Last week, I decided to take a stab at implementing a basic OAuth consumer in order to integrate Twitter Karma with Twitter using OAuth. I’d read through the OAuth 1.0 specification before, but never closely enough to realize that there was a serious attack vector in it. So, I mentioned this on the twitter-development-talk mailing list, hoping to get some answers on April 16th:

Also, the redirect to the callback URL has no signature. What stops an attacker from brute-force attacking an OAuth consumer, iterating through posisble tokens? Simply the large search space of valid OAuth tokens? Even if it’s only “possible in theory” … some teenager with nothing better to do is going to eventually turn that theory into practice.

My concern was met with confusion so I brought the concern to the OAuth mailing list (also) on April 17th:

Currently, the OAuth callback URL is susceptible to replay attack and token shooting. Signing it would eliminate this in a very low-effort way.

…

[...] it’s very desirable to be able to tell if the callback was legitimate or either a replay attack or a brute-force token shooting attack.

Even client-side browser cookies may not win here if a simple session fixation attack is coupled with the token shooting attack.

I wasn’t sure if I was being understood, either, but then a few days later on April 20th, Twitter yanked their OAuth support offline.

Eventually, an OAuth security advisory 2009-1 was published on April 23rd that clearly states “A modified specification to address this issue is forthcoming” as I pointed out was necessary, and Eran Hammer-Lahav writes a thorough explanation of the problem in his blog. The money quote:

If we put it all together, even if an application:

• Makes sure to use the account of the user coming back from the callback and not that of the one who started
• Checks that the user who starts the process is the same as the one who finishes it
• Uses an immutable callback set at registration

It is still exposed to a timing attack trying to slide in between the victim authorizing access and his browser making the redirection call. There is simply no way to know that the person who authorizes is the same person coming back. None whatsoever.

This is exactly why the callback URL that the OAuth provider uses to redirect the user back to the OAuth consumer needs to be signed.

So, why am I making a big deal out of all of this? Well, I’m irked. Coincidentally, their “discovery” of this issue conveniently coincided with my raising of the issue publically on the mailing lists, yet nowhere is my name mentioned in any of this. In my opinion, that’s really poor form in an “open community” where often the only compensation for effort is recognition. It’s this kind of back-handed treatment that encourages people to demonstrate these security concerns through actual working exploits, which benefits no one but guarantees the creator their recognition.

In the end, I’m glad that this issue is going to be addressed and hopefully in a timely fashion because all of us developing applications in the public software ecosystem will benefit, but I still feel slighted. I’ll get over it, while I wait for the OAuth 1.1 specification.

Tags: OAuth, Twitter, security

This morning, I got a spam email with this subject line:

We are too lazy to change subjects every day, please buy our viagra

Wow, has it really come to this? Is there anyone left on this planet who wants to buy Viagra that doesn’t know how to get it, that spam like this has a non-zero conversion rate?!

I think spammers are now just sending spam to prove they can do it these days. They’re probably distributing URLs that link to sites that serve malware that exploit browser vulnerabilities simply to grow their botnets, under the guise of Viagra spam.

I’m waiting for the day when these botnet owners start distributing code to do large-scale grid crypto cracking. Imagine what kind of crypto you can brute-force in near-realtime with a grid of a few hundred thousand modern computers? That’s a supercomputer that no single organization could probably afford to purchase and manage.

Tags: Viagra, spam, hacking, distributed computing

Depression is a funny thing sometimes. I deal with intense feelings of loneliness a lot more often than I’d like to admit. What’s strange is the fact that I know hundreds of people. I talk to dozens of people online every day, by email, instant messaging, social networks and other ways. From the outside looking in, I appear to be constantly surrounded by people, at least virtually. Yet, I feel incredibly isolated, very alone, intensely lonely.

I’ve been seeing various therapists regularly for the past five years. I’m on two different anti-depressants (Paxil and Wellbutrin) and I take them daily. Perhaps I’m on the wrong medication or I need to add something else to the cocktail. Whatever the case, I’m actively seeking ways of trying to fix this problem. But, the intense feelings of loneliness start to trigger despair, and that just makes it that much harder to cope and try.

I recently wrote, “Sometimes, I really hate being me.” I don’t think anyone who read that really understood what I meant. I don’t know how to explain it. A therapist I saw for two years, who had been practicing for probably close to twenty years, finally said to me, “I don’t even know how to classify you.” I know that this quote is vague and lacks sufficient context, but he understood the gap that isolates me.

I’ll try writing more about this if I can bring myself to do it … I’ve wanted to write this for years, but every time I sat down to try, the words just wouldn’t come. Right at this moment, I’m determined to try and push through that barrier and finally write some of this down.

Tags: depression

Are you a student that meets Google’s eligibility criteria, who is interested in contributing to an Open Source project this summer? Google’s Summer of Code 2009 is on, and once again, the Tcl community has been accepted as a mentoring organization, which includes AOLserver.

Students can apply until the deadline of 19:00 UTC on April 3rd. If you have any questions about GSoC or AOLserver’s involvement in it, please ask me! I’ll try to help answer whatever questions you might have.

Good luck to all the students and mentoring organizations this summer!

Tags: Google Summer of Code 2009, Tcl, AOLserver, open source

Things have gotten seriously busy lately. I’ll try to re-cap some highlights:

I’ve just joined the Ridgewood chapter of the Barbershop Harmony Society after being a guest at their meetings for the past few weeks. This is a great complimentary activity to my singing in my church choir. We meet on Monday nights in Wyckoff, NJ, and it is a lot of fun.

We survived the girls’ birthdays again, this year we celebrated at Skylands Ice World up in Stockholm, NJ. Everyone had lots of fun and it just felt good to be out on the ice again. You aren’t allowed to bring in outside food, so I was nervous about the quality of the in-house catering as you effectively have no other choice, but it was surprisingly good! If you or your kids like to skate, this is definitely a place I’d recommend for a party.

Work has been keeping me busy and engaged as usual, working on developing products that will generate serious revenue. I really wish I could talk about them in more detail, but I can’t. Perhaps I’ll be able to link to a press release or two, soon.

I recently decided that I’d had enough of the annoying markup that ecto 3 generated and went looking for an alternative. A few people recommended MarsEdit 2 so I gave it a try. Let me put it this way: after 10 minutes of playing with it in my trial period, I bought it. It’s somewhat unfortunate as ecto was so close to being just right, but the few annoyances really got on my nerves after all this time. I think I would have hung in there except it seems like ecto’s development has pretty much stopped, but when I registered my copy of MarsEdit, I got an email from Daniel Jalkut, thanking me. That seemed like a good sign, you know?

I’ve probably forgotten a bunch of things that I wanted to mention, but at least this is a start.

Tags: Dossy Shiobara