[Owasp-ireland] Twitter and OAuth
peter.m.mcevoy at gmail.com
Thu Sep 2 05:58:24 EDT 2010
Now that I've finally de-lurked, I thought I'd share my frustration at the
recent Twitter OAuth announcement.
When I first heard about it, I was thinking it was fantastic, and that
finally the great unwashed public would start to be taught what proper web
security looks like.
Next day, I discovered that my Twitterific for iPhone had stopped working
and, perversely, I was actually delighted about that too: if you are gonna
enforce a standard, and the app writers haven't bothered to update, then
their loss (if only we could convince the public to let go of IE6).
So I thought that I'd download the approved and much touted TweetDeck for
iPhone. Only to discover that during set up it asks for my password and
*authorizes itself*. In fact, if I de-authorize the app on the website, I
discovered that the app can reauthorize itself *because TweetDeck stores the
password* - it does NOT ask me to re-enter.
What's the point in announcing that "Applications are no longer allowed to
store your password" and "You can revoke access to any application at any
time from the [connections] list" (their words)?
One step forward, and two steps back... (or maybe not _quite_ so
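As an added illustration of the point made in the post above (this is example code written for this page, not the original message, Twitter's API, or TweetDeck's code), the toy Python model below stands up a minimal OAuth 1.0a-style authorization server with HMAC-SHA1 request signing, an xAuth-style password-for-token exchange, and a "connections page" revoke. Two clients then hit it: one that keeps only the access token, and one that also keeps the user's password and silently re-exchanges it after a 401. After the user revokes both, only the token-only client actually stays locked out. All credentials, consumer keys and the API URL are constructed placeholders; the server stores plaintext passwords and skips nonce/timestamp replay checks purely to keep the model short.

```python
"""Toy model: an OAuth client that keeps the user's password can re-authorise
itself after the user revokes it. Added example, not real Twitter/TweetDeck code."""
import base64
import hashlib
import hmac
import secrets
import time
from urllib.parse import quote


def _enc(s):
    # RFC 5849 percent-encoding: only unreserved characters are left alone
    return quote(str(s), safe="-._~")


def oauth_signature(method, url, params, consumer_secret, token_secret):
    """OAuth 1.0a HMAC-SHA1 signature over the signature base string."""
    normalized = "&".join(f"{_enc(k)}={_enc(v)}" for k, v in sorted(params.items()))
    base = "&".join([method.upper(), _enc(url), _enc(normalized)])
    key = f"{_enc(consumer_secret)}&{_enc(token_secret)}".encode()
    return base64.b64encode(hmac.new(key, base.encode(), hashlib.sha1).digest()).decode()


class AuthServer:
    """Service side: issues and revokes access tokens, verifies signed calls."""

    def __init__(self):
        self.users = {}      # username -> password (toy only; a real server stores a hash)
        self.consumers = {}  # consumer_key -> consumer_secret
        self.tokens = {}     # access_token -> {"secret", "user", "consumer"}

    def register_user(self, username, password):
        self.users[username] = password

    def register_consumer(self, key):
        self.consumers[key] = secrets.token_hex(16)
        return self.consumers[key]

    def password_exchange(self, consumer_key, username, password):
        """xAuth-style grant: username+password handed straight to the app for a token."""
        if consumer_key not in self.consumers or self.users.get(username) != password:
            raise PermissionError("bad credentials")
        token = secrets.token_hex(8)
        self.tokens[token] = {"secret": secrets.token_hex(16), "user": username, "consumer": consumer_key}
        return token, self.tokens[token]["secret"]

    def revoke(self, username, consumer_key):
        """What the user does from the 'connections' page: kill every token for that app."""
        for t in [t for t, v in self.tokens.items() if v["user"] == username and v["consumer"] == consumer_key]:
            del self.tokens[t]

    def verify(self, method, url, params):
        """True only if the request is signed with a live token belonging to the named consumer."""
        params = dict(params)
        sig = params.pop("oauth_signature", None)
        tok = self.tokens.get(params.get("oauth_token"))
        csec = self.consumers.get(params.get("oauth_consumer_key"))
        if sig is None or tok is None or csec is None or tok["consumer"] != params["oauth_consumer_key"]:
            return False
        return hmac.compare_digest(sig, oauth_signature(method, url, params, csec, tok["secret"]))


class Client:
    """A third-party app. keep_password=True models the behaviour the post complains about."""
    URL = "https://api.example.invalid/1/statuses/update.json"  # placeholder endpoint

    def __init__(self, server, consumer_key, consumer_secret, keep_password):
        self.server, self.ckey, self.csecret = server, consumer_key, consumer_secret
        self.keep_password = keep_password
        self.username = self.token = self.token_secret = None
        self.stored_password = None  # only ever populated when keep_password is True

    def login(self, username, password):
        self.username = username
        if self.keep_password:
            self.stored_password = password
        self.token, self.token_secret = self.server.password_exchange(self.ckey, username, password)

    def post(self, status):
        """Signed API call; on rejection, re-authorise only if we still hold the password."""
        params = {"oauth_consumer_key": self.ckey, "oauth_token": self.token or "",
                  "oauth_nonce": secrets.token_hex(8), "oauth_timestamp": str(int(time.time())),
                  "oauth_signature_method": "HMAC-SHA1", "oauth_version": "1.0", "status": status}
        params["oauth_signature"] = oauth_signature("POST", self.URL, params, self.csecret, self.token_secret or "")
        if self.server.verify("POST", self.URL, params):
            return "ok"
        if self.stored_password is not None:   # silent re-auth: revocation is meaningless
            self.login(self.username, self.stored_password)
            return self.post(status)
        return "needs user re-authorisation"  # token-only client: revocation sticks


def run_scenario():
    """Both apps work, the user revokes both, only the token-only app stays revoked."""
    server = AuthServer()
    server.register_user("peter", "hunter2")  # constructed sample credentials
    sticky = Client(server, "app-keeps-password", server.register_consumer("app-keeps-password"), True)
    clean = Client(server, "app-token-only", server.register_consumer("app-token-only"), False)
    sticky.login("peter", "hunter2")
    clean.login("peter", "hunter2")
    before = (sticky.post("hello"), clean.post("hello"))
    server.revoke("peter", "app-keeps-password")
    server.revoke("peter", "app-token-only")
    after = (sticky.post("still here?"), clean.post("still here?"))
    return {"before": before, "after": after}


if __name__ == "__main__":
    print(run_scenario())
```

The takeaway matches the post: revoking a token only helps if the token is the only thing the app holds. The signing and verification code is standard OAuth 1.0a HMAC-SHA1 construction (base string of method, URL and sorted parameters, key of consumer secret and token secret), but the server omits the nonce and timestamp replay checks a real implementation needs.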