On Twitter’s OAuth Fix

While the OAuth team is working on addressing the OAuth session fixation vulnerability at the spec level, Twitter made the following changes to reduce the exposure window:

  • Shorter Request Token timeout – This is good practice in general. Developers tend to be too generous and, all too often, forget to enforce the timeout or to verify that it is enforced.
  • Ignore oauth_callback in favor of the URL set at registration time – this prevents hackers from intercepting the callback.

Double-callback is still possible though, which means Twitter OAuth Consumers will have to detect extraneous callbacks and invalidate access for everyone involved, because they have no way of telling who is who.

The remaining exposure to the vulnerability is when the hacker’s simulated callback arrives before the user’s. We are talking a temporal exposure of a couple of seconds at most which, given current Twitter use-cases, is not that big a deal. I wouldn’t do banking over Twitter though. ;-)


On OAuth Vulnerability

Twitter’s OAuth problem turned out to be a general problem affecting other OAuth service providers as well as consumers using the ’3-legged’ OAuth use-case. For details, you should read not only the relevant advisory but Eran Hammer-Lahav’s post Explaining the OAuth Session Fixation Attack.

The first hint of the vulnerability surfaced last November as a CSRF attack at Clickset Social Blog, which was initially diagnosed as an implementation-level issue. Well, it turned out to be a design flaw requiring some changes to the protocol.

There are actually two flaws.

The first flaw is that the parameters of the HTTP redirects used in OAuth can be tampered with or replayed.

This flaw allows hackers to capture, replay, and mediate conversations between the OAuth Consumer and Service Provider that flow over the surface of the User’s browser, between the User, the Consumer and the Service Provider.

I think the easiest general remedy for this flaw is to include a hash of the HTTP redirect parameters and some shared secret, such as the consumer secret. A more general solution like evolving tokens could be done as well, but it is inappropriate as a quick remedy.

This flaw should not affect OAuth service providers that manage and monitor callback URLs rigorously.

The second and more serious flaw is that the User talking to the Consumer may *not* be the same User talking to the Service Provider.

This means that a hacker can start a session with TwitsGalore.com, then phish someone into authorizing at Twitter, to gain access to TwitsGalore.com as that someone without stealing a password or hijacking a session.

Solving the first flaw simplifies the solution to the second flaw by reducing the possibility of the hacker intercepting the callback from the Service Provider to the Consumer. That callback is not supposed to carry any sensitive information, but some implementations might include some. Wire sniffing is a concern if HTTPS is not used, but the relevant concerns for this flaw are integrity and identity, not secrecy, which is an application factor.

Removing the possibility of callback URL tampering leaves the double callback, meaning that the hacker starts things off, tricks someone into authorizing without intercepting the callback, then simulates a callback to the Consumer. Note that the Consumer would have started an HTTP session with the hacker, a session associated with the RequestToken in the callback. Even if the HTTP session is not created until the callback is received, there is no way for the Consumer to tell who is who.

I think the Service Provider has to send back a verifiable token, like a hash of the RequestToken and the consumer secret, so the hacker can’t simulate the callback.
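As an added example (not code from Twitter, the OAuth spec or this blog), here is a Python sketch of the Consumer-side checks discussed above and in the Twitter fix post: binding the redirect parameters to the consumer secret with an HMAC (first flaw), checking a Service Provider verifier derived from the RequestToken and the consumer secret (second flaw), enforcing a short RequestToken timeout, and invalidating everyone on a double callback. The secret, token values and the Consumer class are constructed for illustration.

```python
import hashlib
import hmac

# Constructed example secret; in practice this is the Consumer's secret registered at the SP.
CONSUMER_SECRET = b"example-consumer-secret"

def _mac(*parts: str) -> str:
    """HMAC-SHA256 under the consumer secret over the '&'-joined parts."""
    msg = "&".join(parts).encode()
    return hmac.new(CONSUMER_SECRET, msg, hashlib.sha256).hexdigest()

def sign_redirect(params: dict) -> dict:
    """First flaw: tag the redirect parameters so tampering or replay is detectable."""
    canonical = "&".join(f"{k}={params[k]}" for k in sorted(params))
    return {**params, "oauth_sig": _mac(canonical)}

def redirect_is_intact(params: dict) -> bool:
    given = params.get("oauth_sig", "")
    rest = {k: v for k, v in params.items() if k != "oauth_sig"}
    canonical = "&".join(f"{k}={rest[k]}" for k in sorted(rest))
    return hmac.compare_digest(given, _mac(canonical))

def sp_verifier(request_token: str) -> str:
    """Second flaw: SP-issued verifier only a holder of the consumer secret can produce."""
    return _mac("verifier", request_token)

class Consumer:
    """Consumer bookkeeping: short token TTL, verifier check, double-callback detection."""
    def __init__(self, token_ttl: float = 60.0):
        self.ttl = token_ttl
        self.pending = {}  # request_token -> {"session": id, "issued": time, "done": bool}

    def start(self, session_id: str, request_token: str, now: float) -> None:
        self.pending[request_token] = {"session": session_id, "issued": now, "done": False}

    def callback(self, request_token: str, verifier: str, now: float) -> str:
        rec = self.pending.get(request_token)
        if rec is None:
            return "reject: unknown request token"
        if now - rec["issued"] > self.ttl:
            return "reject: request token expired"
        if not hmac.compare_digest(verifier, sp_verifier(request_token)):
            return "reject: verifier does not match"
        if rec["done"]:
            # Two callbacks for one token: no way to tell who is who, so revoke everyone involved.
            del self.pending[request_token]
            return "reject: double callback, access invalidated"
        rec["done"] = True
        return f"ok: session {rec['session']} bound to token {request_token}"
```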

Regardless of which solutions the OAuth guys decide on, one thing is clear. It will take time, many weeks at least, if not months. That’s going to put quite a damper on developers on the Consumer side of OAuth as well as the Service Provider side.


Value of Journalism

Will newspapers survive? I think the physical form will survive for another 10 years at least, at a much lower valuation, then eventually break into niche market fragments. The profession of journalism will, however, not only continue on but become more respected than before.

This is why I think so. When we are short of something we consume, like water in the desert, we put value in availability. As we approach ubiquitous availability of the same, we shift value to quality.

In a sea filled with unverified and biased news and information, we will rediscover the value of journalism. We will see memes as what they really are, mental viruses, and know the danger of careless consumption. As we have become more health conscious, we will also become more mental health conscious.

We’ll see products of journalism like bottled water, avoid reading/eating things off the ground, and see eaters of biased or mutated news as inbred rednecks. Those who can afford to pay, that is.

As usual, I am exaggerating. Not quite hyperbole but enough force to kickstart pointless thinking.


Leg Fetish

I’ve been too busy tinkering so, beyond twittering, I haven’t had the mindshare to blog. Sorry.

I think the stock market is in for another big leg down soon, not like the slide we’ve had lately but a drop of 500 pts or more in a day. One card the Obama administration can play to stem or prevent the damage is the restoration of the up-tick rule.

I could be wrong, of course, so use your own judgement.

update on March 2nd at 10:41AM: Dow is at 6800 now, 200+ pts down but the volume is not there, just average so far, so this is not the massive volume crash I was expecting. It’s as if hedge funds have changed their trading strategy from a disaster movie to a suspense-building horror movie. Eerie. The only real support is still 300 pts away, btw, at 6500. There will be continued drama, of course. I’m just not sure what kind.

update on close March 2nd: So the market went down orderly in a straight line more or less, with Dow closing down 300, S&P barely hanging on at 700, which makes it look bad. NASDAQ didn’t do too badly but volume was nearly 4x where Dow volume was about 1.5x. Spitting into the wind, downward pressure is still overwhelming. I am done looking at the market for today. It’s time to look at some business plans and code.

a reminder to follow me on twitter: my tweets are mostly mindfart but look what I tweeted last Thursday. ;-)


Transcultural Funk

Here is Natalie, a cute non-Korean girl (as far as I can tell ;-) ) based in LA, singing a popular song by K-POP group Wonder Girls:

and idol-mob girl group SNSD’s song:

Being a cultural mutt, I enjoy this sort of cultural mash thingy. She looks and sings great. It would be cool to see her make it big time in South Korea, hopefully short of turning things into a circus as usual.


OpenID Middlemen

Apparently the invite-only OpenID meetup at Facebook took place tonight. The fact that it was held at Facebook points to a shift taking place in the OpenID world. What’s coming is obvious: somehow retrofit Facebook Connect into OpenID architecture. Repeat after me. Yes, we can.

Facebook Connect can become an OpenID middleman, serving attribute-enriched OpenID to consumer sites that have selected Facebook as their OpenID supplier. OpenID middlemen solve two key OpenID usability issues as well as opening up the potential to solve some privacy issues.

The first usability issue the middleman solves is the need to type in an OpenID URL, by replacing the URL input box with a button saying Sign in with OpenID or a branded version like the Facebook Connect button.

The second usability issue is users forgetting which OpenID they’ve used at an OpenID consumer site. The site can save that in a cookie, but that opens up privacy and taste issues, particularly since consumer sites will be less trusted than OpenID supplier services like Facebook and Google.

The middleman can also support anonymous personas for users to minimize privacy issues but, to do so, it will have to provide a bridging service between the sites and the real identity to meet the needs of consumer sites.

Who will be the players? Facebook and Google, of course. Throw in MySpace, Yahoo, Microsoft, and AOL as well. I reckon security, payment, and infrastructure companies will come in too, late of course. Now, they are all OpenID providers but, to act as middlemen, they’ll have to also act like OpenID consumers to either pass on a third-party OpenID identity or return a proxy identity. IMHO, it’s a very small price to pay since only oddball users will choose to do so.

Yes, it’s going to be a party night and, when the dawn comes, small OpenID providers will just fade away like old soldiers, taking the name with them too and leaving behind only big name portals and social networks wrapped in brand names.


Micropayments and News

Is micropayment what the ailing news industry needs? Will it save the New York Times? Like Clay Shirky, I have my doubts about micropayments, particularly from a usability perspective. Micropayment UI can get as bad as Vista UAC, an endless parade of buy this and buy that.

What I think the news industry should do is follow the example of the cable TV industry. Bundle content by type into channels, then charge per channel or offer channel combo deals like 10 free news channels + a choice of 10 premium news channels + 100 articles of choice from other channels for $5 per month. For $10, 30 premium channels plus 500 articles of choice. To add an extra channel for a month, an extra $1.

Regardless of the details, the core idea is to transition to a finer-grained subscription model, selling sections instead of the whole newspaper, bothering the user only once per month and when the fuel tank (the a-la-carte article budget) gets empty, to ask whether to refill for a fee or add a channel.
