The OAuth keys and secrets that official Twitter applications use to access users’ Twitter accounts have been leaked in a post to GitHub this morning.
The consumer keys and secrets, which function similarly to a username and password, were posted for Twitter for iPhone, Android, iPad, Mac, Windows Phone and TweetDeck. Unapproved third-party applications can now use these secrets to impersonate legitimate third-party apps and circumvent any access control measures Twitter has in place for unofficial apps.
“In OAuth, the consumer keys identify your application (eg. if you had a third-party Twitter client like HootSuite). Therefore, the impact is that someone can take your app’s consumer key and use the OAuth API pretending to be your application (eg. I can make API calls pretending to be the HootSuite application),” said Jon Oberheide, CTO and cofounder of Duo Security, a hosted two-factor authentication service for mobile devices. Oberheide downplayed the security implications of the leak, adding that there could be indirect risks that are specific to a particular application or service.
“A service that was not aware of the problems with consumer [keys] could erroneously put too much trust into the application’s identity,” he said.
In August 2010, Twitter moved to OAuth from Basic Authentication for authentication of official third-party apps such as TweetDeck. The third-party apps’ use of OAuth allows users to access the applications without the apps storing a password. OAuth consumer keys and secrets are embedded in every native or mobile application that relies on the specification.
“With OAuth, you still individually approve each application before using it, and you can revoke access at any time,” wrote Twitter communications person Carolyn Penner upon the announcement in 2010. With Basic Auth, users had to provide a user name and password for the application to gain access to the user’s Twitter account. The third-party app would store and send the information each time the application was used. The move to OAuth changed this dynamic.
Twitter will likely have to reset its keys, but this won’t prevent a repeat scenario where the new keys would be leaked as well. Given the way OAuth is designed, experts say the keys weren’t all that safe to begin with.
“OAuth consumer keys and consumer secrets are embedded in every application that uses OAuth, whether it’s a native application or mobile app,” Oberheide said. “And since the application is delivered to the user, the consumer key and secret can be extracted fairly easily by anyone with basic reverse engineering skills.
“The developer can regenerate the keys and push out a new version but they can be extracted again. The developer can try to obfuscate the keys in different ways in the app to make them harder to recover, but that’s not a game they’ll win at,” Oberheide said.
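To make concrete what a consumer secret actually does in the OAuth 1.0a flow Twitter's API used (RFC 5849, HMAC-SHA1 signatures), here is an added example, not code from the article or from Twitter, implementing both the client-side signing and the server-side verification; all credentials used with it are constructed placeholders. It shows that a valid signature proves possession of the consumer secret and the token secret and nothing more, which is why a service should not treat the consumer key as proof of which application is calling.

```python
import base64
import hashlib
import hmac
import secrets
import time
from urllib.parse import quote, urlparse, urlunparse

def _pct(s):
    # RFC 3986 percent-encoding as RFC 5849 section 3.6 requires (only unreserved chars kept)
    return quote(str(s), safe="")

def signature_base_string(method, url, params):
    # RFC 5849 section 3.4.1: METHOD & base URL & normalized, sorted request parameters
    u = urlparse(url)
    base_url = urlunparse((u.scheme.lower(), u.netloc.lower(), u.path, "", "", ""))
    pairs = sorted((_pct(k), _pct(v)) for k, v in params.items() if k != "oauth_signature")
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), _pct(base_url), _pct(normalized)])

def hmac_sha1_signature(method, url, params, consumer_secret, token_secret=""):
    # The signing key is consumer_secret&token_secret: the consumer secret shipped inside
    # the app is exactly what lets any holder produce signatures indistinguishable from the app's.
    key = f"{_pct(consumer_secret)}&{_pct(token_secret)}".encode()
    mac = hmac.new(key, signature_base_string(method, url, params).encode(), hashlib.sha1)
    return base64.b64encode(mac.digest()).decode()

def sign_request(method, url, body_params, consumer_key, consumer_secret, token, token_secret):
    # Client side: add the oauth_* protocol parameters, then sign the whole request.
    params = dict(body_params)
    params.update({
        "oauth_consumer_key": consumer_key,
        "oauth_nonce": secrets.token_hex(16),
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_timestamp": str(int(time.time())),
        "oauth_token": token,
        "oauth_version": "1.0",
    })
    params["oauth_signature"] = hmac_sha1_signature(method, url, params, consumer_secret, token_secret)
    return params

def verify_request(method, url, params, app_registry, token_registry):
    # Server side: look up both secrets by their public identifiers and recompute the
    # signature in constant time. Nonce/timestamp replay checks are omitted for brevity.
    consumer_secret = app_registry.get(params.get("oauth_consumer_key"))
    token_secret = token_registry.get(params.get("oauth_token"))
    if consumer_secret is None or token_secret is None:
        return False
    expected = hmac_sha1_signature(method, url, params, consumer_secret, token_secret)
    return hmac.compare_digest(expected, params.get("oauth_signature", ""))
```

Rotating the consumer secret in `app_registry` invalidates every signature made with the old one, which is the reset the article expects Twitter to perform, but it does not change what the secret proves.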