OAuth No Guarantee Against Nefarious Behavior

« »

Twitter has implemented the OAuth login system, allowing for users to centrally control what sites have access to their Twitter accounts, without having to share their passwords with the third parties. This improvement means that there is less risk of the full account credentials being used nefariously, since the user has to log into the session and explicitly authorize the behavior.

But this doesn’t mean that individuals are completely safe from nefarious behavior at the hands of third-party application providers.

Take for example Twibbon. Twibbon is a service that allows you to place a badge on your Twitter icon. Many of my followers have used Twibbon to decorate with sports teams, frameworks they prefer, or other icons. I even used it to add a Clemson tiger paw to my icon for a bit. But Twibbon is evil.

But Twibbon does some pretty uncool things. First, as soon as you add the icon they post a tweet “on your behalf” announcing that you use Twibbon and suggesting that your followers should, too. They do not, of course, give the option to opt out of this behavior. That’s strike one.

Strike two was the discovery today that Twibbon also adds themselves to your follower list. That’s right – without asking, they automatically follow themselves with your account. This behavior is not well disclosed, either, nor can you opt out.

But for the third strike, they had to go one step further and do something completely nefarious and rude: they also take the liberty of marking their Twitter updates as updates that should be sent out via SMS. I discovered this trick when I was examining the list of people that I follow. I don’t have any updates sent to me via SMS, except for direct messages, because I don’t like using my text messages when I can just read tweets on my iPhone for free (using Tweetie).

Technically, Twibbon discloses most of this behavior. In little tiny letters, they tell you that they are going to tweet on your behalf and have you follow them. But the do not disclose that they will be signing you up for SMS updates.

Services like Twibbon provide value to Twitter, but they cannot be allowed to simply opt you into their marketing schemes on a whim. Not when they’re given read and write access to your account. OAuth helps keep nefarious behavior in check, but doesn’t prevent it altogether. Twitter needs to do more to ensure that services like Twibbon disclose and allow for the opt-out of these kinds of actions.

Brandon Savage is the author of Mastering Object Oriented PHP and Practical Design Patterns in PHP

Posted on 9/30/2009 at 6:00 pm
Categories: Uncategorized
Tags: ,

Pádraic Brady (@padraicb) wrote at 9/30/2009 6:54 pm:

There’s not really a whole lot Twitter can do to prevent misuse. I’ve always simply supported the approach of having the OAuth confirmation page (when you give your consent) spell out as clearly as possible the implications of your decisions. But, so long as write access is applied to the entire API of a service, without the possibility of more fine grained authorisation, this sort of misuse will always be possible.

Herman Radtke (@hermanradtke) wrote at 9/30/2009 9:44 pm:

OAuth is doing exactly what it claims to do: provide an authentication mechanism for two different parties to communicate. I don’t recall reading anything about it enforcing restrictions on what the two parties can or cannot do.

What Twibbon does after you allow them access is outside the scope of any authentication mechanism.

Joshua May (@notjosh) wrote at 10/1/2009 12:23 am:

It sounds like Twibbon does that as a one-off transaction when you perform the OAuth.

But for longer term recurring things (i.e. if an app keeps posting to your timeline), you can revoke its access at http://twitter.com/account/connections

Pádraic Brady (@padraicb) wrote at 10/1/2009 5:14 am:

@Herman Er, not so. OAuth has full support for scoping the granted authorisation – http://oauth.net/core/1.0a#anchor33. All that is required is a little work from the service provider to apply it. Unfortunately, most services simply apply a global authorisation or differentiate between two simple roles: read access, or read and write access. So OAuth can be used to limit access on a finer grained basis. Brandon’s assertion remains true – OAuth is not a guarantee and user beware.

Gerard wrote at 10/1/2009 11:11 am:

I’ve only recently been looking into OAuth and on the face of it I think it will be great for the computer literate but disasterous for lowest common denomenator and that could be it’s downfall.

It appears too whimsical to me, that said it is without a doubt far better than giving somebody your concrete credentials.

I look forward to test driving it with Twitter.

Herman Radtke (@hermanradtke) wrote at 10/1/2009 12:40 pm:

@padraicb From the link you provided: “By itself, OAuth does not provide any method for scoping the access rights granted to a Consumer.” I stand by my statement.

Pádraic Brady (@padraicb) wrote at 10/2/2009 6:51 am:

You said “I don’t recall reading anything about it enforcing restrictions on what the two parties can or cannot do.” Using scoping, OAuth may be used to enforce a restriction since the Consumer can cross match the authorisation token against the current scope and accept or decline the action presented. This is not built into the spec of course, it must be implemented by the provider.

Jonathan Joyce (@BrianBBrian) wrote at 10/9/2009 8:51 pm:

Hi Brandon, thanks for the blog post. Despite it being quite negative about our service we do genuinely appreciate the feedback.

As you say we do actually disclose the fact that as part of the process of supporting a cause you will send out a support tweet for the cause and follow the twibbon account. We would have to agree that specifically in relation to the notification settings it is not at all clear for users that they will have SMS updates enabled. Sincere apologies for this oversight. I assure you this was not a marketing ploy but an attempt to keep users informed of relevant activity on our service. You can see that we have used the Twibbon account very conservatively because we are aware of the balance between supporting users and spamming them.

Looking at our stats we can see that for an astonishing 99.999% of our users this setting will have no affect because they do not have notifications enabled.

As a result of your comments and in consideration of the limited number of users benefiting from this option we have decided to remove this feature.

Thanks for helping us refine the service. With Twibbon we adopted the ‘Ship It!’ approach to product development which means we depend on our users to help us in this way. We have always tried to ensure that we have enough resources to properly monitor and respond to feedback as it arises but we accept that this has not been a great experience for you.

« »

Copyright © 2023 by Brandon Savage. All rights reserved.