Do OAuth tokens sustain hacking attacks?
‘Tis the season to be hacked, I guess. Twitter joined a bunch of other companies in revealing that it was the target of a sophisticated attack that may have exposed the information for about 250,000 users. While the data that was allegedly exposed, including encrypted/salted versions of passwords, was not as bad as in some other attacks recently, Twitter did take some proactive measures in resetting passwords (and letting the users know that they need to set a new one) and revoking session tokens. And in what is quickly becoming a sad industry pattern for websites that get hacked, it is now considering adding two factor authentication.
But what is far more interesting to consider are the ramifications this hack and Twitters response measures have had (or not had, depending on who you talk to) on the ecosystem that integrates with Twitter via it’s OAuth implementation. This article brought up the fact that 3rd party apps authorized to interact with Twitter are still able to tweet despite the passwords being reset. In other words, the resetting of the password had no impact on whether they still had access to the account. Why is this important? Because if you consider one of the possible motives behind the hack, the attacker could have used the time that they had control of the account to add an additional application (a Twitter client like Hootsuite, for example) to the list of authorized applications by going through the flow and issuing an OAuth token.