized his own slimy copy of OAuth App Foo to work on User Bob's
account? >>

AFAIK there is no way to detect that.


On Wed, Oct 14, 2009 at 5:29 PM, Dewald Pretorius <dpr...@gmail.com> wrote:

>
> Here's another question.
>
> User Bob installs OAuth App Foo on his desktop, and he authorizes
> access to it.
>
> Then he installs the app on his laptop and authorizes access to it.
>
> Does User Bob see two separate entries for OAuth App Foo in his list
> of authorized apps in Twitter, or only one?
>
> If he sees two, how does he know which one is which?
>
> If he sees only one, how will he know that Phishing Dude has also
> authorized his own slimy copy of OAuth App Foo to work on User Bob's
> account?
>
> Dewald
>
> On Oct 14, 4:46 am, Chris Babcock <cbabc...@kolonelpanic.org> wrote:
> > On Tue, 13 Oct 2009 23:48:13 -0700 (PDT)
> >
> > ruckuus <ruck...@gmail.com> wrote:
> > > Is there anyone who has experience hijacking a Twitter account?
> >
> > The security profile of a Twitter account is no different than that of
> > many other on-line services. The major weaknesses are signing in over
> > HTTP, accepting insecure cookies for account modifications and password
> > 'reminders' (actually replacements) by email.
> >
> > > Well, the story is really weird. A celebrity's account was
> > > hijacked (password stolen, etc.), and then he created a new account
> > > and told the world that he could do something in his old account, e.g.
> > > send a new tweet as usual.
> >
> > > This case is the same as: Bob can tweet in Alice's timeline. Can Bob
> > > do that? This is almost a very stupid question, and the answer is:
> > > IMPOSSIBLE, or possible with an 'if'...?
> >
> > There are a couple of scenarios.
> >
> > The thing that gets overlooked in these discussions is how these
> > situations benefit the attacker. It's not a technical challenge, so
> > there's no Cracker Glory in it. There's no money involved. Twitter could
> > always return control of a hijacked account manually. It's a risk
> > without reward. Most anyone suitably incentivized to run exploits would
> > be better served by attacking the service as a whole anonymously than
> > attacking one account.
> >
> > > To make a long story short, I am developing a Twitter client in C, and
> > > I am implementing OAuth with liboauth, and I feel I do not deeply
> > > understand OAuth in the case above (hijack vulnerability).
> >
> > If you use OAuth with a desktop client, you are distributing your
> > secret key with the application. Users should not assume that an
> > authorization request for your app is from their copy of the app
> > unless they initiated the transaction.
> >
> > Chris Babcock
>

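Chris's point above, that a desktop client ships its consumer secret and so a copy of the app is indistinguishable from the genuine one, as an added example that is not code from the thread or from liboauth: a minimal OAuth 1.0a HMAC-SHA1 request-token leg in Python, with both the client signing step and the server verification step. The consumer key, consumer secret, endpoint URL, timestamp and nonce are constructed values.

```python
# Added example, not code from the thread or from liboauth. It models the OAuth 1.0a
# HMAC-SHA1 request-token leg (RFC 5849) to show why a server cannot tell a genuine
# desktop client from a copy that carries the same embedded consumer key and secret.
import base64
import hashlib
import hmac
from urllib.parse import quote

# Constructed registration record: what "OAuth App Foo" shipped inside its binary.
REGISTERED_APPS = {"foo-consumer-key": {"name": "OAuth App Foo", "secret": "foo-consumer-secret"}}
REQUEST_TOKEN_URL = "https://example.com/oauth/request_token"  # constructed endpoint

def pct(value):
    """RFC 5849 section 3.6 percent-encoding: only the RFC 3986 unreserved set is left as-is."""
    return quote(str(value), safe="-._~")

def signature_base_string(method, url, params):
    """METHOD & encoded URL & encoded, sorted 'k=v&k=v' parameter string (RFC 5849 3.4.1)."""
    pairs = sorted((pct(k), pct(v)) for k, v in params.items())
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), pct(url), pct(normalized)])

def hmac_sha1_signature(method, url, params, consumer_secret, token_secret=""):
    """Signing key is 'consumer_secret&token_secret'; the token secret is empty on the first leg."""
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    base = signature_base_string(method, url, params).encode()
    return base64.b64encode(hmac.new(key, base, hashlib.sha1).digest()).decode()

def sign_request(consumer_key, consumer_secret, method, url, params, timestamp, nonce):
    """Client side: add the oauth_* protocol parameters and sign the whole parameter set."""
    signed = dict(params, oauth_consumer_key=consumer_key, oauth_signature_method="HMAC-SHA1",
                  oauth_timestamp=str(timestamp), oauth_nonce=nonce, oauth_version="1.0")
    signed["oauth_signature"] = hmac_sha1_signature(method, url, signed, consumer_secret)
    return signed

def server_verify(method, url, params, registered=REGISTERED_APPS):
    """Server side: recompute the signature from the registered secret; return the app name or None.
    All the server can identify is the consumer key, not which installation used it."""
    app = registered.get(params.get("oauth_consumer_key"))
    if app is None or "oauth_signature" not in params:
        return None
    unsigned = {k: v for k, v in params.items() if k != "oauth_signature"}
    expected = hmac_sha1_signature(method, url, unsigned, app["secret"])
    return app["name"] if hmac.compare_digest(expected, params["oauth_signature"]) else None

def who_does_the_server_see(consumer_secret, timestamp=1255555555, nonce="7d8f3e4a"):
    """Any client holding the consumer credentials gets the same answer: 'OAuth App Foo'."""
    req = sign_request("foo-consumer-key", consumer_secret, "POST", REQUEST_TOKEN_URL,
                       {"oauth_callback": "oob"}, timestamp, nonce)
    return server_verify("POST", REQUEST_TOKEN_URL, req)
```

Two installations (or a copied binary) signing with the same consumer credentials produce byte-identical requests, which is why the server records one authorization per consumer key and the user sees one entry; the user's own initiation of the flow is the only signal that the request came from their copy.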