Friday, September 10, 2010

OAuth and Twitter's implementation

Last month Twitter officially made OAuth the only way for third-party applications to access users' data. What is OAuth and what does this mean for regular users?

OAuth 1.0 is published by the Internet Engineering Task Force as RFC 5849 (April 2010). It provides a method for users to authorize third-party applications to access their resources without sharing their credentials (username and password) with the application. The protocol grew out of the need for delegated access to user-controlled resources, for example by mashups; the first version, OAuth Core 1.0, was released by a community working group in December 2007. It is now widely used by many web sites.

A good example is a web user granting a third-party service, such as a photo printing service, access to the user's private data (photos). In this scenario the user does not hand over credentials, only an authorization to access that specific data.

The service provider (the site holding the data) is responsible for all authentication; the third party (the "consumer" in OAuth 1.0 terms) never sees the user's password. Typically the third party registers with the service provider and receives a consumer key and a consumer secret. When it needs access, it obtains a temporary request token from the provider, sends the user to the provider's authorization page, and the provider prompts the user to grant the specific access requested. Once the user approves, the third party exchanges the request token for an access token and uses that token, together with its consumer secret, to sign each request for the private data. The Yahoo developer site provides an excellent overview of this authorization process.
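To make the signing step concrete, here is an added Python example (not from the original post, and not Twitter's or Yahoo's code): an RFC 5849 HMAC-SHA1 signer for the consumer side and a matching verifier for the service provider side. The credentials, nonce and timestamp are the constructed values from the worked example in Appendix A of the original OAuth Core 1.0 specification, so the expected signature is known; the function names are mine. Note that the consumer secret is half of the HMAC key, which is why a leaked client secret matters.

```python
"""OAuth 1.0 (RFC 5849) HMAC-SHA1 request signing and provider-side verification."""
import base64
import hashlib
import hmac
import secrets
import time
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed sample credentials, taken from the OAuth Core 1.0 Appendix A example (not real).
CONSUMER_KEY = "dpf43f3p2l4k3l03"
CONSUMER_SECRET = "kd94hf93k423kf44"
ACCESS_TOKEN = "nnch734d00sl2jdk"
TOKEN_SECRET = "pfkkdhi9sl3r4s00"
PHOTO_URL = "http://photos.example.net/photos?file=vacation.jpg&size=original"

_UNRESERVED = frozenset("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-._~")


def percent_encode(value):
    """RFC 5849 section 3.6: encode every byte except ALPHA, DIGIT, '-', '.', '_', '~'."""
    return "".join(chr(b) if chr(b) in _UNRESERVED else "%%%02X" % b for b in str(value).encode("utf-8"))


def base_string_uri(url):
    """RFC 5849 section 3.4.1.2: lowercase scheme and host, drop default port and query."""
    parts = urlsplit(url)
    scheme, host, port = parts.scheme.lower(), parts.hostname.lower(), parts.port
    if port and (scheme, port) not in (("http", 80), ("https", 443)):
        host = "%s:%d" % (host, port)
    return "%s://%s%s" % (scheme, host, parts.path or "/")


def signature_base_string(method, url, params):
    """RFC 5849 section 3.4.1: METHOD & encoded base URI & encoded normalized parameters."""
    pairs = sorted((percent_encode(k), percent_encode(v)) for k, v in params)  # sort by name, then value
    normalized = "&".join("%s=%s" % kv for kv in pairs)
    return "&".join([method.upper(), percent_encode(base_string_uri(url)), percent_encode(normalized)])


def hmac_sha1_signature(base_string, consumer_secret, token_secret=""):
    """RFC 5849 section 3.4.2: the HMAC key is encoded consumer secret '&' encoded token secret."""
    key = (percent_encode(consumer_secret) + "&" + percent_encode(token_secret)).encode("ascii")
    return base64.b64encode(hmac.new(key, base_string.encode("ascii"), hashlib.sha1).digest()).decode("ascii")


def sign_request(method, url, body_params=None, *, consumer_key, consumer_secret,
                 token="", token_secret="", nonce=None, timestamp=None):
    """Consumer side: build the oauth_* parameters, sign, and return (base string, signature, header)."""
    oauth = {
        "oauth_consumer_key": consumer_key,
        "oauth_nonce": nonce or secrets.token_hex(16),
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_timestamp": str(timestamp or int(time.time())),
        "oauth_version": "1.0",
    }
    if token:
        oauth["oauth_token"] = token
    params = parse_qsl(urlsplit(url).query, keep_blank_values=True) + list((body_params or {}).items()) + list(oauth.items())
    base = signature_base_string(method, url, params)
    oauth["oauth_signature"] = hmac_sha1_signature(base, consumer_secret, token_secret)
    header = "OAuth " + ", ".join('%s="%s"' % (k, percent_encode(v)) for k, v in sorted(oauth.items()))
    return base, oauth["oauth_signature"], header


def parse_authorization_header(header):
    """Parse 'OAuth k="v", k2="v2"' into a dict, percent-decoding the values."""
    if not header.startswith("OAuth "):
        return {}
    fields = (part.strip().partition("=") for part in header[6:].split(","))
    return {k: unquote(v.strip('"')) for k, _, v in fields}


def verify_request(method, url, header, body_params, *, consumer_secrets, token_secrets,
                   seen_nonces, now=None, window=300):
    """Provider side: recompute the signature; reject unknown keys, stale timestamps and replays."""
    oauth = parse_authorization_header(header)
    required = ("oauth_consumer_key", "oauth_nonce", "oauth_timestamp", "oauth_signature")
    if any(k not in oauth for k in required) or oauth.get("oauth_signature_method") != "HMAC-SHA1":
        return False
    consumer_secret = consumer_secrets.get(oauth["oauth_consumer_key"])
    token = oauth.get("oauth_token", "")
    if consumer_secret is None or (token and token not in token_secrets):
        return False
    ts = int(oauth["oauth_timestamp"])
    if abs((now if now is not None else int(time.time())) - ts) > window:
        return False
    nonce_key = (oauth["oauth_consumer_key"], ts, oauth["oauth_nonce"])  # uniqueness is per consumer+timestamp
    if nonce_key in seen_nonces:
        return False
    params = parse_qsl(urlsplit(url).query, keep_blank_values=True) + list((body_params or {}).items())
    params += [(k, v) for k, v in oauth.items() if k.startswith("oauth_") and k != "oauth_signature"]
    expected = hmac_sha1_signature(signature_base_string(method, url, params), consumer_secret,
                                   token_secrets.get(token, "") if token else "")
    if not hmac.compare_digest(expected, oauth["oauth_signature"]):  # constant-time compare
        return False
    seen_nonces.add(nonce_key)
    return True


if __name__ == "__main__":
    base, sig, header = sign_request("GET", PHOTO_URL, consumer_key=CONSUMER_KEY, consumer_secret=CONSUMER_SECRET,
                                     token=ACCESS_TOKEN, token_secret=TOKEN_SECRET,
                                     nonce="kllo9940pd9333jh", timestamp=1191242096)
    print(base)
    print(sig)      # tR3+Ty81lMeYAr/Fid0kMTYa/WM=
    print(header)
    nonces = set()
    kw = dict(consumer_secrets={CONSUMER_KEY: CONSUMER_SECRET}, token_secrets={ACCESS_TOKEN: TOKEN_SECRET},
              seen_nonces=nonces, now=1191242096)
    print("valid:", verify_request("GET", PHOTO_URL, header, {}, **kw))            # True
    print("replay:", verify_request("GET", PHOTO_URL, header, {}, **kw))           # False: nonce already seen
    print("tampered:", verify_request("GET", PHOTO_URL.replace("original", "large"), header, {},
                                      **dict(kw, seen_nonces=set())))              # False: signature mismatch
```

The verifier keeps a set of (consumer key, timestamp, nonce) triples so a captured request cannot be replayed, and bounds the timestamp so that set does not grow without limit. Anyone who holds the consumer secret can run `sign_request` exactly as the legitimate client does; the provider has no way to tell the two apart, which is the problem discussed in the next section.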

Are there any known risks?

A recent article at Ars Technica discusses the weaknesses of Twitter's OAuth implementation: the writer was able to extract the consumer secret from Twitter's own official client application for Android. Once that secret is known, anyone can request tokens in the name of the official client. A user who approves the resulting authorization prompt, which looks as if it came from the genuine application, unknowingly exposes their private data.

Key takeaways

Key takeaways for end users:
  • Be aware of which third-party applications you allow access to your data.
  • Periodically review the applications that have been granted access and revoke the ones you no longer need.
  • Understand that changing your password does not revoke the access tokens already issued to these applications; you have to revoke them explicitly.
