In association with heise online

23 April 2009, 12:04

Security hole compromises OAuth providers


A flaw in the open OAuth online authentication protocol has prompted major OAuth providers like Twitter and Yahoo to suspend their support of this protocol and stop offering this service for the time being. The security hole allows attackers to trick their way into obtaining user data. The OAuth protocol will need to be updated to fix the vulnerability.

According to an entry on, the OAuth community has been aware of the flaw for a week, but no exploits have been found so far. A detailed description of a potential attack scenario and a recommendation on how to prevent it can be found in the advisories.

Alex Payne, Twitter's API Lead, has now also confirmed the vulnerability. In response to criticism from Twitter's user community, he explains that the major OAuth providers have an agreement not to disclose the nature of a vulnerability until they have all agreed to do so, regardless of any rumours circulating about it. With regard to Twitter's OAuth API, Payne adds that it is in beta, which in Twitter's case means that it is still in testing.

OAuth is an open online authentication standard. It is based on a protocol designed to make access to private user resources held by a service provider more secure. Under OAuth, the user's service provider accepts a request for data access from a third party and responds by asking the user for approval. Once the user has approved access to the selected data, the provider sends a token to the requesting party. The requesting party then uses this token to access the authorised data.
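To make the flow described above concrete, the following is an added, constructed model of the three parties (provider, user, requesting party) exchanging a request token, a user approval and an access token. It is example code written for this article, not code from the OAuth specification or from any provider named here; the names `Provider`, `photo-printer`, `alice` and the stored photo list are invented, and the checks it enforces (token bound to the consumer that asked for it, usable only after the user has approved, single use) are what a provider would be expected to verify, not a description of the flaw the article reports.

```python
import secrets
from dataclasses import dataclass
from typing import Optional

# Constructed in-memory model of the OAuth flow described in the article:
# the provider holds the user's data, the requesting party (consumer) asks
# for access, the user approves, and the provider hands the consumer a
# token it can then present to read the authorised data.


@dataclass
class RequestToken:
    consumer_key: str
    approved_by: Optional[str] = None  # set to the user id once approved


class Provider:
    def __init__(self):
        # constructed sample data and one registered consumer
        self.user_data = {"alice": ["photo1", "photo2"]}
        self.consumers = {"photo-printer": "consumer-secret"}
        self.request_tokens = {}
        self.access_tokens = {}

    def _check_consumer(self, key, secret):
        if self.consumers.get(key) != secret:
            raise PermissionError("unknown consumer or bad secret")

    def issue_request_token(self, consumer_key, consumer_secret):
        # step 1: the requesting party asks the provider for access
        self._check_consumer(consumer_key, consumer_secret)
        token = secrets.token_hex(8)
        self.request_tokens[token] = RequestToken(consumer_key)
        return token

    def user_approves(self, user, request_token):
        # step 2: the provider asks the user, who approves the request
        rt = self.request_tokens.get(request_token)
        if rt is None:
            raise KeyError("unknown request token")
        rt.approved_by = user

    def exchange_for_access_token(self, consumer_key, consumer_secret, request_token):
        # step 3: the approved request token is swapped for an access token
        self._check_consumer(consumer_key, consumer_secret)
        rt = self.request_tokens.pop(request_token, None)  # single use
        if rt is None or rt.consumer_key != consumer_key:
            raise PermissionError("request token was not issued to this consumer")
        if rt.approved_by is None:
            raise PermissionError("user has not approved this request")
        access = secrets.token_hex(8)
        self.access_tokens[access] = (consumer_key, rt.approved_by)
        return access

    def fetch(self, consumer_key, access_token):
        # step 4: the requesting party uses the token to read the data
        entry = self.access_tokens.get(access_token)
        if entry is None or entry[0] != consumer_key:
            raise PermissionError("invalid access token for this consumer")
        return list(self.user_data[entry[1]])


def run_flow(approve=True):
    """Run the whole exchange; returns the data, or None if access is refused."""
    provider = Provider()
    rt = provider.issue_request_token("photo-printer", "consumer-secret")
    if approve:
        provider.user_approves("alice", rt)
    try:
        at = provider.exchange_for_access_token("photo-printer", "consumer-secret", rt)
    except PermissionError:
        return None
    return provider.fetch("photo-printer", at)


if __name__ == "__main__":
    print(run_flow())               # the approved flow returns alice's data
    print(run_flow(approve=False))  # without approval no token is issued
```

The point of the model is that an access token is only minted after a user approval has been recorded against the specific request token the consumer obtained, and that the request token is consumed at that moment; both are checks on the provider side, which is where the article says the protocol update and the providers' own fixes have to land.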

