Comments on: OAuth No Guarantee Against Nefarious Behavior http://www.brandonsavage.net/oauth-no-guarantee-against-nefarious-behavior/ The personal blog of Brandon Savage. Contains entries of a personal and professional nature focusing on PHP, Apple, LAMP, MySQL and Washington, DC. Thu, 29 Jul 2010 19:10:45 +0000 hourly 1 http://wordpress.org/?v=3.0.1 By: Jonathan Joycehttp://www.brandonsavage.net/oauth-no-guarantee-against-nefarious-behavior/#comment-1539 Jonathan Joyce Sat, 10 Oct 2009 00:51:30 +0000 http://www.brandonsavage.net/?p=860#comment-1539 Hi Brandon, thanks for the blog post. Despite it being quite negative about our service we do genuinely appreciate the feedback.As you say we do actually disclose the fact that as part of the process of supporting a cause you will send out a support tweet for the cause and follow the twibbon account. We would have to agree that specifically in relation to the notification settings it is not at all clear for users that they will have SMS updates enabled. Sincere apologies for this oversight. I assure you this was not a marketing ploy but an attempt to keep users informed of relevant activity on our service. You can see that we have used the Twibbon account very conservatively because we are aware of the balance between supporting users and spamming them.Looking at our stats we can see that for an astonishing 99.999% of our users this setting will have no affect because they do not have notifications enabled.As a result of your comments and in consideration of the limited number of users benefiting from this option we have decided to remove this feature.Thanks for helping us refine the service. With Twibbon we adopted the ‘Ship It!’ approach to product development which means we depend on our users to help us in this way. We have always tried to ensure that we have enough resources to properly monitor and respond to feedback as it arises but we accept that this has not been a great experience for you. Hi Brandon, thanks for the blog post. Despite it being quite negative about our service we do genuinely appreciate the feedback.

As you say we do actually disclose the fact that as part of the process of supporting a cause you will send out a support tweet for the cause and follow the twibbon account. We would have to agree that specifically in relation to the notification settings it is not at all clear for users that they will have SMS updates enabled. Sincere apologies for this oversight. I assure you this was not a marketing ploy but an attempt to keep users informed of relevant activity on our service. You can see that we have used the Twibbon account very conservatively because we are aware of the balance between supporting users and spamming them.

Looking at our stats we can see that for an astonishing 99.999% of our users this setting will have no affect because they do not have notifications enabled.

As a result of your comments and in consideration of the limited number of users benefiting from this option we have decided to remove this feature.

Thanks for helping us refine the service. With Twibbon we adopted the ‘Ship It!’ approach to product development which means we depend on our users to help us in this way. We have always tried to ensure that we have enough resources to properly monitor and respond to feedback as it arises but we accept that this has not been a great experience for you.

]]> By: Pádraic Bradyhttp://www.brandonsavage.net/oauth-no-guarantee-against-nefarious-behavior/#comment-1434 Pádraic Brady Fri, 02 Oct 2009 10:51:31 +0000 http://www.brandonsavage.net/?p=860#comment-1434 You said "I don’t recall reading anything about it enforcing restrictions on what the two parties can or cannot do." Using scoping, OAuth may be used to enforce a restriction since the Consumer can cross match the authorisation token against the current scope and accept or decline the action presented. This is not built into the spec of course, it must be implemented by the provider. You said “I don’t recall reading anything about it enforcing restrictions on what the two parties can or cannot do.” Using scoping, OAuth may be used to enforce a restriction since the Consumer can cross match the authorisation token against the current scope and accept or decline the action presented. This is not built into the spec of course, it must be implemented by the provider.

]]> By: Herman Radtkehttp://www.brandonsavage.net/oauth-no-guarantee-against-nefarious-behavior/#comment-1424 Herman Radtke Thu, 01 Oct 2009 16:40:06 +0000 http://www.brandonsavage.net/?p=860#comment-1424 @padraicb From the link you provided: "By itself, OAuth does not provide any method for scoping the access rights granted to a Consumer." I stand by my statement. @padraicb From the link you provided: “By itself, OAuth does not provide any method for scoping the access rights granted to a Consumer.” I stand by my statement.

]]> By: Gerardhttp://www.brandonsavage.net/oauth-no-guarantee-against-nefarious-behavior/#comment-1423 Gerard Thu, 01 Oct 2009 15:11:51 +0000 http://www.brandonsavage.net/?p=860#comment-1423 I've only recently been looking into OAuth and on the face of it I think it will be great for the computer literate but disasterous for lowest common denomenator and that could be it's downfall.It appears too whimsical to me, that said it is without a doubt far better than giving somebody your concrete credentials.I look forward to test driving it with Twitter. I’ve only recently been looking into OAuth and on the face of it I think it will be great for the computer literate but disasterous for lowest common denomenator and that could be it’s downfall.

It appears too whimsical to me, that said it is without a doubt far better than giving somebody your concrete credentials.

I look forward to test driving it with Twitter.

]]> By: Pádraic Bradyhttp://www.brandonsavage.net/oauth-no-guarantee-against-nefarious-behavior/#comment-1421 Pádraic Brady Thu, 01 Oct 2009 09:14:54 +0000 http://www.brandonsavage.net/?p=860#comment-1421 @Herman Er, not so. OAuth has full support for scoping the granted authorisation - http://oauth.net/core/1.0a#anchor33. All that is required is a little work from the service provider to apply it. Unfortunately, most services simply apply a global authorisation or differentiate between two simple roles: read access, or read and write access. So OAuth can be used to limit access on a finer grained basis. Brandon's assertion remains true - OAuth is not a guarantee and user beware. @Herman Er, not so. OAuth has full support for scoping the granted authorisation – http://oauth.net/core/1.0a#anchor33. All that is required is a little work from the service provider to apply it. Unfortunately, most services simply apply a global authorisation or differentiate between two simple roles: read access, or read and write access. So OAuth can be used to limit access on a finer grained basis. Brandon’s assertion remains true – OAuth is not a guarantee and user beware.

]]> By: Joshua Mayhttp://www.brandonsavage.net/oauth-no-guarantee-against-nefarious-behavior/#comment-1420 Joshua May Thu, 01 Oct 2009 04:23:20 +0000 http://www.brandonsavage.net/?p=860#comment-1420 It sounds like Twibbon does that as a one-off transaction when you perform the OAuth.But for longer term recurring things (i.e. if an app keeps posting to your timeline), you can revoke its access at http://twitter.com/account/connections It sounds like Twibbon does that as a one-off transaction when you perform the OAuth.

But for longer term recurring things (i.e. if an app keeps posting to your timeline), you can revoke its access at http://twitter.com/account/connections

]]> By: Herman Radtkehttp://www.brandonsavage.net/oauth-no-guarantee-against-nefarious-behavior/#comment-1419 Herman Radtke Thu, 01 Oct 2009 01:44:36 +0000 http://www.brandonsavage.net/?p=860#comment-1419 OAuth is doing exactly what it claims to do: provide an authentication mechanism for two different parties to communicate. I don't recall reading anything about it enforcing restrictions on what the two parties can or cannot do.What Twibbon does after you allow them access is outside the scope of any authentication mechanism. OAuth is doing exactly what it claims to do: provide an authentication mechanism for two different parties to communicate. I don’t recall reading anything about it enforcing restrictions on what the two parties can or cannot do.

What Twibbon does after you allow them access is outside the scope of any authentication mechanism.

]]> By: Pádraic Bradyhttp://www.brandonsavage.net/oauth-no-guarantee-against-nefarious-behavior/#comment-1416 Pádraic Brady Wed, 30 Sep 2009 22:54:40 +0000 http://www.brandonsavage.net/?p=860#comment-1416 There's not really a whole lot Twitter can do to prevent misuse. I've always simply supported the approach of having the OAuth confirmation page (when you give your consent) spell out as clearly as possible the implications of your decisions. But, so long as write access is applied to the entire API of a service, without the possibility of more fine grained authorisation, this sort of misuse will always be possible. There’s not really a whole lot Twitter can do to prevent misuse. I’ve always simply supported the approach of having the OAuth confirmation page (when you give your consent) spell out as clearly as possible the implications of your decisions. But, so long as write access is applied to the entire API of a service, without the possibility of more fine grained authorisation, this sort of misuse will always be possible.

]]>