14. September 2010 · Twitter’s flawed OAuth implementation · Categories: Authentication

I meant to post this last week. Ryan Paul at ars technica wrote an important article detailing the flaws in Twitter’s implementation of OAuth. This matters because, with Basic authentication now switched off, OAuth is the only method for “users to grant a third-party application access to their account without having to provide that application with their credentials.” He also details the flaws of the OAuth 1.0a specification itself, but holds out hope for OAuth 2.0, which the IETF is currently drafting. Let’s hope they get it right this time.

Twitter officially disabled Basic authentication this week, the final step in the company’s transition to mandatory OAuth authentication. Sadly, Twitter’s extremely poor implementation of the OAuth standard offers a textbook example of how to do it wrong. This article will explore some of the problems with Twitter’s OAuth implementation and some potential pitfalls inherent to the standard. I will also show you how I managed to compromise the secret OAuth key in Twitter’s very own official client application for Android.

The article goes on to trash OAuth 1.0a as well:

…OAuth 1.0a is a horrible solution to a very difficult problem. It works acceptably well for server-to-server authentication, but there are far too many unresolved issues in the current specification for it to be used as-is on a widespread basis for desktop applications. It’s simply not mature enough yet.

There is hope though:

I think that OAuth 2.0—the next version of the standard—will address many of the problems and will make it safer and more suitable for adoption. The current IETF version of the 2.0 draft still requires a lot of work, however. It still doesn’t really provide guidance on how to handle consumer secret keys for desktop applications, for example. In light of the heavy involvement in the draft process by Facebook’s David Recordon, I’m really hopeful that the official standard will adopt Facebook’s sane and reasonable approach to that problem.

Finally:

Although I think that OAuth is salvageable and may eventually live up to the hype, my opinion of Twitter is less positive. The service seriously botched its OAuth implementation and demonstrated, yet again, that it lacks the engineering competence that is needed to reliably operate its service. Twitter should review the OAuth standard and take a close look at how Google and Facebook are using OAuth for guidance about the proper approach.
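To make concrete why the consumer secret is the crux of the desktop and mobile problem the quoted passages keep returning to, here is an added example of OAuth 1.0a HMAC-SHA1 request signing as RFC 5849 specifies it. It is not code from the ars technica article, from Twitter, or from this blog. The request, consumer key, token, nonce and timestamp are the sample values from RFC 5849 section 3.4.1.1; the two secrets and the two server-side dicts that stand in for Twitter’s database are constructed for this example. The point it demonstrates: the server validates a request by recomputing the HMAC with the secret registered for the consumer key, so a signature produced by someone who has extracted that secret from a shipped client is byte-identical to the official client’s, and the server has no way to tell the two apart.

```python
"""OAuth 1.0a (RFC 5849) HMAC-SHA1 signing, and why a consumer secret shipped
inside a client binary protects nothing. Added example; all secrets and the
"server database" dicts are constructed, the rest are RFC 5849 sample values."""
import base64
import hashlib
import hmac
from urllib.parse import parse_qsl, quote, urlsplit, urlunsplit

CONSUMER_KEY = "9djdj82h48djs9d2"   # public app identifier (RFC sample value)
CONSUMER_SECRET = "j49sk3j29djd"    # constructed; a client binary must embed it
TOKEN = "kkk9d7dh3k39sjv7"          # user's access token (RFC sample value)
TOKEN_SECRET = "dh893hdasih9"       # constructed; issued alongside TOKEN

REGISTERED_CONSUMERS = {CONSUMER_KEY: CONSUMER_SECRET}  # constructed server state
ISSUED_TOKENS = {TOKEN: TOKEN_SECRET}

RFC_METHOD = "POST"
RFC_URL = "http://example.com/request?b5=%3D%253D&a3=a&c%40=&a2=r%20b"
RFC_BODY = parse_qsl("c2&a3=2+q", keep_blank_values=True)  # form-encoded body
RFC_OAUTH = {
    "oauth_consumer_key": CONSUMER_KEY,
    "oauth_token": TOKEN,
    "oauth_signature_method": "HMAC-SHA1",
    "oauth_timestamp": "137131201",
    "oauth_nonce": "7d8f3e4a",
}


def pct_encode(s):
    """RFC 5849 section 3.6: only unreserved characters are left bare."""
    return quote(s, safe="-._~")


def base_string_uri(url):
    """Section 3.4.1.2: lowercase scheme/host, drop default port, query, fragment."""
    p = urlsplit(url)
    host = p.hostname
    if p.port and (p.scheme, p.port) not in (("http", 80), ("https", 443)):
        host = f"{host}:{p.port}"
    return urlunsplit((p.scheme.lower(), host, p.path or "/", "", ""))


def signature_base_string(method, url, oauth_params, body_params=()):
    """Section 3.4.1: METHOD & enc(base URI) & enc(normalized parameters)."""
    pairs = parse_qsl(urlsplit(url).query, keep_blank_values=True)
    pairs += list(body_params)
    pairs += [(k, v) for k, v in oauth_params.items() if k != "oauth_signature"]
    # Section 3.4.1.3.2: encode name and value, sort by name then value, join with &.
    encoded = sorted((pct_encode(k), pct_encode(v)) for k, v in pairs)
    normalized = "&".join(f"{k}={v}" for k, v in encoded)
    return "&".join([method.upper(), pct_encode(base_string_uri(url)), pct_encode(normalized)])


def hmac_sha1_signature(base_string, consumer_secret, token_secret=""):
    """Section 3.4.2: HMAC key is enc(consumer secret) & enc(token secret)."""
    key = f"{pct_encode(consumer_secret)}&{pct_encode(token_secret)}".encode()
    return base64.b64encode(hmac.new(key, base_string.encode(), hashlib.sha1).digest()).decode()


def sign(method, url, oauth_params, consumer_secret, token_secret="", body_params=()):
    """Client side. Nothing here requires being the official client, only the secrets."""
    signed = dict(oauth_params)
    base = signature_base_string(method, url, signed, body_params)
    signed["oauth_signature"] = hmac_sha1_signature(base, consumer_secret, token_secret)
    return signed


def verify(method, url, oauth_params, body_params=()):
    """Server side: recompute with the secret registered for oauth_consumer_key.
    A real server also checks nonce/timestamp freshness; omitted here."""
    consumer_secret = REGISTERED_CONSUMERS.get(oauth_params.get("oauth_consumer_key"))
    if consumer_secret is None:
        return False
    token_secret = ISSUED_TOKENS.get(oauth_params.get("oauth_token"), "")
    base = signature_base_string(method, url, oauth_params, body_params)
    expected = hmac_sha1_signature(base, consumer_secret, token_secret)
    return hmac.compare_digest(expected, oauth_params.get("oauth_signature", ""))


def rfc_base_string():
    """Base string for the RFC 5849 section 3.4.1.1 sample request."""
    return signature_base_string(RFC_METHOD, RFC_URL, RFC_OAUTH, RFC_BODY)


def official_client_accepted():
    req = sign(RFC_METHOD, RFC_URL, RFC_OAUTH, CONSUMER_SECRET, TOKEN_SECRET, RFC_BODY)
    return verify(RFC_METHOD, RFC_URL, req, RFC_BODY)


def impostor_indistinguishable():
    """Whoever pulled CONSUMER_SECRET out of the shipped client, and holds any valid
    token (the same one here so the two signatures can be compared), produces the
    exact signature the official client would; the server accepts it as that app."""
    extracted_secret = CONSUMER_SECRET  # what reversing the client binary yields
    official = sign(RFC_METHOD, RFC_URL, RFC_OAUTH, CONSUMER_SECRET, TOKEN_SECRET, RFC_BODY)
    impostor = sign(RFC_METHOD, RFC_URL, RFC_OAUTH, extracted_secret, TOKEN_SECRET, RFC_BODY)
    same = official["oauth_signature"] == impostor["oauth_signature"]
    return same and verify(RFC_METHOD, RFC_URL, impostor, RFC_BODY)


def tampered_request_rejected():
    """Without the secrets, altering any signed parameter in transit breaks the HMAC."""
    req = sign(RFC_METHOD, RFC_URL, RFC_OAUTH, CONSUMER_SECRET, TOKEN_SECRET, RFC_BODY)
    return not verify(RFC_METHOD, RFC_URL, req, [("c2", ""), ("a3", "something else")])


def guessed_secret_rejected():
    """Right consumer key, wrong secret: refused, which is all the secret ever bought."""
    req = sign(RFC_METHOD, RFC_URL, RFC_OAUTH, "not-the-real-secret", TOKEN_SECRET, RFC_BODY)
    return not verify(RFC_METHOD, RFC_URL, req, RFC_BODY)


if __name__ == "__main__":
    print(rfc_base_string())
    for check in (official_client_accepted, impostor_indistinguishable,
                  tampered_request_rejected, guessed_secret_rejected):
        print(f"{check.__name__}: {check()}")
```

The four scenario functions are the practical reading of the quoted complaint: the signature proves possession of the consumer secret and nothing more, so for a server-to-server integration the secret identifies the application, while for a client that has to carry the secret on the user's device it identifies only "anyone who unpacked the binary". Once a shipped secret is public the server's only remedy is to revoke that key pair, which breaks every installed copy of the client at once; that is the gap the quoted passage says the OAuth 2.0 draft of the time still left unaddressed.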