• Speaking
  • Downloads
  • About Talking Identity
  • About Me

The Dilemma of the OAuth Token Collector

  • Posted on:February 5, 2013
  • Posted in:Personal Identity Management
  • Posted by:Nishant Kaushik
6

‘Tis the season to be hacked, I guess. Twitter joined a bunch of other companies in revealing that it was the target of a sophisticated attack that may have exposed the information for about 250,000 users. While the data that was allegedly exposed, including encrypted/salted versions of passwords, was not as bad as in some other attacks recently, Twitter did take some proactive measures in resetting passwords (and letting the users know that they need to set a new one) and revoking session tokens. And in what is quickly becoming a sad industry pattern for websites that get hacked, it is now considering adding two factor authentication.

But what is far more interesting to consider are the ramifications this hack and Twitters response measures have had (or not had, depending on who you talk to) on the ecosystem that integrates with Twitter via it’s OAuth implementation. This article brought up the fact that 3rd party apps authorized to interact with Twitter are still able to tweet despite the passwords being reset. In other words, the resetting of the password had no impact on whether they still had access to the account. Why is this important? Because if you consider one of the possible motives behind the hack, the attacker could have used the time that they had control of the account to add an additional application (a Twitter client like Hootsuite, for example) to the list of authorized applications by going through the flow and issuing an OAuth token. Now, even after the password has been reset by Twitter and control of the account restored to its rightful owner, the attacker still has access to the Twitter account through that app. They are therefore able to send out tweets as that account, which would probably get noticed and caught pretty quickly (though an unsophisticated user may not know how to tackle it, and might just re-reset their password and think that it will fix the issue). Or worse, the attacker could simply spy undetected on the direct messages for that account, for a very long time. In this brand driven world of celebrities, politicians and corporations increasingly built on Twitter, think of the significant damage that could be done.

And you can extrapolate from this issues that could arise in the case of mobile apps in the enterprise. What impact does cutting off SSO access or changing an account password have on the access that an app a user installed on their mobile device has? BYOD has made this a very real challenge for your IAM program.

So, what should have been done here?

Should the password reset have automatically revoked the OAuth token for every single authorized app? If you’re like Paul here, that may be a huge inconvenience.

Madsen54Apps

Paul may be an extreme example (unkinder words have been uttered for him). But in a world where we all have multiple services and multiple devices that we use to access Twitter, the number can get up there pretty quickly. I checked my number, and it turned out to be 13, but that’s with me being pretty ruthless about going in and removing stuff I haven’t used in a while. This led to a nice little discussion on Twitter (which I captured), but no consensus on a solution.

My perspective is that since it is usually hard to pinpoint the exact time at which an account got compromised, all tokens should be immediately revoked. This is especially relevant in scenarios where a targeted individual (as opposed to a whole group of users) gets hacked. And yes, it may be painful to have to go through and reauthorize all your apps, but it will at least get you to clean up those apps (and maybe come d0wn to a more reasonable number, Paul). I’ve written in the past that reviewing which 3rd party apps have access to your cloud services on a periodic basis is a crucial step to maintaining your security posture. And as you can see from the feedback message Paul got when he changed his password, Twitter did ask him to do just that.

As for what other measures are needed to handle this in the enterprise? That’s the topic for a whole other blog post.

(Infographic from Geraldes’s Blog)

Be Sociable, Share!

Tags: Hack AttackOAuthPasswords Must DieToken ManagementTwitter
  • http://twitter.com/independentid Phil Hunt

    Would have thought the only tokens that need to be revoked are those issued recently after the suspected password compromise. A compromise of the password does not retroactively compromise tokens.

  • Anonymous

    Phil, as I noted in my response to Paul, the service provider (Twitter in this case) may not always know when the breach occurred. If there is a way to do a more targeted revocation based on data, then I’m all for it.

  • http://twitter.com/ryan_blain Ryan Blain

    Great post. I’ll be spending a good part of my day considering the ramifications (thanks?). One could argue that Twitter was able to pinpoint the exact time in this case though, and that such pinpointing is more common than not. However, that certainly shouldn’t discount the points you make.

    I’m really curious how only 250k accounts were exposed though. Any insight into what was compromised?

  • Anonymous

    You’re right.In this case Twitter probably had a general idea of the timeline of the breach. So a targeting revocation would be possible, IF they have that capability. I would reasonably guess that most services don’t design for that.
    No insight into the specifics of the breach yet. Looking to find out more, but not holding out hope.

  • Anonymous

    My guess is that only an identity geek would actually survey with dismay the idea of proactively re-authorizing all the apps after Twitter kills tokens. Everyone else on the planet will just go about their regular routine, happy in their oblivion, and be challenged for their password when one of the previously authenticated apps attempts to access twitter and fails. They probably won’t even link the twitter hack with the password prompt. Apps slowly get reauthorized over time, and everybody lives happily ever after…

  • Anonymous

    Good point Pam. Call it natural selection.

Recent Posts

The Conundrum of 2FA meets the Enigma that is PAM
"It's a mystery. Broken into a jigsaw puzzle. Wrapped in a conun...
The Dilemma of the OAuth Token Collector
'Tis the season to be hacked, I guess. Twitter joined a bunch of...
Why 2013 will be 'The Year of the SCUID'
I'm just now coming back to earth from the high I've been on sin...
The IDaaS Powered World
Last week I was in Colorado for the Defrag and Blur conferences....
What Happens When Telco's Declare SMS 'Unsafe'?
If you've been following Authentication related discussions, you...

Recent Comments

Bob Pinheiro on
The Conundrum of 2FA meets the Enigma that is PAM
8 weeks ago

NishantKaushik on
The IDaaS Powered World
8 weeks ago

Nikolaj Ivancic on
The IDaaS Powered World
16 weeks ago

on
The Dilemma of the OAuth Token Collector
18 weeks ago

on
The Dilemma of the OAuth Token Collector
18 weeks ago

Tags

Application-Centric IdM Burton Catalyst Conference Cloud Computing Cloud Identity Model Facebook Federated Provisioning Identity Governance Identity Governance Framework Identity in Social Networking Identity Management Identity Services IGF OpenID Oracle Identity Management Oracle Identity Manager Oracle OpenWorld Oracle_IDM Password Management Personal Identity Management Privacy Provisioning Risk Management Role Management Service-Oriented Security User-Centric Identity

Connect

Twitter Follow @NishantK

LinkedIn Connect on LinkedIn

Slideshare View Nishant's Presentations

About Me nishantkaushik.com

Categories

  • Ask Dr. K (11)
  • Identity Services (36)
  • Identropy IDaaS (2)
  • Insight IdM (124)
  • Oracle Identity Management (61)
  • Personal Identity Management (32)
  • The Cloud Identity Series (17)
  • Tips & Techniques (4)
  • User-Centric Identity (24)

Archives

  • ► 2013 (3)
    • April (1)
    • February (1)
    • January (1)
  • ► 2012 (13)
    • November (2)
    • August (3)
    • July (2)
    • June (2)
    • May (1)
    • February (3)
  • ► 2011 (29)
    • December (1)
    • November (1)
    • October (1)
    • September (2)
    • August (3)
    • July (4)
    • June (5)
    • May (3)
    • April (4)
    • February (2)
    • January (3)
  • ► 2010 (33)
    • December (1)
    • October (1)
    • September (4)
    • August (5)
    • July (6)
    • June (4)
    • May (3)
    • April (2)
    • March (3)
    • February (2)
    • January (2)
  • ► 2009 (24)
    • December (1)
    • November (1)
    • October (3)
    • September (3)
    • August (4)
    • July (2)
    • June (2)
    • May (3)
    • April (1)
    • February (2)
    • January (2)
  • ► 2008 (44)
    • December (1)
    • October (4)
    • September (4)
    • August (8)
    • July (11)
    • June (4)
    • May (2)
    • April (2)
    • March (3)
    • February (3)
    • January (2)
  • ► 2007 (56)
    • December (3)
    • November (5)
    • October (6)
    • September (5)
    • August (8)
    • July (5)
    • June (9)
    • May (3)
    • April (2)
    • March (5)
    • February (5)
  • ► 2006 (33)
    • December (4)
    • November (2)
    • October (6)
    • September (1)
    • August (2)
    • July (3)
    • June (5)
    • May (3)
    • April (2)
    • March (5)

Disclaimer

Talking Identity is my exploration of the world of Identity Management. The views expressed on this blog are my own and do not necessarily reflect the views of Identropy (doesn't mean I'm not trying hard to mold them in my own image).

Copyright © 2005-2013 Nishant Kaushik. All Rights Reserved.