Yes. The risk is high with desktop apps, as consumer secrets/keys are
distributed.

On Wed, Oct 14, 2009 at 8:04 PM, Dewald Pretorius <dpr...@gmail.com> wrote:

>
> So this is a problem with web apps as well then.
>
> If User Bob authorized Web App to work on his account, and Phishing
> Dude also authorizes his Web App account to work on User Bob's Twitter
> account because he phished User Bob's Twitter username and password,
> User Bob is blissfully unaware of that?
>
> Dewald
>
> On Oct 14, 11:27 am, srikanth reddy <srikanth.yara...@gmail.com>
> wrote:
> > << Does User Bob see two separate entries for OAuth App Foo in his list
> > of authorized apps in Twitter, or only one? >>
> >
> > It's only one.
> >
> > <<If he sees only one, how will he know that Phishing Dude has also
> > authorized his own slimy copy of OAuth App Foo to work on User Bob's
> > account? >>
> > AFAIK there is no way to detect that.
> >
> > On Wed, Oct 14, 2009 at 5:29 PM, Dewald Pretorius <dpr...@gmail.com>
> > wrote:
> >
> > > Here's another question.
> >
> > > User Bob installs OAuth App Foo on his desktop, and he authorizes
> > > access to it.
> >
> > > Then he installs the app on his laptop and authorizes access to it.
> >
> > > Does User Bob see two separate entries for OAuth App Foo in his list
> > > of authorized apps in Twitter, or only one?
> >
> > > If he sees two, how does he know which one is which?
> >
> > > If he sees only one, how will he know that Phishing Dude has also
> > > authorized his own slimy copy of OAuth App Foo to work on User Bob's
> > > account?
> >
> > > Dewald
> >
> > > On Oct 14, 4:46 am, Chris Babcock <cbabc...@kolonelpanic.org> wrote:
> > > > On Tue, 13 Oct 2009 23:48:13 -0700 (PDT)
> >
> > > > ruckuus <ruck...@gmail.com> wrote:
> > > > > Is there anyone who has experience with hijacking a Twitter account?
> >
> > > > The security profile of a Twitter account is no different than that
> > > > of many other on-line services. The major weaknesses are signing in
> > > > over HTTP, accepting insecure cookies for account modifications and
> > > > password 'reminders' (actually replacements) by email.
> >
> > > > > well, the story is really weird. There is a celebrity's account
> > > > > hijacked (password stolen, etc), and then he created a new account,
> > > > > then told the world that he could do something in his old account,
> > > > > e.g. sending a new tweet as usual.
> >
> > > > > This case is the same with: Bob can tweet in Alice's timeline. Can
> > > > > Bob do that? This is almost a very stupid question, and the answer
> > > > > is: IMPOSSIBLE, or possible with an 'if' ...?
> >
> > > > There are a couple scenarios.
> >
> > > > The thing that gets overlooked in these discussions is how these
> > > > situations benefit the attacker. It's not a technical challenge, so
> > > > there's no Cracker Glory in it. There's no money involved. Twitter
> > > > could always return control of a hijacked account manually. It's a
> > > > risk without reward. Most anyone suitably incentivized to run
> > > > exploits would be better served by attacking the service as a whole
> > > > anonymously than attacking one account.
> >
> > > > > To make a long story short, I am developing a Twitter client in C,
> > > > > and I am implementing OAuth with liboauth and I feel I do not deeply
> > > > > understand OAuth in the case above (hijack vulnerability).
> >
> > > > If you use OAuth with a desktop client, you are distributing your
> > > > secret key with the application. Users should not assume that an
> > > > authorization request for your app is from their copy of the app
> > > > unless they initiated the transaction.
> >
> > > > Chris Babcock
>
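As an added illustration of Chris's point about the distributed secret (this is example code, not from the thread and not liboauth), here is an OAuth 1.0 HMAC-SHA1 signer and verifier in Python. The endpoint, keys and parameters are constructed values; the check on the server side depends only on the consumer secret and token secret, so nothing in it identifies which copy of a desktop binary produced the request.

```python
import base64
import hashlib
import hmac
from urllib.parse import quote


def pct(value: str) -> str:
    # RFC 5849 section 3.6 encoding: only unreserved characters stay literal.
    return quote(value, safe="-._~")


def signature_base_string(method: str, url: str, params: dict) -> str:
    # RFC 5849 section 3.4.1: method, base URL and sorted params, each encoded.
    # params must not contain oauth_signature itself.
    pairs = sorted((pct(k), pct(v)) for k, v in params.items())
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), pct(url), pct(normalized)])


def sign(method, url, params, consumer_secret, token_secret=""):
    # The HMAC key is "consumer_secret&token_secret"; whoever holds the
    # consumer secret (every copy of a desktop binary that embeds it) can sign.
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    msg = signature_base_string(method, url, params).encode()
    return base64.b64encode(hmac.new(key, msg, hashlib.sha1).digest()).decode()


def verify(method, url, params, signature, consumer_secret, token_secret=""):
    # Server-side check: recompute and compare in constant time. The server
    # only learns that the consumer secret and token secret were known, not
    # which installation of the app sent the request.
    expected = sign(method, url, params, consumer_secret, token_secret)
    return hmac.compare_digest(expected, signature)


# Constructed sample request (hypothetical endpoint and credentials).
URL = "https://example.com/oauth/resource"
PARAMS = {
    "oauth_consumer_key": "ckey",
    "oauth_token": "atoken",
    "oauth_nonce": "abc123",
    "oauth_timestamp": "1255524240",
    "oauth_signature_method": "HMAC-SHA1",
    "oauth_version": "1.0",
    "status": "hello world",
}

if __name__ == "__main__":
    sig = sign("POST", URL, PARAMS, "csecret", "tsecret")
    # A second copy of the app with the same embedded secret verifies identically.
    print("verifies:", verify("POST", URL, PARAMS, sig, "csecret", "tsecret"))
```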
