OAuth: A security threat or a convenience?

This article will cover:

  • What is OAuth? How did it start?
  • Why you may want to use it?
  • Is it safe to use or are you exposing your account to the risk of attack?
  • OAuth Service Providers

What is OAuth?

Before we dive into explaining what OAuth is, it is important to explain the problem that was the inspiration for its creation. With the risk of more and more websites, forums, blog, etc it became a hassle to register an account (username and password) on each of these platform just to be able to interact, for example, by submitting comments on a blog or forum as well as keep track and manage these hundreds of accounts.

What if you created a new account on a forum then didn’t use it again for a month or year thus forgetting your credentials and forced to reset your password?

The solution was to create a secure system by which different websites can unite their access to a specific user through a single interface, that where OAuth comes in.

The plan was to utilize a user’s twitter, Facebook, or OpenID as well as other accounts to authenticate themselves but at the same time keep the credentials of these services private. In other words, you had to prove that you are the owner of a specific twitter account (which the  third-party website will access your information) without given that website your username or password. The method of authorizing is through tokens, where a single token provides access to a specific site (website, forum, or blog) for specific resources (e.g. your name and/or your profile image) and for a defined duration (e.g., an hours, 2 hours, a day, until revoked).

This provide a higher level of security because:

  1. The third-party website does not have your credentials (thus can’t access your account and do a task that you didn’t give it permission to)
  2. The third-party website has only a pinhole view of all you data (which you can configure)
  3. The third-party website has a defined duration of validity
  4. If at any moment you decide to pull the plug, you can invalidate the token and kill the website’s access to your information

Why you may want to use it?

OAuth provides a practical way to use information from another service like twitter, Facebook, Foursquare, etc and yet not store the credentials of the user. As explained in the previous section the user controls how much data is being accessed, duration of validity, and can revoke the token at anytime. You can know that you are using OAuth when you see on of the screen below:

 

Is it safe to use or are you exposing your account to the risk of attack?

This is a tough question, the short answer is both yes and no. While the process as explained up to this point proves that OAuth is in itself safe and actually provides a very high level of access granularity and security, there is a weakness both for the desktop and mobile applications. For desktop, when you first create a token the services that you are authenticating with (twitter for example) will ask you for your username and password which is not a problem since you are entering your credentials directly to twitter, the problem is that you are trusting your web browser (internet explorer, Firefox, chrome, or safari) to not sniff these before clicking submit. Imagine if a hacker was able to embed a virus inside your browser to pick up all the key strokes you enter then in essence you just gave that hacker your username or password. This problem is not specific to OAuth and relates more to the security of your desktop as a whole but it is still a risk. For mobile application, to be able to use this token over and over again it has to be stored somewhere inside your phone’s hard disk which means if a hacker got access to your phone, he can extract this token and use it for himself.

Another security risk relates to the managing tokens and being aware which third-party application have access to your data at a given moment in time. Say you had authorized a website to access your Facebook account to extract your pictures but then you never used the service again. The problem is that the website still has a token access to your photos till you manually revoke it, as a result, it is crucial constantly check your outstanding token and revoke any that you don’t need anymore. Don’t worry if you accidentally revoked a token you shouldn’t have, you can always create a new token for that same website.

You can find more information on connecting and revoking third-party applications for twitter here and for Facebook here

OAuth Service Providers

  • Facebook
  • Foursquare
  • Google
  • Microsoft (Hotmail, Messenger, XBox)
  • LinkedIn
  • MySpace
  • Netflix
  • Twitter
  • Vimeo

If you found this article useful, don’t forget to share it by clicking one of the buttons below. You can also share your thoughts in the comments section below

You can follow me on Twitter, add me to your circle on Google+ or like my Facebook page to keep yourself updated on all the latest of Hardware and Software reviews.

Found this post useful?

Subscribe to our RSS feed, follow us on Twitter or help us grow by sharing our content using the buttons below

This entry was posted in Security and tagged , , , , , , , , . Bookmark the permalink.

Leave a Reply