On Thu, 15 Oct 2009 12:32:19 +0700
Dwi Sasongko Supriyadi ruck...@gmail.com wrote:
Okay. If Mallory changed Bob's password after successfully getting in,
Can Bob still access his account through his application (which is
authorized)?
Yes, OAuth apps that have their own authentication context
It is not impossible. It is still possible for Bob to use the same OAuth app
(even if Mallory has changed his credentials) given that Mallory has not
revoked the access to the same OAuth app. As Chris pointed out, the application
may not authenticate a twitter user after it has obtained the tokens. In
On Tue, 13 Oct 2009 23:48:13 -0700 (PDT)
ruckuus ruck...@gmail.com wrote:
Is there anyone who has experience hijacking a Twitter account?
The security profile of a Twitter account is no different than that of
many other on-line services. The major weaknesses are signing in over
HTTP, accepting
On Oct 14, 2:46 pm, Chris Babcock cbabc...@kolonelpanic.org wrote:
On Tue, 13 Oct 2009 23:48:13 -0700 (PDT)
ruckuus ruck...@gmail.com wrote:
Is there anyone who has experience hijacking a Twitter account?
The security profile of a Twitter account is no different than that of
many other
Here's another question.
User Bob installs OAuth App Foo on his desktop, and he authorizes
access to it.
Then he installs the app on his laptop and authorizes access to it.
Does User Bob see two separate entries for OAuth App Foo in his list
of authorized apps in Twitter, or only one?
If he
Does User Bob see two separate entries for OAuth App Foo in his list
of authorized apps in Twitter, or only one?
It's only one.
If he sees only one, how will he know that Phishing Dude has also
authorized his own slimy copy of OAuth App Foo to work on User Bob's
account?
AFAIK there is no way
So this is a problem with web apps as well then.
If User Bob authorized Web App to work on his account, and Phishing
Dude also authorizes his Web App account to work on User Bob's Twitter
account because he phished User Bob's Twitter username and password,
User Bob is blissfully unaware of that?
Yes. The risk is high with Desktop apps as Consumer secret/keys are
distributed.
On Wed, Oct 14, 2009 at 8:04 PM, Dewald Pretorius dpr...@gmail.com wrote:
So this is a problem with web apps as well then.
If User Bob authorized Web App to work on his account, and Phishing
Dude also
The situation in this scenario is that Mallory phished Bob's Twitter
credentials and used them to authorize access for himself with an OAuth
App that Bob also uses. Mallory can only be detected by the changes he
makes in the account; he cannot be detected by viewing the list of
OAuth apps with
On Thu, Oct 15, 2009 at 2:06 AM, Chris Babcock cbabc...@kolonelpanic.org wrote:
The situation in this scenario is that Mallory phished Bob's Twitter
credentials and used them to authorize access for himself with an OAuth
App that Bob also uses. Mallory can only be detected by the changes he
@chris
Okay. I was talking about a different scenario (using OAuth apps to steal user
info)
But if credentials are stolen then it's all over (it doesn't matter which
OAuth app you have authorized)
@sasongoko.
If Bob manages to change his password after Mallory used Bob's old
credentials to authorize
On Thu, Oct 15, 2009 at 11:15 AM, srikanth reddy srikanth.yara...@gmail.com wrote:
@chris
Okay. I was talking about a different scenario (using OAuth apps to steal
user info)
But if credentials are stolen then it's all over (it doesn't matter which
OAuth app you have authorized)
@sasongoko.
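To make the two points raised in this thread concrete (an access token outlives a password change unless the user revokes the app, and the authorized-apps list shows one entry per app no matter who made the grant), here is an added toy model of an authorization server; it is example code written for this page, not Twitter's implementation, and the names AuthServer, grant_token, api_call, authorized_apps and revoke_app are hypothetical. The revoke_tokens option on change_password is an assumed hardening that the thread does not describe.

```python
import secrets

class AuthServer:
    def __init__(self):
        self.passwords = {}  # user -> password (plain text only because this is a toy)
        self.grants = {}     # access token -> (user, app)

    def register(self, user, password):
        self.passwords[user] = password

    def grant_token(self, user, password, app):
        # The authorize step: anyone who holds the user's password can make a grant.
        if self.passwords.get(user) != password:
            raise PermissionError("bad credentials")
        token = secrets.token_hex(8)
        self.grants[token] = (user, app)
        return token

    def api_call(self, token):
        # Later API calls check only the token; the password is never re-checked.
        entry = self.grants.get(token)
        return entry[0] if entry else None

    def change_password(self, user, new_password, revoke_tokens=False):
        # Default mirrors the thread: tokens survive. The hardened option
        # (revoke_tokens=True) invalidates every grant for the user.
        self.passwords[user] = new_password
        if revoke_tokens:
            self.grants = {t: g for t, g in self.grants.items() if g[0] != user}

    def authorized_apps(self, user):
        # What the settings page shows: one entry per app, however many grants exist.
        return sorted({app for (u, app) in self.grants.values() if u == user})

    def revoke_app(self, user, app):
        self.grants = {t: g for t, g in self.grants.items() if g != (user, app)}

def scenario(revoke_on_password_change=False):
    # Bob authorizes Foo; a second grant for Foo is made with Bob's phished password.
    # Returns (apps Bob sees, 2nd token valid after password change, any token valid after revoke).
    srv = AuthServer()
    srv.register("bob", "hunter2")
    bob_token = srv.grant_token("bob", "hunter2", "Foo")
    second_token = srv.grant_token("bob", "hunter2", "Foo")
    apps_seen = srv.authorized_apps("bob")
    srv.change_password("bob", "correct-horse", revoke_tokens=revoke_on_password_change)
    valid_after_change = srv.api_call(second_token) == "bob"
    srv.revoke_app("bob", "Foo")
    valid_after_revoke = any(srv.api_call(t) == "bob" for t in (bob_token, second_token))
    return apps_seen, valid_after_change, valid_after_revoke
```

Running scenario() shows a single "Foo" entry and a still-valid second token after the password change; only revoking the app (or the hardened revoke_tokens option) kills it.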