[Owasp-ireland] Twitter and OAuth

Peter McEvoy peter.m.mcevoy at gmail.com
Thu Sep 2 05:58:24 EDT 2010


Now that I've finally de-lurked, I thought I'd share my frustration at the
recent Twitter OAuth announcement.

When I first heard about it, I was thinking it was fantastic, and that
finally the great unwashed public would start to be taught what proper web
security looks like.

Next day, I discovered that my Twitterrific for iPhone had stopped working
and, perversely, I was actually delighted about that too: if you are gonna
enforce a standard, and the app writers haven't bothered to update, then
their loss (if only we could convince the public to let go of IE6).

So I thought that I'd download the approved and much touted TweetDeck for
iPhone. Only to discover that during setup it asks for my password and
*authorizes itself*. In fact, if I de-authorize the app on the website, I
discovered that the app can reauthorize itself *because TweetDeck stores the
password* - it does NOT ask me to re-enter.

What's the point in announcing that "Applications are no longer allowed to
store your password" and "You can revoke access to any application at any
time from the [connections] list" (their words)?

One step forward, and two steps back...  (or maybe not _quite_ so
negative...)

Pete
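A toy model of the revocation problem the post describes, added here as an example and not code from the post, from Twitter or from TweetDeck: one client keeps only the access token it was issued, the other also keeps the password, and only the first one is actually cut off when the user revokes access. The server class, client names and sample credentials are all constructed for the illustration.

```python
import secrets


class AuthServer:
    # Toy authorization server (constructed, not Twitter's API): it checks the
    # password once, hands out an opaque token, and lets the user revoke it.
    def __init__(self, username: str, password: str):
        self._users = {username: password}  # constructed sample credential
        self._tokens = {}                    # token -> client name

    def exchange_password(self, username: str, password: str, client: str) -> str:
        # xAuth-style exchange: a correct password yields a fresh token.
        expected = self._users.get(username, "")
        if not secrets.compare_digest(password, expected):
            raise PermissionError("bad credentials")
        token = secrets.token_hex(8)
        self._tokens[token] = client
        return token

    def revoke(self, client: str) -> None:
        # The "revoke access from the connections list" action.
        self._tokens = {t: c for t, c in self._tokens.items() if c != client}

    def api_call(self, token: str) -> bool:
        return token in self._tokens


class Client:
    # keep_password=False is the well-behaved OAuth client; keep_password=True
    # models the flaw the post describes (password retained, silent re-auth).
    def __init__(self, server, name, username, password, keep_password):
        self.server, self.name = server, name
        self.token = server.exchange_password(username, password, name)
        self._creds = (username, password) if keep_password else None

    def post_tweet(self) -> bool:
        if not self.server.api_call(self.token) and self._creds:
            self.token = self.server.exchange_password(*self._creds, self.name)
        return self.server.api_call(self.token)


def revocation_outcome() -> dict:
    # Revoke both clients, then report which one can still post afterwards.
    srv = AuthServer("alice", "hunter2-sample")  # constructed user and password
    good = Client(srv, "token-only-app", "alice", "hunter2-sample", False)
    bad = Client(srv, "password-app", "alice", "hunter2-sample", True)
    srv.revoke("token-only-app")
    srv.revoke("password-app")
    return {"token-only-app": good.post_tweet(), "password-app": bad.post_tweet()}
```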