Monthly Archives: April 2009

Why wasn’t OAuth Vulnerability found earlier?

According to the OAuth about page, it was Blaine Cook who initiated the birth of the standard while working at Twitter in Nov. 2006. Blaine mobilized the initiative by getting Chris Messina involved, which attracted others at CitizenSpace to join …


On Twitter’s OAuth Fix

While the OAuth team is working on addressing the OAuth session fixation vulnerability at the spec level, Twitter made the following changes to reduce the exposure window: Shorter Request Token timeout – This is good practice in general. Developers tend to …


On OAuth Vulnerability

Twitter’s OAuth problem turned out to be a general problem affecting other OAuth service providers as well as consumers using the ‘3-legged’ OAuth use case. For details, you should read not only the relevant advisory but also Eran Hammer-Lahav’s post Explaining the OAuth …
