<< Does User Bob see two separate entries for OAuth App Foo in his list of authorized apps in Twitter, or only one? >>

It's only one.

<< If he sees only one, how will he know that Phishing Dude has also authorized his own slimy copy of OAuth App Foo to work on User Bob's account? >>

AFAIK there is no way to detect that.

On Wed, Oct 14, 2009 at 5:29 PM, Dewald Pretorius <[email protected]> wrote:
>
> Here's another question.
>
> User Bob installs OAuth App Foo on his desktop, and he authorizes access to it.
>
> Then he installs the app on his laptop and authorizes access to it.
>
> Does User Bob see two separate entries for OAuth App Foo in his list of authorized apps in Twitter, or only one?
>
> If he sees two, how does he know which one is which?
>
> If he sees only one, how will he know that Phishing Dude has also authorized his own slimy copy of OAuth App Foo to work on User Bob's account?
>
> Dewald
>
> On Oct 14, 4:46 am, Chris Babcock <[email protected]> wrote:
> > On Tue, 13 Oct 2009 23:48:13 -0700 (PDT)
> >
> > ruckuus <[email protected]> wrote:
> > > Is there anyone who has experience hijacking a Twitter account?
> >
> > The security profile of a Twitter account is no different than that of many other on-line services. The major weaknesses are signing in over HTTP, accepting insecure cookies for account modifications and password 'reminders' (actually replacements) by email.
> >
> > > Well, the story is really weird. There is a celebrity's account hijacked (password stolen, etc), and then he created a new account, then told the world that he could do something in his old account, e.g. sending a new tweet as usual.
> > >
> > > This case is the same with: Bob can tweet in Alice's timeline. Can Bob do that? This is almost a very stupid question, and the answer is: IMPOSSIBLE, or possible with an 'if' ...?
> >
> > There are a couple of scenarios.
> >
> > The thing that gets overlooked in these discussions is how these situations benefit the attacker. It's not a technical challenge, so there's no Cracker Glory in it. There's no money involved. Twitter could always return control of a hijacked account manually. It's a risk without reward. Most anyone suitably incentivized to run exploits would be better served by attacking the service as a whole anonymously than attacking one account.
> >
> > > To make a long story short, I am developing a Twitter client in C, and I am implementing OAuth with liboauth, and I feel I do not deeply understand OAuth in the case above (hijack vulnerability).
> >
> > If you use OAuth with a desktop client, you are distributing your secret key with the application. Users should not assume that an authorization request for your app is from their copy of the app unless they initiated the transaction.
> >
> > Chris Babcock
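To make Chris's last point concrete, here is an added example (not code from the thread, liboauth, or Twitter): a minimal OAuth 1.0 HMAC-SHA1 signer next to a provider-side verifier. The consumer key, secrets, tokens and URL are constructed placeholders. The verifier can only establish that a request was signed with the consumer secret registered for App Foo, so Bob's desktop copy, Bob's laptop copy and any other copy of the same binary all resolve to the same single "authorized app" entry; the only thing it does reject is a request whose signer lacked the secret or whose parameters were altered after signing.

```python
import base64
import hashlib
import hmac
from urllib.parse import quote

URL = "https://provider.example/1/statuses/update.json"  # constructed endpoint
CONSUMERS = {"foo-key": "foo-secret"}               # registered app -> consumer secret
TOKENS = {"bob-desktop": "s1", "bob-laptop": "s2"}  # Bob's access tokens -> token secret


def pct(value):
    # RFC 5849 section 3.6: only unreserved characters stay unencoded.
    return quote(str(value), safe="-._~")


def base_string(method, url, params):
    # Normalise: percent-encode keys/values, sort by key then value, join with & (3.4.1.3).
    pairs = sorted((pct(k), pct(v)) for k, v in params.items())
    normalised = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), pct(url), pct(normalised)])


def sign(method, url, params, consumer_secret, token_secret=""):
    # HMAC-SHA1 keyed with "consumer_secret&token_secret", base64 encoded (3.4.2).
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    mac = hmac.new(key, base_string(method, url, params).encode(), hashlib.sha1)
    return base64.b64encode(mac.digest()).decode()


def make_request(consumer_secret, token, token_secret, status):
    # What any installed copy of App Foo sends; the consumer secret came with the binary.
    params = {"oauth_consumer_key": "foo-key", "oauth_token": token,
              "oauth_signature_method": "HMAC-SHA1", "oauth_timestamp": "1255555555",
              "oauth_nonce": "n1", "oauth_version": "1.0", "status": status}
    params["oauth_signature"] = sign("POST", URL, params, consumer_secret, token_secret)
    return params


def provider_verify(method, url, params):
    """Return the consumer key whose secret signed this request, or None."""
    sent = params.get("oauth_signature")
    consumer_secret = CONSUMERS.get(params.get("oauth_consumer_key"))
    token_secret = TOKENS.get(params.get("oauth_token"))
    if sent is None or consumer_secret is None or token_secret is None:
        return None
    unsigned = {k: v for k, v in params.items() if k != "oauth_signature"}
    expected = sign(method, url, unsigned, consumer_secret, token_secret)
    # Constant-time compare. A match proves possession of the secrets and nothing about
    # which machine, or whose copy of the app, produced the request.
    return params["oauth_consumer_key"] if hmac.compare_digest(sent, expected) else None
```

Real providers also check the nonce and timestamp against replay, which this sketch omits; that check still does not help tell one copy of the binary from another.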
