Potentially Major Security Flaw in Twitter

Donate for the Cryptome archive of 65.000 files from June 1996 to the present

23 December 2011

Potentially Major Security Flaw in Twitter

Date: Fri, 23 Dec 2011 09:46:43 +0100
From: Eugen Leitl <eugen[at]leitl.org>
To: cypherpunks[at]al-qaeda.net
Subject: [liberationtech] UPDATE - Re: potentially major security flaw in twitter

----- Forwarded message from Brian Conley <brianc[at]smallworldnews.tv> -----

From: Brian Conley <brianc[at]smallworldnews.tv>
Date: Thu, 22 Dec 2011 11:29:40 -0800
To: Liberation Technologies <liberationtech[at]lists.stanford.edu>
Subject: [liberationtech] UPDATE - Re: potentially major security flaw in twitter

Hi all,

So an update. Essentially I've run into what some of you have probably
previously mentioned, the impact of the OAuth protocol.

For an uninformed user of twitter, OAuth can cause them to provide access
to their twitter account from secondary devices even after changing
passwords at the source.

Obviously this has huge implications for citizen journalists, activists,
and human rights workers among others. Anyone who is detained and whose
twitter passwords become compromised (as well as other applications, i'm
guessing the facebook app for iPad also uses OAUTH, though it may just
store the password) is at risk of providing ongoing access to these apps if
they fail to remove the OAuth authorization after changing their passwords.

Does anyone know of resources that have been produced to raise awareness
about this issue, or similar issues? I'm wondering whether Small World News
should put some effort into developing a more comprehensive social media
security 101 that considers these technical issues as well as general best
practices?

Regards

Brian

On Wed, Dec 21, 2011 at 5:38 PM, Brian Conley <brianc[at]smallworldnews.tv>wrote:

> Hi all,
>
> So I don't really want to broadcast this to an entire list of people whom
> I don't know, but I've found what is potentially a huge flaw in twitter's
> security architecture. Can any of you connect me directly with someone at
> Twitter who is involved with security?
>
> I will be happy to brief the list once its fixed.
>
> Brian
>
> --
>
> Brian Conley
> Director, Small World News
> http://smallworldnews.tv
> m: 646.285.2046
> Skype: brianjoelconley
> public key: http://pgp.mit.edu:11371/pks/lookup?op=getsearch=0xE827FACCB139C9F0

_______________________________________________
liberationtech mailing list
liberationtech[at]lists.stanford.edu

Should you need to change your subscription options, please go to:

https://mailman.stanford.edu/mailman/listinfo/liberationtech

If you would like to receive a daily digest, click "yes" (once you click above) next to "would you like to receive list mail batched in a daily digest?"

You will need the user name and password you receive from the list moderator in monthly reminders.

Should you need immediate assistance, please contact the list moderator.

Please don't forget to follow us on http://twitter.com/#!/Liberationtech

----- End forwarded message -----
--
Eugen* Leitl <a href="http://leitl.org">leitl</a> http://leitl.org
______________________________________________________________
ICBM: 48.07100, 11.36820 http://www.ativel.com http://postbiota.org
8B29F6BE: 099D 78BA 2FD3 B014 B08A 7779 75B0 2443 8B29 F6BE