6 January 2009
I 9 form
Posted by schirristreet under: Uncategorized.
Hey Twitter, It’s Not Just a Worm, It’s an App
by Jesse Stay of Stay N' Alive (Twitter/FriendFeed)

There's no doubt that the worm making its rounds on Twitter is a nuisance and a huge problem for all. The fact of the matter is, someone has collected your usernames and passwords, and many of your accounts are now zombies, spamming each friend on your friends list via direct message, turning more unsuspecting accounts into zombies, and spreading like wildfire. Louis has talked about the worm which has surfaced on Twitter, the seriousness of the situation, and the implied implications for OAuth and security for microblogging. I suggested plain text passwords could be to blame - after all, any app out there that collects your usernames and passwords could theoretically use those passwords to start such a worm, in order to gain access to people with similar bank account passwords and more. That would be the fastest way over, say, a single user trying to amass friends to DM. We're already seeing several of those compromised accounts sending iPhone-related spam, so it would appear the worm developers could now be monetizing this, through your friends. At the same time, I keep seeing others criticizing the possibility that OAuth could have prevented this. I'd like to share my thoughts why.

Disclaimer

First of all, let me preface this with the fact that I am not a security expert. I have been developing software since I was 10 (I am now 31), and have plenty of real-world experience writing solid software. I've worked in health organizations requiring software to respect privacy around your health data, with e-commerce protecting your money, and I've written APIs. I understand what it takes to keep software safe. I also run my own business in which I also have to protect my users' data. I also understand that nothing's perfect.

While security has not been my exclusive focus, I hope I can at least make some sense of the matter.

First things first - this is an app's doing, right here. Now, I could be wrong, but all evidence seems to imply that this "worm" is actually an application, or possibly multiple applications, running on multiple servers around the planet (the IP range also suggests that the same developers have targeted YouTube and Bebo in the past). After all, the only other way to log in on behalf of users and DM others would be to screen-scrape Twitter, simulating a user actually logging in via the Twitter.com interface. This is possible, but I would think we would see Twitter very quickly implementing some form of CAPTCHA to slow it down. We haven't seen this yet, so the most logical conclusion is that someone has written an app somewhere which is taking advantage of the fact that you can log in via plain text usernames and passwords. That application is taking those usernames and passwords, programmatically logging in on behalf of each compromised user, and direct messaging their friends to collect more usernames and passwords.

Currently, the Twitter API makes it completely possible for anyone with your username and password to log in on your behalf, programmatically. Essentially, Twitter has given developers the key, and all keys open up the same lock. The only way to shut this down would be to kill the lock, which would shut off all developers. This is why the point of OAuth continues to be brought up - to start off, OAuth forces any developer to use a protected key or token in order to log in on behalf of the user. The developer never has the user's username or password. The user keeps their own keys to Twitter without having to give a copy of those keys to developers.

It's not that simple though.

Why they're saying OAuth wouldn't have fixed the problem

Assuming Twitter had implemented OAuth, let's assume no developer has your username or password and your information now feels secure. There is still nothing stopping those developers from using those tokens to log in on your behalf. Essentially, while the developer couldn't screen-scrape your data to log you in through Twitter with such a method, they could still use the API, just as these current phishers are probably doing, to continue to send DMs and messages on your behalf. An OAuth token is essentially just like another username and password, intended just for API use.

The other criticism they're giving OA
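As an added illustration (not code from the post, and not Twitter's API), the following Python model contrasts the two authentication schemes the post describes: a shared password, where every app holding it can do everything, against per-app tokens that carry only the scopes the user granted and can be revoked one app at a time. All class and function names (AuthServer, issue_token, revoke_app, send_dm, scenario) and the sample user and app names are invented for the example; the tokens are random strings rather than a real OAuth signature exchange. The scenario() walk-through also shows the post's caveat: a token granted with direct-message scope can still send DMs, so the mitigation lies in scoping tokens narrowly and revoking the offending app.

```python
"""Toy model of password auth vs. per-app, scoped, revocable tokens.

Added illustration only; names and the token format are invented for
this example and do not describe Twitter's real API or OAuth flow.
"""
import secrets
from dataclasses import dataclass, field


class AuthError(Exception):
    pass


@dataclass
class Token:
    user: str
    app: str
    scopes: frozenset  # e.g. {"read"} or {"read", "dm"}
    revoked: bool = False


@dataclass
class AuthServer:
    passwords: dict = field(default_factory=dict)  # user -> password
    tokens: dict = field(default_factory=dict)     # token string -> Token

    # "All keys open the same lock": any app holding the password is the user.
    def login_with_password(self, user, password):
        if self.passwords.get(user) != password:
            raise AuthError("bad credentials")
        # Every capability at once; the server cannot tell which app is acting.
        return frozenset({"read", "dm", "change_password"})

    # Token model: the user hands each app its own limited credential.
    def issue_token(self, user, password, app, scopes):
        if self.passwords.get(user) != password:
            raise AuthError("bad credentials")
        tok = secrets.token_urlsafe(16)
        self.tokens[tok] = Token(user, app, frozenset(scopes))
        return tok

    def capabilities_for_token(self, tok):
        t = self.tokens.get(tok)
        if t is None or t.revoked:
            raise AuthError("unknown or revoked token")
        return t.scopes

    def revoke_app(self, user, app):
        """Cut off one app without touching the password or other apps."""
        count = 0
        for t in self.tokens.values():
            if t.user == user and t.app == app and not t.revoked:
                t.revoked = True
                count += 1
        return count

    def send_dm(self, tok, recipient, text):
        """A DM endpoint that honours scopes; a read-only token cannot message."""
        if "dm" not in self.capabilities_for_token(tok):
            raise AuthError("token lacks dm scope")
        return (self.tokens[tok].user, recipient, text)


def scenario():
    """Walk through the post's argument; returns facts a test can check."""
    srv = AuthServer(passwords={"alice": "constructed-sample-password"})
    pw = "constructed-sample-password"
    # A third-party app is granted a read-only token.
    third_party = srv.issue_token("alice", pw, "third-party-app", {"read"})
    # The user's own desktop client is granted a dm-capable token.
    client = srv.issue_token("alice", pw, "desktop-client", {"read", "dm"})

    # 1. Password login grants everything: a leaked password is a leaked account.
    pw_caps = srv.login_with_password("alice", pw)

    # 2. The read-only token cannot send the DMs the worm relies on.
    try:
        srv.send_dm(third_party, "bob", "hello")
        third_party_can_dm = True
    except AuthError:
        third_party_can_dm = False

    # 3. A dm-scoped token CAN send DMs: the post's caveat about OAuth.
    dm_ok = srv.send_dm(client, "bob", "hello") == ("alice", "bob", "hello")

    # 4. Revoking one app leaves the password and the other app untouched.
    revoked = srv.revoke_app("alice", "third-party-app")
    client_still_works = "dm" in srv.capabilities_for_token(client)
    try:
        srv.capabilities_for_token(third_party)
        third_party_still_works = True
    except AuthError:
        third_party_still_works = False

    return {
        "password_grants_dm": "dm" in pw_caps,
        "third_party_can_dm": third_party_can_dm,
        "dm_scoped_token_can_dm": dm_ok,
        "revoked_count": revoked,
        "client_still_works": client_still_works,
        "third_party_still_works": third_party_still_works,
    }


if __name__ == "__main__":
    print(scenario())
```

Running the file prints the scenario results; the point to take from it is that a token is only an improvement over a password to the extent that it is narrowly scoped and can be revoked per app, which is exactly the gap the post identifies when a dm-capable token lands in the wrong hands.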