Twitter Desktop Application Devs: Please, Please, PLEASE Use OAuth!

10Mar10

I’m tired of all the Twitter API applications that force users to enter their Twitter usernames and passwords to log in. Why? Well, because it’s just so insecure!

Many people realized this for web applications some time ago, so now, most Twitter web services use OAuth to connect with the Twitter API. But for some reason, this hasn’t been done with desktop apps: most of them haven’t embraced OAuth.

Of course, one might think that there is less risk in providing your username and password to a desktop application, since the app's provider has less opportunity to capture and keep them.

Yet, there’s still a huge risk of packet sniffing!!!

As an example, I opened Seesmic for Windows and started Fiddler2 to capture my traffic. Well, guess what!?!?!

GET https://api.twitter.com/1/account/verify_credentials.json HTTP/1.1
X-Twitter-Client: Seesmic
X-Twitter-URL: http://www.seesmic.com
Authorization: Basic [REDACTED]
User-Agent: Seesmic
Host: api.twitter.com
Connection: Keep-Alive

That’s the request itself. Guess what happens if you decode that authorization token?

Authorization Header is present: Basic [REDACTED]
Decoded Username:Password= maximz2005:[REDACTED]

Oh look, it’s my username and password! Well, I hid the password here so that no one takes it… :)

Yet, there’s nothing to laugh or smile about here. Traffic from desktop Twitter apps that request a username and password is out in the open.

This all shows one major point: we must embrace OAuth. The OAuth system uses application tokens: Twitter issues a token for the application, the application connects using that token, and if the user ever wants to remove the application from his account, he can simply revoke the token, which revokes the application's access.
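As an added example that is not part of the original post, the following Python parses the Authorization header of a captured request: for HTTP Basic it shows that a single base64 decode recovers the username and password, exactly as in the Fiddler2 capture above; for an OAuth header it shows that only a revocable token and a signature travel, never the password. The sample requests, client name, keys and credentials are constructed placeholders.

```python
import base64
import re

# Constructed sample requests modeled on the captured request in the post.
# The client name, keys and credentials are placeholders, not real values.
BASIC_REQUEST = (
    "GET https://api.twitter.com/1/account/verify_credentials.json HTTP/1.1\r\n"
    "X-Twitter-Client: ExampleClient\r\n"
    "Authorization: Basic " + base64.b64encode(b"exampleuser:hunter2").decode() + "\r\n"
    "Host: api.twitter.com\r\n\r\n"
)
OAUTH_REQUEST = (
    "GET https://api.twitter.com/1/account/verify_credentials.json HTTP/1.1\r\n"
    'Authorization: OAuth oauth_consumer_key="ck-example", oauth_token="at-example", '
    'oauth_signature_method="HMAC-SHA1", oauth_signature="sig-example"\r\n'
    "Host: api.twitter.com\r\n\r\n"
)


def parse_authorization(raw_request: str) -> dict:
    """Return what anyone who can read this request learns from its Authorization header."""
    for line in raw_request.split("\r\n"):
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "authorization":
            break
    else:
        return {"scheme": None}
    scheme, _, rest = value.strip().partition(" ")
    if scheme.lower() == "basic":
        # Basic auth is an encoding, not encryption: one base64 decode yields user:pass.
        user, _, password = base64.b64decode(rest).decode().partition(":")
        return {"scheme": "Basic", "username": user, "password_exposed": bool(password)}
    if scheme.lower() == "oauth":
        params = dict(re.findall(r'(\w+)="([^"]*)"', rest))
        # Only the access token and an HMAC signature are sent; the secrets that
        # produced the signature stay on the client, and the token can be revoked.
        return {"scheme": "OAuth", "token": params.get("oauth_token"), "password_exposed": False}
    return {"scheme": scheme, "password_exposed": False}
```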

Twitter realized that this system would greatly increase security. Now, they’re phasing out the HTTP Basic Authentication (username & password) connection to their API, with a cut-off date of June 2010.

If you’re a desktop Twitter app developer: do you want your users to be out in the open? Do you want them to feel and be insecure? It’s not a great idea, though many apps are still doing this. Please, use OAuth, for your own benefit, and for that of your users, too!
