Thursday, May 20, 2010

Using 'Sign in with Twitter'? Read this then - you may NOT be safe

There are many applications enabled for 'Sign in with Twitter'; , to name a few.

Once you click on 'Sign in with Twitter', you are redirected to a page following the OAuth protocol, where you need to authorize access for the particular relying party application.

At this point, if you haven't already logged in to Twitter directly, you are asked to enter your Twitter credentials as well.

These credentials are passed over the wire in clear text.

The following is what I captured using Wireshark; there you can see the username and Twitter password in clear text. [I have replaced my original password with XXXXX]


But when you log in to Twitter directly through , it uses HTTPS, so you are safe.

So, if you are using 'Sign in with Twitter' anywhere, I would rather recommend that you log in to Twitter directly via and then click on the 'Sign in with Twitter' link on the corresponding web site. Then you are not asked to authenticate again; all you need to do is Allow or Deny.


chanux said...

The link you have provided to the Twitter login page is not https. Does it still make it secure? (Anyway, I thought it would automatically redirect to the https one, but it didn't.)

Prabath said...

No, it won't - but when you provide your credentials and click on sign in, the form is posted to - so the credentials are passed over https.

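The post above shows credentials travelling in clear text during a 'Sign in with Twitter' flow, and the comment exchange adds the nuance that a login page can itself be served over http while its form posts to an https endpoint. The following is an added example, not code from the original post, of the two checks a user or auditor would actually run: resolve where each password-bearing form on a page posts to and whether that destination is https, and scan a raw plaintext HTTP request (what a Wireshark capture of a non-TLS connection would show) for password fields. The page URL, the HTML and the captured request are all constructed sample inputs, not real Twitter or relying-party data.

```python
"""Audit where login forms post credentials, and spot password fields in a plaintext HTTP request.

Added example for the 'Sign in with Twitter' discussion; all inputs below are constructed.
"""
from html.parser import HTMLParser
from urllib.parse import parse_qs, urljoin, urlparse


class _FormCollector(HTMLParser):
    """Collect every <form> on a page together with the names/types of its <input> fields."""

    def __init__(self):
        super().__init__()
        self.forms = []       # list of {"action": str, "fields": [(name, type), ...]}
        self._current = None  # the form whose inputs we are currently collecting

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {"action": a.get("action") or "", "fields": []}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            self._current["fields"].append((a.get("name") or "", a.get("type") or "text"))

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def audit_login_forms(page_url, html):
    """Return one record per form that carries a password field.

    Each record holds the fully resolved action URL (relative actions are resolved
    against the page URL, as a browser would) and whether that URL is https.
    This is exactly the check behind the comment above: an http page can still post
    its credentials to an https endpoint, and only the action URL tells you which.
    """
    collector = _FormCollector()
    collector.feed(html)
    results = []
    for form in collector.forms:
        if not any(ftype.lower() == "password" for _, ftype in form["fields"]):
            continue  # not a credential form, ignore
        action = urljoin(page_url, form["action"])  # empty action posts back to the page URL
        results.append({"action": action, "https": urlparse(action).scheme == "https"})
    return results


_PASSWORD_HINTS = ("password", "passwd", "pwd")


def find_plaintext_credentials(raw_request):
    """Given a raw HTTP/1.1 request as captured off a non-TLS connection, return the
    names of body fields that look like passwords. Anything this returns was readable
    on the wire, which is what the Wireshark capture in the post demonstrated."""
    _, _, body = raw_request.partition("\r\n\r\n")
    fields = parse_qs(body, keep_blank_values=True)
    return [name for name in fields if any(h in name.lower() for h in _PASSWORD_HINTS)]


# --- constructed sample inputs (not real pages or captures) ---
PAGE_URL = "http://example.test/login"

SAMPLE_HTML = """
<html><body>
  <!-- page served over http, but this form posts to https (the case in the comment) -->
  <form method="post" action="https://example.test/sessions">
    <input type="text" name="session[username]">
    <input type="password" name="session[password]">
    <input type="submit" value="Sign in">
  </form>
  <!-- a second, legacy form whose relative action resolves to plain http -->
  <form method="post" action="/legacy_login">
    <input type="text" name="user">
    <input type="password" name="passwd">
  </form>
  <!-- a search box: no password field, so it is ignored -->
  <form method="get" action="/search"><input type="text" name="q"></form>
</body></html>
"""

SAMPLE_REQUEST = (
    "POST /sessions HTTP/1.1\r\n"
    "Host: example.test\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Content-Length: 50\r\n"
    "\r\n"
    "session[username]=alice&session[password]=XXXXX"
)

if __name__ == "__main__":
    for rec in audit_login_forms(PAGE_URL, SAMPLE_HTML):
        print(("OK   " if rec["https"] else "RISK ") + rec["action"])
    print("password fields visible in plaintext request:",
          find_plaintext_credentials(SAMPLE_REQUEST))
```

Running the block reports the first form as posting over https and the legacy form as posting over plain http, and lists `session[password]` as a field that was readable in the captured request. The form check only answers the question raised in the comments (where the form posts); the capture check is the simpler and more decisive one, because a credential that can be parsed out of a captured request was, by definition, not protected by TLS.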
