So this is a problem with web apps as well then.

If User Bob authorized Web App to work on his account, and Phishing
Dude also authorizes his Web App account to work on User Bob's Twitter
account because he phished User Bob's Twitter username and password,
User Bob is blissfully unaware of that?

Dewald

On Oct 14, 11:27 am, srikanth reddy <[email protected]> wrote:
> << Does User Bob see two separate entries for OAuth App Foo in his list
> of authorized apps in Twitter, or only one? >>
>
> It's only one.
>
> <<If he sees only one, how will he know that Phishing Dude has also
> authorized his own slimy copy of OAuth App Foo to work on User Bob's
> account? >>
> AFAIK there is no way to detect that.
>
> On Wed, Oct 14, 2009 at 5:29 PM, Dewald Pretorius <[email protected]> wrote:
>
> > Here's another question.
>
> > User Bob installs OAuth App Foo on his desktop, and he authorizes
> > access to it.
>
> > Then he installs the app on his laptop and authorizes access to it.
>
> > Does User Bob see two separate entries for OAuth App Foo in his list
> > of authorized apps in Twitter, or only one?
>
> > If he sees two, how does he know which one is which?
>
> > If he sees only one, how will he know that Phishing Dude has also
> > authorized his own slimy copy of OAuth App Foo to work on User Bob's
> > account?
>
> > Dewald
>
> > On Oct 14, 4:46 am, Chris Babcock <[email protected]> wrote:
> > > On Tue, 13 Oct 2009 23:48:13 -0700 (PDT)
>
> > > ruckuus <[email protected]> wrote:
> > > > Is there anyone who has experience hijacking a Twitter account?
>
> > > The security profile of a Twitter account is no different than that of
> > > many other on-line services. The major weaknesses are signing in over
> > > HTTP, accepting insecure cookies for account modifications and password
> > > 'reminders' (actually replacements) by email.
>
> > > > Well, the story is really weird. There is a celebrity's account that was
> > > > hijacked (password stolen, etc.), and then he created a new account and
> > > > told the world that he could still do something in his old account, e.g.
> > > > send a new tweet as usual.
>
> > > > This case is the same as: Bob can tweet in Alice's timeline. Can Bob
> > > > do that? This is almost a very stupid question, and the answer is:
> > > > IMPOSSIBLE, or possible with an 'if' ...?
>
> > > There are a couple of scenarios.
>
> > > The thing that gets overlooked in these discussions is how these
> > > situations benefit the attacker. It's not a technical challenge, so
> > > there's no Cracker Glory in it. There's no money involved. Twitter could
> > > always return control of a hijacked account manually. It's a risk
> > > without reward. Most anyone suitably incentivized to run exploits would
> > > be better served by attacking the service as a whole anonymously than
> > > attacking one account.
>
> > > > To make a long story short, I am developing a Twitter client in C, and I
> > > > am implementing OAuth with liboauth, and I feel I do not deeply
> > > > understand OAuth in the case above (hijack vulnerability).
>
> > > If you use OAuth with a desktop client, you are distributing your
> > > secret key with the application. Users should not assume that an
> > > authorization request for your app is from their copy of the app
> > > unless they initiated the transaction.
>
> > > Chris Babcock

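The point Chris Babcock makes at the end of the thread, and the "it's only one" answer from srikanth reddy, can be seen in code. The following is an added example, not code from the thread, from liboauth or from Twitter: a toy OAuth 1.0a consumer and provider in Python with RFC 5849 HMAC-SHA1 signing. The provider keys its "authorized apps" view by consumer key, so three copies of the same desktop app (Bob's desktop, Bob's laptop, and a phisher's copy that carries the same baked-in consumer key/secret and was authorized with Bob's phished password) end up holding three distinct access tokens while Bob's settings page lists a single entry. The URLs, app name and user name are made up, and replay protection (nonce/timestamp checks) is deliberately left out.

```python
"""Toy OAuth 1.0a consumer + provider (added example; not liboauth, not Twitter).
Shows that a shipped consumer key/secret identifies the app, not the copy."""
import base64, hashlib, hmac, secrets, time
from urllib.parse import quote

REQUEST_URL = "https://api.example.test/oauth/request_token"  # hypothetical
ACCESS_URL = "https://api.example.test/oauth/access_token"    # hypothetical

def pct(s):
    """RFC 5849 section 3.6 percent-encoding: only unreserved chars kept."""
    return quote(str(s), safe="-._~")

def base_string(method, url, params):
    """RFC 5849 section 3.4.1: METHOD&enc(url)&enc(sorted 'k=v' pairs), signature excluded."""
    pairs = sorted((pct(k), pct(v)) for k, v in params.items() if k != "oauth_signature")
    return "&".join([method.upper(), pct(url), pct("&".join(f"{k}={v}" for k, v in pairs))])

def hmac_sha1(consumer_secret, token_secret, method, url, params):
    """HMAC-SHA1 over the base string; key is enc(consumer_secret)&enc(token_secret)."""
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    mac = hmac.new(key, base_string(method, url, params).encode(), hashlib.sha1).digest()
    return base64.b64encode(mac).decode()

class Provider:
    """Minimal provider: registered consumers, request/access tokens, per-user app list."""
    def __init__(self):
        self.consumers = {}       # consumer_key -> (app name, consumer_secret)
        self.request_tokens = {}  # token -> [token_secret, consumer_key, user, verifier]
        self.access_tokens = {}   # token -> (token_secret, consumer_key, user)

    def register_consumer(self, app_name):
        key, secret = secrets.token_hex(8), secrets.token_hex(16)
        self.consumers[key] = (app_name, secret)
        return key, secret

    def _verify(self, method, url, params, token_secret=""):
        ck = params.get("oauth_consumer_key")
        if ck not in self.consumers:
            raise PermissionError("unknown consumer key")
        expected = hmac_sha1(self.consumers[ck][1], token_secret, method, url, params)
        if not hmac.compare_digest(params.get("oauth_signature", ""), expected):
            raise PermissionError("bad signature")
        return ck

    def request_token(self, method, url, params):
        ck = self._verify(method, url, params)
        tok, sec = secrets.token_hex(8), secrets.token_hex(8)
        self.request_tokens[tok] = [sec, ck, None, None]
        return tok, sec

    def authorize(self, request_token, user):
        """The browser step. Anyone who can log in as `user` (a phisher included) can
        complete it; the provider cannot tell which copy of the app minted the token."""
        verifier = secrets.token_hex(4)
        self.request_tokens[request_token][2:] = [user, verifier]
        return verifier

    def access_token(self, method, url, params):
        rt = params.get("oauth_token")
        rt_secret, rt_consumer, user, verifier = self.request_tokens[rt]
        ck = self._verify(method, url, params, rt_secret)
        if ck != rt_consumer or user is None or params.get("oauth_verifier") != verifier:
            raise PermissionError("request token not authorized")
        del self.request_tokens[rt]
        at, at_secret = secrets.token_hex(8), secrets.token_hex(8)
        self.access_tokens[at] = (at_secret, ck, user)
        return at, at_secret

    def authorized_apps(self, user):
        """What the settings page shows: one row per consumer key, however many tokens."""
        return sorted({self.consumers[ck][0] for _, ck, u in self.access_tokens.values() if u == user})

class Client:
    """One installed copy of the desktop app, holding the key/secret shipped in the binary."""
    def __init__(self, provider, consumer_key, consumer_secret):
        self.p, self.ck, self.cs = provider, consumer_key, consumer_secret

    def _params(self, **extra):
        p = {"oauth_consumer_key": self.ck, "oauth_nonce": secrets.token_hex(8),
             "oauth_signature_method": "HMAC-SHA1", "oauth_timestamp": str(int(time.time()))}
        p.update(extra)
        return p

    def obtain_access_token(self, user):
        p = self._params(oauth_callback="oob")
        p["oauth_signature"] = hmac_sha1(self.cs, "", "POST", REQUEST_URL, p)
        rt, rt_secret = self.p.request_token("POST", REQUEST_URL, p)
        verifier = self.p.authorize(rt, user)  # whoever holds the password clicks Allow
        p = self._params(oauth_token=rt, oauth_verifier=verifier)
        p["oauth_signature"] = hmac_sha1(self.cs, rt_secret, "POST", ACCESS_URL, p)
        return self.p.access_token("POST", ACCESS_URL, p)

def scenario():
    """Bob's desktop, Bob's laptop and Phishing Dude's copy all authorize for 'bob'."""
    twitter = Provider()
    ck, cs = twitter.register_consumer("OAuth App Foo")   # extracted from the binary
    copies = [Client(twitter, ck, cs) for _ in range(3)]   # desktop, laptop, phisher
    tokens = [c.obtain_access_token("bob") for c in copies]
    return twitter, ck, tokens

if __name__ == "__main__":
    twitter, ck, tokens = scenario()
    print(len(tokens), "access tokens, settings page shows:", twitter.authorized_apps("bob"))
```

Running `scenario()` yields three distinct access tokens but `authorized_apps("bob")` returns the single entry `["OAuth App Foo"]`, which is exactly why Bob cannot see the third copy from his settings page. A copy with a wrong consumer secret is rejected at the request-token step, so the secret does gate access; it just gates it for everyone who has extracted it from the same binary.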