Twitter and the Security Imbalance

Twitter’s problems with its OAuth implementation have made the headlines, and a full analysis can be found on Ars Technica. The (very) basic idea of the first issue highlighted in this article is as follows:

  • Twitter provides “secret keys” (more like API keys) to developers.
  • When a key is compromised, it is revoked, and applications that use it stop working.
  • Since the key is usually embedded in applications, a new version of the application then needs to be distributed.

This confidentiality requirement is quite stringent, especially because it is very hard to hide something in the code of an application. This actually gets confirmed when the article states that finding the key in Twitter’s official Android application only required unpacking the binary file and “grep”-ing for strings. I did not have the courage to check that, and the process may actually be more difficult than a simple search. However, as an evaluator, I know that hiding a secret in a (clear-text) application is far from easy, and that the use of verifiable bytecode makes things only worse, because of the guarantees it provides. So we can be sure that the keys would come out in less than a day’s work from somebody with the right tools and skills.
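As an added example (not code from the original post or from Twitter), here is the kind of pre-release check a developer can run over a build artifact to see the point above for themselves: a strings(1)-style scan of a constructed sample binary that flags long, high-entropy tokens, which is exactly the shape an embedded API key has. The blob and the key inside it are constructed placeholders, not real data.

```python
import math
import re

# Constructed sample "binary": opaque bytes with a key-like token embedded
# in clear text. The token is a placeholder, not a real credential.
SAMPLE_BINARY = (
    b"\x7fELF\x02\x01\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00"
    b"\x02\x00\x3e\x00\x01\x00\x00\x00\x10\x04\x40\x00\x00\x00"
    b"consumer_key\x00"
    b"EXAMPLE_CONSUMER_SECRET_Qz9sLkTtNc7VbW2eRpY4hUa1\x00"
    b"Hello, world\x00libc.so.6\x00GLIBC_2.2.5\x00"
    b"\x00\x00\xde\xad\xbe\xef"
)


def extract_strings(blob, min_len=8):
    """Return every run of at least min_len printable ASCII bytes, as strings(1) does."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.group().decode("ascii") for m in pattern.finditer(blob)]


def shannon_entropy(s):
    """Bits per character of s; uniform random tokens score high, words score low."""
    n = len(s)
    counts = {c: s.count(c) for c in set(s)}
    return -sum(k / n * math.log2(k / n) for k in counts.values())


def find_secret_candidates(blob, min_len=20, min_entropy=3.5):
    """Flag long, space-free, high-entropy strings: the typical shape of an API key.

    Thresholds are heuristic; tune them against a known-clean build to limit noise.
    """
    hits = []
    for s in extract_strings(blob):
        token = s.strip()
        if (len(token) >= min_len and " " not in token
                and shannon_entropy(token) >= min_entropy):
            hits.append(token)
    return hits


if __name__ == "__main__":
    for candidate in find_secret_candidates(SAMPLE_BINARY):
        print("possible embedded secret:", candidate)
```

Run against a real artifact by reading the file's bytes instead of SAMPLE_BINARY; short identifiers such as consumer_key and library names fall below the length threshold and are not flagged.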

In the end, this allows us to make great denial-of-service attacks. Simply wait until your favorite competitor releases his Twitter client, then publish his key, and make Twitter disable the client. It is a classical application of the fact that too much security can create its own security issues.

But the problems don’t stop there. According to the same article, Twitter doesn’t ask for any credential to provide a secret key to a Twitter app. And when authentication is required, the language used in the dialog doesn’t leave any room for doubt. This is a very nice tool for phishers, who can easily take somebody else’s identity.

This combination is typical of a very common security behavior: if we focus too much on one aspect of security (making sure that secrets remain secrets), we tend to forget about others (who can get the secrets). And I think that we all do it all the time.

On the other hand, Twitter has just launched t.co, which looks like a much more significant move. And their founder has sound objectives.
