It is not impossible. It is still possible for Bob to use the same OAuth app
(even if Mallory has changed his credentials) given that Mallory has not
revoked the access to the same OAuth app. As Chris pointed out, the application
may not authenticate a Twitter user after it has obtained the tokens. In
this case the application would use the same old token for Bob.


On Thu, Oct 15, 2009 at 11:02 AM, Dwi Sasongko Supriyadi
<ruck...@gmail.com> wrote:

>
>
> On Thu, Oct 15, 2009 at 11:15 AM, srikanth reddy <
> srikanth.yara...@gmail.com> wrote:
>
>> @chris
>> Okay. I was talking about a different scenario (using OAuth apps to steal
>> user info).
>> But if credentials are stolen then it's all over (it doesn't matter which
>> OAuth app you have authorized).
>>
>> @sasongoko.
>> If Bob manages to change his password after Mallory used Bob's old
>> credentials to authorize an OAuth app (same or different) then Mallory can
>> still have some sort of access to Bob's account. To prevent this, Bob is
>> required to change his password and must revoke the access to all the
>> suspicious OAuth apps.
>>
>>
> Okay. If Mallory changed Bob's password after successfully getting in, can Bob
> still access his account through his application (which is authorized)? From
> your explanation above, the answer is no, it is impossible. Since Bob cannot
> sign in anymore, Mallory has changed his password.
>
>
>> On Thu, Oct 15, 2009 at 9:19 AM, Dwi Sasongko Supriyadi <
>> ruck...@gmail.com> wrote:
>>
>>>
>>>
>>> On Thu, Oct 15, 2009 at 2:06 AM, Chris Babcock <
>>> cbabc...@kolonelpanic.org> wrote:
>>>
>>>>
>>>> The situation in this scenario is that Mallory phished Bob's Twitter
>>>> credentials and used them to authorize access for himself with an OAuth
>>>> App that Bob also uses. Mallory can only be detected by the changes he
>>>> makes in the account; he cannot be detected by viewing the list of
>>>> OAuth apps with access to the account. Additionally, Mallory's access
>>>> does not disturb Bob's access to the account via the OAuth consumer App.
>>>>
>>>>
>>> Above are valid if only the credentials are not changed, either by Bob or
>>> .
>>>
>>> If in this case, Mallory changed Bob's credentials, will this disturb
>>> Bob's access to the account?
>>>
>>>
>>>> This scenario is largely equivalent to Mallory's possession of the
>>>> credentials themselves. The only difference is that Mallory retains
>>>> certain capabilities even if the credentials he obtained are changed.
>>>>
>>>> The real security profile for this scenario is that it adds an extra
>>>> layer of maintenance to be done by a user if a compromise is suspected.
>>>> In addition to changing passwords, Bob should cancel all other accesses
>>>> to his account and reauthorize those that are trusted and necessary.
>>>>
>>>> Chris Babcock
>>>>
>>>>
>>>> On Wed, 14 Oct 2009 20:17:48 +0530
>>>> srikanth reddy <srikanth.yara...@gmail.com> wrote:
>>>>
>>>> > Yes. The risk is high with Desktop apps as Consumer secret/keys are
>>>> > distributed.
>>>> >
>>>> > On Wed, Oct 14, 2009 at 8:04 PM, Dewald Pretorius <dpr...@gmail.com>
>>>> > wrote:
>>>> >
>>>> > >
>>>> > > So this is a problem with web apps as well then.
>>>> > >
>>>> > > If User Bob authorized Web App to work on his account, and Phishing
>>>> > > Dude also authorizes his Web App account to work on User Bob's
>>>> > > Twitter account because he phished User Bob's Twitter username and
>>>> > > password, User Bob is blissfully unaware of that?
>>>> > >
>>>>
>>>
>>>
>>
>
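
The token lifecycle discussed in this thread, as an added example that is not part of any poster's message and is not Twitter's code: a constructed in-memory provider showing that a password change leaves issued tokens valid and that only revoking the app cuts off both holders. The `Provider` class, its method names, the one-entry-per-app listing and the revoke-all-tokens-for-an-app behaviour are assumptions modelled on the posters' descriptions.

```python
# Constructed model of an OAuth service provider; names are hypothetical.
import secrets

class Provider:
    def __init__(self):
        self.passwords = {}   # account -> current password
        self.tokens = {}      # access token -> (account, consumer app)

    def authorize(self, account, password, app):
        """Issue an access token to `app` after a password login."""
        if self.passwords.get(account) != password:
            raise PermissionError("bad credentials")
        token = secrets.token_hex(8)
        self.tokens[token] = (account, app)
        return token

    def api_call(self, token):
        """Token-only check: the password is never consulted here."""
        return token in self.tokens

    def change_password(self, account, old, new):
        if self.passwords.get(account) != old:
            raise PermissionError("bad credentials")
        self.passwords[account] = new      # issued tokens are left untouched

    def connected_apps(self, account):
        """What a settings page would list: app names, not individual tokens."""
        return sorted({app for acct, app in self.tokens.values() if acct == account})

    def revoke_app(self, account, app):
        """Assumed behaviour: revoking an app drops all its tokens for the account."""
        self.tokens = {t: v for t, v in self.tokens.items() if v != (account, app)}

def scenario():
    p = Provider()
    p.passwords["bob"] = "old-pw"                      # constructed sample data
    bob_tok = p.authorize("bob", "old-pw", "WebApp")
    mal_tok = p.authorize("bob", "old-pw", "WebApp")   # second grant, same app
    listed = p.connected_apps("bob")                   # one entry for two tokens
    p.change_password("bob", "old-pw", "new-pw")
    after_pw = (p.api_call(bob_tok), p.api_call(mal_tok))
    p.revoke_app("bob", "WebApp")
    after_revoke = (p.api_call(bob_tok), p.api_call(mal_tok))
    return listed, after_pw, after_revoke
```

After revocation Bob has to authorize the app again with his new password, which matches the cleanup Chris describes: change the password, cancel all accesses, then reauthorize the trusted ones.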
