On 4/23/09 4:44 AM, twitscoop wrote:
Anyways, even with this security flaw, OAuth is safer than providing
Twitter credentials to third parties...

This is _absolutely_ NOT true! An attacker can't get in the middle of an application communicating with Twitter using HTTP Basic Auth, but they can in an OAuth flow.

It's only "safer" in that you're not handing credentials to an otherwise questionable third-party application. However, if you do trust a third-party application and it uses OAuth, there is a non-zero chance that an attacker can gain access to your Twitter account, without needing your username or password, through the OAuth flow of your use of that trusted application.

--
Dossy Shiobara              | do...@panoptic.com | http://dossy.org/
Panoptic Computer Network   | http://panoptic.com/
  "He realized the fastest way to change is to laugh at your own
    folly -- then you can let go and quickly move on." (p. 70)
