Yes. The risk is high with desktop apps, as consumer secrets/keys are distributed.
On Wed, Oct 14, 2009 at 8:04 PM, Dewald Pretorius <[email protected]> wrote:
>
> So this is a problem with web apps as well then.
>
> If User Bob authorized Web App to work on his account, and Phishing
> Dude also authorizes his Web App account to work on User Bob's Twitter
> account because he phished User Bob's Twitter username and password,
> User Bob is blissfully unaware of that?
>
> Dewald
>
> On Oct 14, 11:27 am, srikanth reddy <[email protected]> wrote:
> > << Does User Bob see two separate entries for OAuth App Foo in his list
> > of authorized apps in Twitter, or only one? >>
> >
> > It's only one.
> >
> > << If he sees only one, how will he know that Phishing Dude has also
> > authorized his own slimy copy of OAuth App Foo to work on User Bob's
> > account? >>
> >
> > AFAIK there is no way to detect that.
> >
> > On Wed, Oct 14, 2009 at 5:29 PM, Dewald Pretorius <[email protected]> wrote:
> > >
> > > Here's another question.
> > >
> > > User Bob installs OAuth App Foo on his desktop, and he authorizes
> > > access to it.
> > >
> > > Then he installs the app on his laptop and authorizes access to it.
> > >
> > > Does User Bob see two separate entries for OAuth App Foo in his list
> > > of authorized apps in Twitter, or only one?
> > >
> > > If he sees two, how does he know which one is which?
> > >
> > > If he sees only one, how will he know that Phishing Dude has also
> > > authorized his own slimy copy of OAuth App Foo to work on User Bob's
> > > account?
> > >
> > > Dewald
> > >
> > > On Oct 14, 4:46 am, Chris Babcock <[email protected]> wrote:
> > > > On Tue, 13 Oct 2009 23:48:13 -0700 (PDT)
> > > > ruckuus <[email protected]> wrote:
> > > >
> > > > > Is there anyone who has experience hijacking a Twitter account?
> > > >
> > > > The security profile of a Twitter account is no different than that of
> > > > many other on-line services. The major weaknesses are signing in over
> > > > HTTP, accepting insecure cookies for account modifications, and password
> > > > 'reminders' (actually replacements) by email.
> > > >
> > > > > Well, the story is really weird. A celebrity's account was
> > > > > hijacked (password stolen, etc.), and then he created a new account
> > > > > and told the world that he could do something in his old account, e.g.
> > > > > sending a new tweet as usual.
> > > > >
> > > > > This case is the same as: Bob can tweet in Alice's timeline. Can Bob
> > > > > do that? This is almost a very stupid question, and the answer is:
> > > > > IMPOSSIBLE, or possible with an 'if' ...?
> > > >
> > > > There are a couple of scenarios.
> > > >
> > > > The thing that gets overlooked in these discussions is how these
> > > > situations benefit the attacker. It's not a technical challenge, so
> > > > there's no Cracker Glory in it. There's no money involved. Twitter could
> > > > always return control of a hijacked account manually. It's a risk
> > > > without reward. Most anyone suitably incentivized to run exploits would
> > > > be better served by attacking the service as a whole anonymously than
> > > > attacking one account.
> > > >
> > > > > To make a long story short, I am developing a Twitter client in C, and I
> > > > > am implementing OAuth with liboauth, and I feel I do not deeply
> > > > > understand OAuth in the case above (hijack vulnerability).
> > > >
> > > > If you use OAuth with a desktop client, you are distributing your
> > > > secret key with the application. Users should not assume that an
> > > > authorization request for your app is from their copy of the app
> > > > unless they initiated the transaction.
> > > >
> > > > Chris Babcock
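Chris Babcock's last point, that a desktop client distributes the consumer secret, in an added Python example that is not code from this thread or from liboauth; the credentials, the endpoint URL and the toy credential store are constructed. It implements OAuth 1.0a HMAC-SHA1 signing per RFC 5849 and shows that two copies of the app carrying the same consumer key/secret produce identical signatures, so the provider's verification, which only recomputes the HMAC, has nothing to tell them apart by.

```python
import base64
import hashlib
import hmac
from urllib.parse import quote

# Constructed sample credentials and a placeholder endpoint, not real values.
CONSUMER_KEY = "ckey"
CONSUMER_SECRET = "csecret"  # embedded in every installed copy of the app
BOB_TOKEN = "btoken"         # Bob's access token, issued when he authorized the app
BOB_TOKEN_SECRET = "bsecret"
URL = "https://example.com/statuses/update.json"

def pct(value):
    """RFC 5849 percent-encoding: only unreserved characters stay as-is."""
    return quote(str(value), safe="-._~")

def base_string(method, url, params):
    """Signature base string: METHOD & enc(URL) & enc(sorted normalized params)."""
    pairs = sorted((pct(k), pct(v)) for k, v in params.items())
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), pct(url), pct(normalized)])

def sign(method, url, params, consumer_secret, token_secret):
    """HMAC-SHA1 over the base string, keyed with consumer secret & token secret."""
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    mac = hmac.new(key, base_string(method, url, params).encode(), hashlib.sha1)
    return base64.b64encode(mac.digest()).decode()

def build_request(status, nonce, timestamp):
    """What any copy of the app holding the consumer secret sends on Bob's behalf."""
    params = {
        "oauth_consumer_key": CONSUMER_KEY,
        "oauth_nonce": nonce,
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_timestamp": timestamp,
        "oauth_token": BOB_TOKEN,
        "oauth_version": "1.0",
        "status": status,
    }
    params["oauth_signature"] = sign("POST", URL, params, CONSUMER_SECRET, BOB_TOKEN_SECRET)
    return params

def server_verify(params):
    """Provider side: recompute the HMAC from stored secrets; nothing here identifies the copy."""
    consumer_secrets = {CONSUMER_KEY: CONSUMER_SECRET}  # toy credential store
    token_secrets = {BOB_TOKEN: BOB_TOKEN_SECRET}
    unsigned = {k: v for k, v in params.items() if k != "oauth_signature"}
    expected = sign("POST", URL, unsigned, consumer_secrets[params["oauth_consumer_key"]],
                    token_secrets[params["oauth_token"]])
    return hmac.compare_digest(expected, params["oauth_signature"])
```

A request built by Bob's own install and one built by any other copy of the binary, given the same fields, are byte-identical on the wire, which is why the provider's list of authorized apps can only show one entry per consumer key.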
