On Thu, 15 Oct 2009 12:32:19 +0700 Dwi Sasongko Supriyadi <ruck...@gmail.com> wrote:
> Okay. If Mallory changed Bob's password after successfully getting in,
> can Bob still access his account through his application (which is
> authorized)?

Yes, OAuth apps that have their own authentication context would still work for Bob. A change in Bob's Twitter password will not prevent the OAuth application from working. As long as Bob can prove that he is Bob to the application's satisfaction, then he can use that application, and that application can use OAuth tokens that Bob previously authorized.

> From your explanation above, the answer is no, it is
> impossible. Since Bob cannot sign in anymore, Mallory has changed his
> password.

The application may or may not rely on Twitter itself to authenticate the Twitter user after it has obtained a token. While Twitter is kind enough to give us the "Sign-in with Twitter" work flow, OAuth does not specify the means by which the application should authenticate the user.

Account hijacking is a minor risk; it is auditable and reversible. OAuth is low risk because it is being offered in parallel with HTTP methods that have known vulnerabilities. Twitter accounts are low risk targets because the content is public, transient and repudiable.

A threat model that over-emphasizes those risks reveals fundamental misperceptions about the Twitter meme that is going to result in disappointment when those misperceptions attempt to manifest themselves as a business model.

Chris Babcock
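The point Chris makes, that an OAuth access token is decoupled from the user's provider password, can be shown with a toy model. The following is an added example and is not code from this thread, from Twitter or from any OAuth library: a constructed `Provider` (the Twitter role) that issues tokens, a constructed `App` that keeps its own session cookie and uses the stored token, and a `scenario()` helper that changes Bob's password and checks whether the application keeps working. The signing scheme (HMAC-SHA256 over the request body) and the `revoke_tokens` option are simplifications chosen for the illustration; the latter shows the provider-side mitigation of revoking delegated tokens on a password change, which the thread notes OAuth itself does not require.

```python
"""Toy model: OAuth-style delegated access versus a password change.

Constructed illustration, not Twitter's or any library's code. The provider
issues an access token to an application on behalf of a user; the application
keeps its own login (a session cookie) and uses the stored token to call the
provider. Changing the user's provider password does not invalidate tokens
unless the provider explicitly revokes them.
"""
import hashlib
import hmac
import secrets


class Provider:
    """Authorization/resource server (the Twitter role in the thread)."""

    def __init__(self):
        self.passwords = {}  # username -> (salt, sha256(salt || password))
        self.tokens = {}     # access token -> (username, token secret)

    def register(self, user, password):
        salt = secrets.token_bytes(16)
        digest = hashlib.sha256(salt + password.encode()).digest()
        self.passwords[user] = (salt, digest)

    def login(self, user, password):
        salt, digest = self.passwords[user]
        candidate = hashlib.sha256(salt + password.encode()).digest()
        return hmac.compare_digest(digest, candidate)

    def change_password(self, user, new_password, revoke_tokens=False):
        """Set a new password; optionally drop every token issued for the user."""
        self.register(user, new_password)
        if revoke_tokens:
            self.tokens = {t: v for t, v in self.tokens.items() if v[0] != user}

    def authorize(self, user, password):
        """The user proves identity once; the application receives a token."""
        if not self.login(user, password):
            raise PermissionError("bad credentials")
        token, secret = secrets.token_hex(16), secrets.token_hex(16)
        self.tokens[token] = (user, secret)
        return token, secret

    def api_call(self, token, signature, body):
        """Token-authenticated request; the password is never sent here."""
        user, secret = self.tokens.get(token, (None, None))
        if user is None:
            return None
        expected = hmac.new(secret.encode(), body, hashlib.sha256).hexdigest()
        return user if hmac.compare_digest(expected, signature) else None


class App:
    """Third-party application with its own authentication context."""

    def __init__(self, provider):
        self.provider = provider
        self.tokens = {}    # app-local account -> (token, secret)
        self.sessions = {}  # session cookie -> app-local account

    def connect(self, local_id, user, password):
        """One-time authorization, then an app-local session for the user."""
        self.tokens[local_id] = self.provider.authorize(user, password)
        cookie = secrets.token_hex(16)
        self.sessions[cookie] = local_id
        return cookie

    def post(self, cookie, body):
        """Authenticate against the app's own session, then use the token."""
        local_id = self.sessions.get(cookie)
        if local_id is None:
            return None
        token, secret = self.tokens[local_id]
        sig = hmac.new(secret.encode(), body, hashlib.sha256).hexdigest()
        return self.provider.api_call(token, sig, body)


def scenario(revoke_on_change):
    """Return (bob_can_login_with_old_password, app_still_works)."""
    twitter = Provider()
    twitter.register("bob", "hunter2")          # constructed credentials
    app = App(twitter)
    cookie = app.connect("bob-local", "bob", "hunter2")
    # The thread's case: the password is changed out from under Bob.
    twitter.change_password("bob", "changed", revoke_tokens=revoke_on_change)
    bob_can_login = twitter.login("bob", "hunter2")
    app_still_works = app.post(cookie, b"hello") == "bob"
    return bob_can_login, app_still_works


if __name__ == "__main__":
    print("no revocation:", scenario(False))   # (False, True)
    print("revoke on change:", scenario(True))  # (False, False)
```

With `revoke_on_change=False` the result is `(False, True)`: Bob can no longer sign in at the provider with his old password, but the application, having authenticated him through its own session, still calls the provider successfully with the previously authorized token. Only when the provider revokes tokens on a password change does the application lose access as well, which is the knob a provider turns if it wants a password reset to also cut off delegated access.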