The situation in this scenario is that Mallory phished Bob's Twitter credentials and used them to authorize access for himself with an OAuth App that Bob also uses. Mallory can only be detected by the changes he makes in the account; he cannot be detected by viewing the list of OAuth apps with access to the account. Additionally, Mallory's access does not disturb Bob's access to the account via the OAuth consumer App.

This scenario is largely equivalent to Mallory's possession of the credentials themselves. The only difference is that Mallory retains certain capabilities even if the credentials he obtained are changed. The real security profile for this scenario is that it adds an extra layer of maintenance to be done by a user if a compromise is suspected. In addition to changing passwords, Bob should cancel all other accesses to his account and reauthorize those that are trusted and necessary.

Chris Babcock

On Wed, 14 Oct 2009 20:17:48 +0530 srikanth reddy <[email protected]> wrote:

> Yes. The risk is high with Desktop apps as Consumer secret/keys are distributed.
>
> On Wed, Oct 14, 2009 at 8:04 PM, Dewald Pretorius <[email protected]> wrote:
>
> > So this is a problem with web apps as well then.
> >
> > If User Bob authorized Web App to work on his account, and Phishing Dude also authorizes his Web App account to work on User Bob's Twitter account because he phished User Bob's Twitter username and password, User Bob is blissfully unaware of that?
> >
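The grant lifecycle described in the message above, as an added illustration that is not code from the thread, from Twitter, or from any OAuth library. It models a toy resource server holding user passwords, registered consumer apps and issued access tokens (the `approved_from` field, the app name "TweetClient" and the key "app-key" are invented for the walkthrough), and replays the scenario: Mallory approves the same app with Bob's phished password, his token survives Bob's password change, the settings page shows a single app entry although two grants sit behind it, and only revoking all grants and re-authorizing cuts Mallory off.

```python
"""Toy model of an OAuth-style grant store and the phishing scenario.

Constructed example; not code from the mailing-list thread, from Twitter
or from any OAuth library. OAuth 1.0a signatures are not modelled: the
point here is the lifecycle of a grant relative to the password.
"""
import hashlib
import secrets
from dataclasses import dataclass


@dataclass
class Grant:
    user: str
    consumer_key: str
    token_secret: str   # kept to mirror OAuth 1.0a; unused because signing is not modelled
    approved_from: str  # hypothetical field: where the approval came from; many servers keep nothing like it


class ResourceServer:
    def __init__(self):
        self.passwords = {}   # user -> sha256 of password (toy only; use a real KDF in practice)
        self.consumers = {}   # consumer_key -> app display name
        self.grants = {}      # access token -> Grant

    @staticmethod
    def _hash(password):
        return hashlib.sha256(password.encode()).hexdigest()

    def register_user(self, user, password):
        self.passwords[user] = self._hash(password)

    def register_consumer(self, key, name):
        self.consumers[key] = name

    def authorize(self, user, password, consumer_key, approved_from):
        """Authorization step: whoever presents the right password gets a token for the app."""
        if self.passwords.get(user) != self._hash(password):
            raise PermissionError("bad credentials")
        if consumer_key not in self.consumers:
            raise KeyError("unknown consumer")
        token = secrets.token_hex(16)
        self.grants[token] = Grant(user, consumer_key, secrets.token_hex(16), approved_from)
        return token

    def api_call(self, token, consumer_key):
        """A protected call: succeeds only if the token exists and was issued to this consumer."""
        grant = self.grants.get(token)
        if grant is None or grant.consumer_key != consumer_key:
            return None
        return grant.user

    def change_password(self, user, old, new):
        """Credential change: rewrites the hash and leaves every issued token untouched."""
        if self.passwords.get(user) != self._hash(old):
            raise PermissionError("bad credentials")
        self.passwords[user] = self._hash(new)

    def list_apps(self, user):
        """What the settings page shows: one entry per app, not one per grant."""
        return sorted({self.consumers[g.consumer_key]
                       for g in self.grants.values() if g.user == user})

    def revoke_all(self, user):
        """Drop every grant for the user; returns how many were removed."""
        doomed = [t for t, g in self.grants.items() if g.user == user]
        for t in doomed:
            del self.grants[t]
        return len(doomed)


def run_scenario():
    """Replays the thread's scenario and returns the observable facts as a dict."""
    srv = ResourceServer()
    srv.register_user("bob", "hunter2")
    srv.register_consumer("app-key", "TweetClient")

    bob_token = srv.authorize("bob", "hunter2", "app-key", "bob-laptop")
    # Mallory phished Bob's password and approves the same app from his own machine.
    mallory_token = srv.authorize("bob", "hunter2", "app-key", "mallory-box")

    out = {"apps_listed": srv.list_apps("bob")}  # one entry, two grants behind it
    out["grants_behind_it"] = sum(1 for g in srv.grants.values() if g.user == "bob")

    # Changing the password does nothing to either token.
    srv.change_password("bob", "hunter2", "correct horse")
    out["mallory_after_pw_change"] = srv.api_call(mallory_token, "app-key")
    out["bob_after_pw_change"] = srv.api_call(bob_token, "app-key")

    # Revoking every grant removes Mallory's token, and Bob's along with it.
    out["revoked"] = srv.revoke_all("bob")
    out["mallory_after_revoke"] = srv.api_call(mallory_token, "app-key")
    out["bob_after_revoke"] = srv.api_call(bob_token, "app-key")

    # Bob re-authorizes with the new password; Mallory, not knowing it, cannot.
    new_bob_token = srv.authorize("bob", "correct horse", "app-key", "bob-laptop")
    out["bob_after_reauth"] = srv.api_call(new_bob_token, "app-key")
    return out


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

Running the module prints the sequence of observations; the two that matter for the discussion are `mallory_after_pw_change`, which still resolves to Bob's account, and `apps_listed`, which names the app once even though two grants exist, so the settings page gives Bob no hint of the second one.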
