[liberationtech] UPDATE - Re: potentially major security flaw in twitter
Brian Conley
brianc at smallworldnews.tv
Thu Dec 22 11:29:40 PST 2011
Hi all,
So an update. Essentially I've run into what some of you have probably
previously mentioned, the impact of the OAuth protocol.
For an uninformed user of twitter, OAuth can cause them to provide access
to their twitter account from secondary devices even after changing
passwords at the source.
Obviously this has huge implications for citizen journalists, activists,
and human rights workers among others. Anyone who is detained and whose
twitter passwords become compromised (as well as other applications, i'm
guessing the facebook app for iPad also uses OAUTH, though it may just
store the password) is at risk of providing ongoing access to these apps if
they fail to remove the OAuth authorization after changing their passwords.
Does anyone know of resources that have been produced to raise awareness
about this issue, or similar issues? I'm wondering whether Small World News
should put some effort into developing a more comprehensive social media
security 101 that considers these technical issues as well as general best
practices?
Regards
Brian
On Wed, Dec 21, 2011 at 5:38 PM, Brian Conley <brianc at smallworldnews.tv>wrote:
> Hi all,
>
> So I don't really want to broadcast this to an entire list of people whom
> I don't know, but I've found what is potentially a huge flaw in twitter's
> security architecture. Can any of you connect me directly with someone at
> Twitter who is involved with security?
>
> I will be happy to brief the list once its fixed.
>
> Brian
>
> --
>
>
>
> Brian Conley
>
> Director, Small World News
>
> http://smallworldnews.tv
>
> m: 646.285.2046
>
> Skype: brianjoelconley
>
> public key:
> http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xE827FACCB139C9F0
>
>
--
Brian Conley
Director, Small World News
http://smallworldnews.tv
m: 646.285.2046
Skype: brianjoelconley
public key:
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xE827FACCB139C9F0
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.stanford.edu/pipermail/liberationtech/attachments/20111222/b1418a12/attachment.html>
More information about the liberationtech
mailing list