[liberationtech] UPDATE - Re: potentially major security flaw in twitter

Brian Conley brianc at smallworldnews.tv
Thu Dec 22 11:46:13 PST 2011


I forgot to mention, to solve this issue you must go into the settings
section of your account and revoke access to older mobile devices or those
which have become compromised. This is also where you would revoke access
to generally far less compromising "applications" such as "tweet cloud" or
"klout." It appears to me the first issue here is the failure of Twitter to
consider the necessity of distinguishing between applications that allow
complete access to your Twitter account, such as Twitter for Android or
Twitter for iPad, and applications that serve to do fun things with your
account or allow you to analyze your account and measure it against others,
such as the aforementioned apps.

Brian

On Thu, Dec 22, 2011 at 11:29 AM, Brian Conley <brianc at smallworldnews.tv> wrote:

> Hi all,
>
> So an update. Essentially I've run into what some of you have probably
> previously mentioned, the impact of the OAuth protocol.
>
> For an uninformed user of Twitter, OAuth can cause them to provide access
> to their Twitter account from secondary devices even after changing
> passwords at the source.
>
> Obviously this has huge implications for citizen journalists, activists,
> and human rights workers among others. Anyone who is detained and whose
> Twitter passwords become compromised (as well as other applications, I'm
> guessing the Facebook app for iPad also uses OAuth, though it may just
> store the password) is at risk of providing ongoing access to these apps if
> they fail to remove the OAuth authorization after changing their passwords.
>
> Does anyone know of resources that have been produced to raise awareness
> about this issue, or similar issues? I'm wondering whether Small World News
> should put some effort into developing a more comprehensive social media
> security 101 that considers these technical issues as well as general best
> practices?
>
> Regards
>
> Brian
>
> On Wed, Dec 21, 2011 at 5:38 PM, Brian Conley <brianc at smallworldnews.tv> wrote:
>
>> Hi all,
>>
>> So I don't really want to broadcast this to an entire list of people whom
>> I don't know, but I've found what is potentially a huge flaw in Twitter's
>> security architecture. Can any of you connect me directly with someone at
>> Twitter who is involved with security?
>>
>> I will be happy to brief the list once it's fixed.
>>
>> Brian
>>
>> --
>>
>>
>>
>> Brian Conley
>>
>> Director, Small World News
>>
>> http://smallworldnews.tv
>>
>> m: 646.285.2046
>>
>> Skype: brianjoelconley
>>
>> public key:
>> http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xE827FACCB139C9F0
>>
>>
>
>


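The behaviour the thread describes (an OAuth-authorized client keeps working after the account password is changed, until the grant itself is revoked) and the scope distinction Brian asks for (a full-access mobile client versus a read-only analytics app) can be shown with a toy authorization server. The code below is an added illustration written for this archive page; it is not code from the thread, from Twitter, or from any real OAuth implementation. The AuthServer class, the "full" and "read" scope names, the app names and the reporter's passwords are all constructed for the example. The revoke_on_password_change flag models the hardened design where a password change invalidates every outstanding grant.

```python
"""Toy model: OAuth-style bearer tokens survive a password change.

Added example, not from the liberationtech thread or from Twitter.
Everything here (AuthServer, scope names, app names) is constructed.
"""
import hashlib
import hmac
import os
import secrets
from dataclasses import dataclass, field


@dataclass
class Grant:
    token: str
    app: str
    scope: str          # constructed scopes: "full" (read+post) or "read"
    revoked: bool = False


@dataclass
class Account:
    salt: bytes
    pw_hash: bytes
    grants: dict = field(default_factory=dict)   # token -> Grant


class AuthServer:
    def __init__(self, revoke_on_password_change=False):
        self.accounts = {}
        # Hypothetical hardening switch: drop all grants when the password changes.
        self.revoke_on_password_change = revoke_on_password_change

    @staticmethod
    def _hash(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def register(self, user, password):
        salt = os.urandom(16)
        self.accounts[user] = Account(salt, self._hash(password, salt))

    def check_password(self, user, password):
        acct = self.accounts[user]
        return hmac.compare_digest(acct.pw_hash, self._hash(password, acct.salt))

    def authorize_app(self, user, password, app, scope):
        """The OAuth dance collapsed to one step: the user proves the password
        once, the app receives a bearer token and never sees the password again."""
        if not self.check_password(user, password):
            raise PermissionError("bad password")
        tok = secrets.token_urlsafe(32)
        self.accounts[user].grants[tok] = Grant(tok, app, scope)
        return tok

    def api_call(self, user, token, action):
        """action is 'read' or 'post'. Only the token is checked; the current
        password plays no part, which is exactly why changing it is not enough."""
        g = self.accounts[user].grants.get(token)
        if g is None or g.revoked:
            return False
        if action == "post" and g.scope != "full":
            return False
        return True

    def change_password(self, user, old, new):
        if not self.check_password(user, old):
            raise PermissionError("bad password")
        acct = self.accounts[user]
        acct.salt = os.urandom(16)
        acct.pw_hash = self._hash(new, acct.salt)
        if self.revoke_on_password_change:
            for g in acct.grants.values():
                g.revoked = True

    def revoke_app(self, user, app):
        """What the settings page 'revoke access' button does. Returns count revoked."""
        n = 0
        for g in self.accounts[user].grants.values():
            if g.app == app and not g.revoked:
                g.revoked = True
                n += 1
        return n

    def active_grants(self, user):
        return sorted((g.app, g.scope) for g in self.accounts[user].grants.values()
                      if not g.revoked)


def scenario(revoke_on_password_change=False):
    """Seized phone holds a full-access client token; owner changes password elsewhere."""
    srv = AuthServer(revoke_on_password_change)
    srv.register("reporter", "hunter2")                     # constructed credentials
    phone_tok = srv.authorize_app("reporter", "hunter2", "Twitter for Android", "full")
    cloud_tok = srv.authorize_app("reporter", "hunter2", "tweet cloud", "read")
    srv.change_password("reporter", "hunter2", "correct horse battery staple")
    phone_after_change = srv.api_call("reporter", phone_tok, "post")
    srv.revoke_app("reporter", "Twitter for Android")
    return {
        "phone_posts_after_password_change": phone_after_change,
        "phone_posts_after_revoke": srv.api_call("reporter", phone_tok, "post"),
        "analytics_can_post": srv.api_call("reporter", cloud_tok, "post"),
        "analytics_can_read": srv.api_call("reporter", cloud_tok, "read"),
        "remaining": srv.active_grants("reporter"),
    }


if __name__ == "__main__":
    print("default:", scenario())
    print("hardened:", scenario(revoke_on_password_change=True))
```

With the default setting the seized phone can still post after the password change and only stops once its grant is revoked, while the read-scoped analytics app was never able to post in the first place; with revoke_on_password_change=True every grant dies with the old password, which is the behaviour a detained user would want but also logs the owner out of every device at once.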