Tuesday, January 6, 2009

Twitter phishing issues

I agree with this article in the main, but there are some things worth pointing out, bearing in mind that the majority, and the most concerning, of these phishing issues came from people giving their credentials out and third parties assuming their identities and the trust associated with them.

1. OAuth could have allowed me to provide access for third-party systems on a case-by-case basis, without handing over credentials that could be stored and re-used.

2. OAuth would allow me to disable access immediately for a third-party site.

3. OAuth, as used in Gmail, could be used to restrict the levels of access you permit to third-party applications. Therefore I may allow a site to read my contacts (which most do) but not send replies or DMs on my behalf (in fact this is what Gmail can allow).

... I totally get that anyone can @ you on Twitter, but I would be unlikely to click a random link. If it came from a friend, especially by DM, I am MUCH more likely to click it.

The only question I have is why the phishing sites did not use TinyURL or something similar to mask the link.
