On Thu, 15 Oct 2009 12:32:19 +0700
Dwi Sasongko Supriyadi <ruck...@gmail.com> wrote:

> Okay. If Mallory changed Bob's password after successfully getting in,
> can Bob still access his account through his application (which is
> authorized)?

Yes, OAuth apps that have their own authentication context would still work
for Bob. A change in Bob's Twitter password will not prevent the OAuth
application from working. As long as Bob can prove that he is Bob to
the application's satisfaction, then he can use that application, and
that application can use the OAuth tokens that Bob previously authorized.

> From your explanation above, the answer is no, it is
> impossible. Since Bob cannot sign in anymore, Mallory has changed his
> password.

The application may or may not rely on Twitter itself to authenticate
the Twitter user after it has obtained a token. While Twitter is kind
enough to give us the "Sign-in with Twitter" workflow, OAuth does not
specify the means by which the application should authenticate the user.

Account hijacking is a minor risk; it is auditable and reversible.
OAuth is low risk because it is being offered in parallel with HTTP
methods that have known vulnerabilities. Twitter accounts are low-risk
targets because the content is public, transient and repudiatable.

A threat model that over-emphasizes those risks reveals fundamental
misperceptions about the Twitter meme that is going to result in
disappointment when those misperceptions attempt to manifest themselves
as a business model.

Chris Babcock
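The point made in this message, that a password change on the provider side leaves previously authorized OAuth tokens untouched, can be shown with a small model of the provider's user and token tables. This is an added example, not code from the thread or from Twitter; the class, method names and the `revoke_on_password_change` option are assumptions made for illustration. The option models the provider-side countermeasure (revoking a user's tokens when the password changes), and `list_authorizations` and `revoke_app` model the "auditable and reversible" part: the account holder can see which applications hold tokens and withdraw them.

```python
"""Added example (not part of the original mailing-list thread).

A minimal model of an OAuth provider: it stores user passwords and the
access tokens users have granted to third-party applications. Changing the
password does not, by itself, touch the token table, so an application that
authenticates Bob on its own keeps working with its earlier token. All
names below are assumptions for illustration.
"""
import hashlib
import hmac
import os
import secrets


class OAuthProvider:
    def __init__(self, revoke_on_password_change: bool = False):
        # Assumed provider option: drop a user's tokens when the password changes.
        self.revoke_on_password_change = revoke_on_password_change
        self._users = {}   # username -> (salt, password hash)
        self._tokens = {}  # access token -> (username, application name)

    @staticmethod
    def _hash(salt: bytes, password: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def register(self, username: str, password: str) -> None:
        salt = os.urandom(16)
        self._users[username] = (salt, self._hash(salt, password))

    def check_password(self, username: str, password: str) -> bool:
        if username not in self._users:
            return False
        salt, stored = self._users[username]
        return hmac.compare_digest(stored, self._hash(salt, password))

    def authorize_app(self, username: str, password: str, app: str) -> str:
        # The user proves identity once at authorization time; from then on
        # the application presents the token, not the password.
        if not self.check_password(username, password):
            raise PermissionError("bad credentials")
        token = secrets.token_urlsafe(24)
        self._tokens[token] = (username, app)
        return token

    def change_password(self, username: str, old: str, new: str) -> None:
        if not self.check_password(username, old):
            raise PermissionError("bad credentials")
        salt = os.urandom(16)
        self._users[username] = (salt, self._hash(salt, new))
        if self.revoke_on_password_change:
            # Countermeasure: invalidate every token issued for this user.
            self._tokens = {t: v for t, v in self._tokens.items()
                            if v[0] != username}

    def api_call(self, token: str):
        """A resource request made with a token succeeds iff the token is live."""
        entry = self._tokens.get(token)
        return None if entry is None else f"timeline of {entry[0]} via {entry[1]}"

    def list_authorizations(self, username: str) -> list:
        """Audit view: which applications hold tokens for this user."""
        return sorted(app for user, app in self._tokens.values() if user == username)

    def revoke_app(self, username: str, app: str) -> None:
        """Reversal: the account holder withdraws one application's tokens."""
        self._tokens = {t: v for t, v in self._tokens.items()
                        if v != (username, app)}


def scenario(revoke_on_password_change: bool) -> dict:
    """Bob authorizes a client, the password is changed, then Bob revokes the
    client himself. Returns what still works at each step."""
    provider = OAuthProvider(revoke_on_password_change)
    provider.register("bob", "correct horse")          # constructed sample data
    token = provider.authorize_app("bob", "correct horse", "TweetClient")
    provider.change_password("bob", "correct horse", "new secret")
    after_change = provider.api_call(token) is not None
    apps_seen = provider.list_authorizations("bob")
    provider.revoke_app("bob", "TweetClient")
    return {
        "old_password_works": provider.check_password("bob", "correct horse"),
        "token_works_after_password_change": after_change,
        "apps_visible_in_audit": apps_seen,
        "token_works_after_revoke": provider.api_call(token) is not None,
    }


if __name__ == "__main__":
    print(scenario(False))  # token survives the password change
    print(scenario(True))   # provider option revokes it
```

Running `scenario(False)` reproduces the behaviour the message describes: the old password stops working, but the application's token keeps returning data until Bob revokes that application from the audit list. `scenario(True)` shows the alternative a provider can choose, where a password change also clears the token table.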
