Currently browsing Posts Tagged “oauth”

Authentication Crack Could Affect Millions

Posted by Scott Jarkoff in Shorts

Security researchers have discovered a serious flaw in a widely used authentication routine and plan to discuss their findings at the Black Hat conference later this month in Las Vegas. The researchers have not yet publicly disclosed the affected application, although it initially appears as if OpenID and OAuth are vulnerable to this newfound attack.

They found that some versions of these login systems are vulnerable to what’s known as a timing attack. Cryptographers have known about timing attacks for 25 years, but they are generally thought to be very hard to pull off over a network. The researchers aim to show that’s not the case.

The attack is thought to be so difficult because it requires very precise measurements. It cracks authentication tokens by measuring the time it takes for a computer to verify a digital signature. On some systems, the server checks a cryptographic signature on a token sent by the user to prove that he has logged into the system. It kicks back an error message as soon as the character-by-character comparison spots a bad character. This means the server returns an error for a completely bad token a tiny bit faster than for one where the first character is correct, and the attacker can work through the token one character at a time.
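The leak described above comes down to how the signature is compared. The following added example (not code from the post or from any OpenID/OAuth library) puts the early-exit comparison beside a constant-time one and counts, instead of timing, how many characters each examines before answering; the key and token are constructed sample values.

```python
import hashlib
import hmac

SECRET = b"constructed-demo-key"  # constructed sample key, not from any real service


def sign(token: bytes) -> bytes:
    """Hex HMAC-SHA256 tag a server would attach to a token (64 characters)."""
    return hmac.new(SECRET, token, hashlib.sha256).hexdigest().encode()


def early_exit_equal(expected: bytes, presented: bytes) -> tuple[bool, int]:
    """The leaky pattern: stop at the first bad character.
    Returns (match, characters_examined); the second value is what the
    response time reveals to a remote observer."""
    if len(expected) != len(presented):
        return False, 0
    for i, (x, y) in enumerate(zip(expected, presented)):
        if x != y:
            return False, i + 1
    return True, len(expected)


def constant_time_equal(expected: bytes, presented: bytes) -> tuple[bool, int]:
    """Hardened form: always examine every character, so the work done does
    not depend on how long the matching prefix is."""
    if len(expected) != len(presented):
        return False, 0
    diff = 0
    for x, y in zip(expected, presented):
        diff |= x ^ y  # accumulate differences instead of branching on them
    return diff == 0, len(expected)


def verify_token(token: bytes, presented_sig: bytes) -> bool:
    """What a server should do: use the standard library's constant-time compare."""
    return hmac.compare_digest(sign(token), presented_sig)


def work_per_prefix(token: bytes, prefix_lengths) -> dict:
    """For each k, build a wrong signature whose first k characters are right
    and report (early-exit work, constant-time work). The early-exit count
    grows with k; the constant-time count stays fixed at the tag length."""
    good = sign(token)
    result = {}
    for k in prefix_lengths:
        # constructed wrong tag: keep k correct characters, flip every later one
        tail = bytes((ord("0") if c != ord("0") else ord("1")) for c in good[k:])
        wrong = good[:k] + tail
        result[k] = (early_exit_equal(good, wrong)[1], constant_time_equal(good, wrong)[1])
    return result
```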

Since OpenID and OAuth are affected, sites such as Twitter and Digg are vulnerable, as they make use of these routines to provide functionality not seen in average web sites. Ultimately, what this attack facilitates is allowing an attacker to masquerade as a legitimately authenticated user without having to log in to the site. While timing attacks such as this are difficult to pull off, they are not inconceivable.

What does this mean for the average user? Probably nothing much at this point, since the keys to this particular kingdom lie in the hands of the web site operators. It will be up to the service providers making use of the affected libraries to either switch to an unaffected library or modify the existing one.

If you are a developer and are using OpenID and/or OAuth, then you should definitely be concerned. Pay strict attention to the paper these researchers plan to present at Black Hat to see if the libraries you are using are affected and in need of modification.

On Twply, Giving Out Your Password and Other Security Issues

Posted by Scott Jarkoff in Articles

There has been a small but vocal brouhaha, brought to light by chatty Robert Scoble, over Twply, a new Twitter-to-email service which recently launched. The problem started out as the service seemingly spamming Twitter, but the conversation has quickly changed gears into a full-fledged Twitter security incident.

As a means of promoting the service, framed in the context of “supporting” Twply, when you first sign up for the service it sends the following tweet from your Twitter account:

Just started using http://twply.com/ to get my @replies via email. Neat stuff!

Twply clearly states on their front page, directly beneath the Twitter username and password fields, “Support Twply on your first login?” followed by a couple of radio buttons: Yep, go ahead! (default) and No thanks!.