Thursday, May 20, 2010

Using 'Sign in with Twitter' ??? Read this then - You may be NOT safe



There are many applications enabled for 'Sign in with Twitter'.

http://www.twitpic.com/ and http://micromobs.com/ are two of them.

Once you click on 'Sign in with Twitter', you are redirected to the http://twitter.com/oauth/authorize page following the OAuth protocol, where you need to authorize access for the particular relying party application.

If by this time you have not already logged in to Twitter directly, you are asked to enter your Twitter credentials there as well.

That authorize page is served over plain HTTP, so these credentials are passed over the wire in clear text.

Below is what I captured using Wireshark; there you can see the username and Twitter password in clear text. [I have replaced my original password with XXXXX]

authenticity_token=833dc4385cf064eea29a2ae9faddbc4ae3903659&oauth_token=O1K0VwKaFBJMDYA9f7qr53D6tqLNj4WBFmMmCONnmkI&session%5Busername_or_email%5D=prabath&session%5Bpassword%5D=XXXXX

But when you log in to Twitter directly through http://twitter.com/login, HTTPS is used, so you are safe.

So, if you are using 'Sign in with Twitter' anywhere, I would rather recommend that you log in to Twitter directly via http://twitter.com/login first and then click the 'Sign in with Twitter' link on the corresponding web site. Then you are not asked to authenticate again; all you need to do is Allow or Deny.
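The exposure above can be checked mechanically. The following is an added example, not code from the original post: it parses a captured HTTP POST of the shape shown in the Wireshark capture and reports the credential-bearing form fields that were sent without TLS. The field names `session[username_or_email]` and `session[password]` come from the capture; the extra names in `SENSITIVE_FIELDS`, the `tls` flag and the token values in the sample are assumptions made for illustration.

```python
from urllib.parse import parse_qs

# Field names that must never travel over plaintext HTTP. The two
# session[...] names are the ones visible in the capture above; the
# other two are assumed common names, added for illustration.
SENSITIVE_FIELDS = {"session[password]", "session[username_or_email]",
                    "password", "passwd"}


def parse_request(raw: str):
    """Split a raw HTTP request into (method, target, headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers, body


def leaked_fields(raw: str, tls: bool):
    """Names of sensitive form fields sent on a plaintext connection.

    `tls` is whether the capture came from a TLS-protected connection
    (in which case the body would not be readable and nothing leaks)."""
    method, _target, headers, body = parse_request(raw)
    if tls or method != "POST":
        return []
    if "x-www-form-urlencoded" not in headers.get("content-type", ""):
        return []
    fields = parse_qs(body, keep_blank_values=True)  # decodes %5B/%5D too
    return sorted(f for f in fields if f in SENSITIVE_FIELDS)


# Constructed sample modelled on the capture in the post; the token
# values are placeholders, not the real ones.
SAMPLE_REQUEST = (
    "POST /oauth/authorize HTTP/1.1\r\n"
    "Host: twitter.com\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "\r\n"
    "authenticity_token=AUTHTOKEN_PLACEHOLDER"
    "&oauth_token=OAUTHTOKEN_PLACEHOLDER"
    "&session%5Busername_or_email%5D=prabath&session%5Bpassword%5D=XXXXX"
)

if __name__ == "__main__":
    print(leaked_fields(SAMPLE_REQUEST, tls=False))
    # → ['session[password]', 'session[username_or_email]']
```

The same check run with `tls=True` returns nothing, which is the situation the post describes for the direct login form.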

2 comments:

chanux said...

The link you have provided to the Twitter login page is not https. Does it still make it secure? (Anyway, I thought it would automatically redirect to the https one, but it didn't.)

Prabath said...

No, it won't - but when you provide your credentials and click on sign in - the form is posted to https://twitter.com/sessions - so the credentials are passed over https.

Thanks.
-Prabath