Friday, September 3, 2010

Ambition Over Intelligence - Twitter, OAuth, and Wrong

If you're using Twitter, and most of you are, you've probably had your client break in the last day or few?  If you haven't it's because your client is either written by the folks over at Twitter themselves, or you've updated your client very very recently.

If you do a web search for "hacked twitter account" you'll get thousands upon thousands of entries.  Most of them are from celebrities crying that their Twitter account was hacked when in fact someone guessed or deduced their lame password and used it to post even more insane things (or less insane?) than the celebrity would post themselves.  At any rate ... all this craziness about hacked accounts has no doubt prompted Twitter to do something to increase security.

Unfortunately, as with many things so far in its short life, Twitter got it wrong.

The Ars Technica piece here [Titled: "Compromising Twitter's OAuth Security System"] probably says it much better than I can - so I urge you to go read this brilliant piece of technical writing.  Ryan does a masterful job breaking down the issues with OAuth, the problems Twitter has with their specific implementation, and some of the reason why hacking Twitter "consumer keys" will be a hobby for bored school-kids for the foreseeable future.  I will, however, add my own commentary as I always do.

By the way, Ryan also wrote an OAuth primer (dealing with OAuth and OAuth WRAP) which you should probably read if you haven't already... it explains some of the OAuth details and behind-the-curtains issues that make it a flawed setup from the word go.  Seriously, mega-kudos Ryan, great chunk of writing there.

So as the title of the post says, ambition got the better of Twitter it seems.  While I'm ordinarily on the other end of this conversation urging technology to leave laggards behind, a technology socially rooted in its 3rd party applications like Twitter will suffer for their ambition, unfortunately.  Choosing to pull the trigger and disable basic authentication was a big move - but using their own version of OAuth (filling in some of OAuth's inherent holes) is a big mistake.

You see, we're back to a function vs. security conversation.  What do you really care about?  Do you want your social medium to be explosively adopted by virtually any 3rd party... or do you want to provide the illusion of better security?  A tough call right?

Twitter's biggest misstep in my humble opinion is threatening to invalidate secret consumer keys once they're discovered and published.  I think this is a major flaw in OAuth to begin with - but completely invalidating keys that are embedded in software particularly when it could cause a very interesting effect such as developers knocking each others' products off of Twitter's good graces.  Can you imagine the carnage?

I think it'll be interesting to see what transpires.  I'm just angry I guess that my 2 favorite Twitter clients haven't worked (and still don't work today...although I guess I need to blame the app developers more than Twitter, right?) and it's making me cranky.

Oh well ...maybe I'll actually be productive and be forcibly social, in real life.

No comments: