On Thu, Oct 15, 2009 at 2:06 AM, Chris Babcock <[email protected]> wrote:

>
> The situation in this scenario is that Mallory phished Bob's Twitter
> credentials and used them to authorize access for himself with an OAuth
> App that Bob also uses. Mallory can only be detected by the changes he
> makes in the account; he cannot be detected by viewing the list of
> OAuth apps with access to the account. Additionally, Mallory's access
> does not disturb Bob's access to the account via the OAuth consumer App.
>

The above holds only if the credentials are not changed, either by Bob or . If, in this case, Mallory changed Bob's credentials, will this disturb Bob's access to the account?

> This scenario is largely equivalent to Mallory's possession of the
> credentials themselves. The only difference is that Mallory retains
> certain capabilities even if the credentials he obtained are changed.
>
> The real security profile for this scenario is that it adds an extra
> layer of maintenance to be done by a user if a compromise is suspected.
> In addition to changing passwords, Bob should cancel all other accesses
> to his account and reauthorize those that are trusted and necessary.
>
> Chris Babcock
>
>
> On Wed, 14 Oct 2009 20:17:48 +0530
> srikanth reddy <[email protected]> wrote:
>
> > Yes. The risk is high with Desktop apps as Consumer secret/keys are
> > distributed.
> >
> > On Wed, Oct 14, 2009 at 8:04 PM, Dewald Pretorius <[email protected]>
> > wrote:
> >
> > >
> > > So this is a problem with web apps as well then.
> > >
> > > If User Bob authorized Web App to work on his account, and Phishing
> > > Dude also authorizes his Web App account to work on User Bob's
> > > Twitter account because he phished User Bob's Twitter username and
> > > password, User Bob is blissfully unaware of that?
> > >
> >
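As an added illustration of the scenario discussed in this thread (example code written for this page, not Twitter's implementation nor any OAuth library's): a toy service provider in which an access token is bound to a user and a consumer key, the "apps with access" list is keyed by consumer, and a password change leaves existing tokens untouched. The class name `ServiceProvider`, the consumer key `tweetapp`, the user `bob` and the passwords are all hypothetical. The walkthrough in `scenario()` reproduces the three points made above: Mallory's grant does not show up in Bob's app list, it survives Bob's password change (although Mallory can no longer mint new tokens with the stale password), and only cancelling all grants and reauthorizing the trusted app removes it.

```python
import hashlib
import hmac
import os
import secrets
from dataclasses import dataclass


@dataclass
class AccessToken:
    """OAuth access token bound to one user and one consumer (app)."""
    token: str
    consumer_key: str
    user: str
    revoked: bool = False


class ServiceProvider:
    """Hypothetical service provider standing in for Twitter in the thread."""
    def __init__(self):
        self.users = {}   # username -> (salt, pbkdf2 hash)
        self.tokens = {}  # token string -> AccessToken

    @staticmethod
    def _hash(salt, password):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def register_user(self, user, password):
        salt = os.urandom(16)
        self.users[user] = (salt, self._hash(salt, password))

    def check_password(self, user, password):
        salt, stored = self.users[user]
        return hmac.compare_digest(stored, self._hash(salt, password))

    def authorize(self, user, password, consumer_key):
        """Authorization step: whoever presents Bob's password (Bob, or Mallory
        with the phished copy) gets a fresh token for the consumer."""
        if not self.check_password(user, password):
            raise PermissionError("bad credentials")
        tok = AccessToken(secrets.token_hex(16), consumer_key, user)
        self.tokens[tok.token] = tok
        return tok

    def has_access(self, token):
        """Protected-resource check: token exists and is not revoked."""
        t = self.tokens.get(token)
        return t is not None and not t.revoked

    def change_password(self, user, old, new):
        """A password change does NOT touch existing tokens (the point of the
        thread): Mallory's token keeps working afterwards."""
        if not self.check_password(user, old):
            raise PermissionError("bad credentials")
        salt = os.urandom(16)
        self.users[user] = (salt, self._hash(salt, new))

    def authorized_apps(self, user):
        """Bob's 'apps with access' view: one entry per consumer, so Mallory's
        second grant to the same app is invisible here."""
        return sorted({t.consumer_key for t in self.tokens.values()
                       if t.user == user and not t.revoked})

    def revoke_all(self, user):
        """Remediation: cancel every grant, then reauthorize trusted apps."""
        live = [t for t in self.tokens.values() if t.user == user and not t.revoked]
        for t in live:
            t.revoked = True
        return len(live)


def scenario():
    """Walk through the thread's scenario and return the observable facts."""
    sp = ServiceProvider()
    sp.register_user("bob", "correct horse")
    bob_tok = sp.authorize("bob", "correct horse", "tweetapp")
    # Mallory phished Bob's password and authorizes the same app for himself.
    mallory_tok = sp.authorize("bob", "correct horse", "tweetapp")
    visible = sp.authorized_apps("bob")   # ["tweetapp"]: Mallory is hidden
    # Bob changes his password; both tokens still work.
    sp.change_password("bob", "correct horse", "new phrase")
    after_pw = (sp.has_access(bob_tok.token), sp.has_access(mallory_tok.token))
    # Mallory can no longer mint new tokens, but retains the one he has.
    try:
        sp.authorize("bob", "correct horse", "tweetapp")
        mallory_reauth = True
    except PermissionError:
        mallory_reauth = False
    # So Bob must also cancel all accesses and reauthorize the trusted app.
    revoked = sp.revoke_all("bob")
    after_revoke = (sp.has_access(bob_tok.token), sp.has_access(mallory_tok.token))
    bob_new = sp.authorize("bob", "new phrase", "tweetapp")
    return {"visible_apps": visible, "after_password_change": after_pw,
            "mallory_can_reauthorize": mallory_reauth, "revoked": revoked,
            "after_revoke_all": after_revoke,
            "bob_reauthorized": sp.has_access(bob_new.token)}
```

The per-consumer `authorized_apps` view is the crux: because the provider shows Bob one row per app rather than one row per grant, a "revoke this app" button would also be ambiguous, which is why the thread's advice is to cancel everything and reauthorize rather than hunt for the bad entry.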
