Archive for May 18, 2011

Wednesday, May 18, 2011 [Tweets] [Favorites]

Twitter Requiring OAuth for Direct Messages

John Gruber:

I can’t think of any reason why Twitter would force native apps through OAuth other than to create a hurdle that steers users toward Twitter’s own official native clients. Because Twitter’s official clients aren’t going to force users to jump through OAuth to authenticate — they’re still going to simply ask for your username and password in a simple native dialog box.

Loren Brichter:

Time to be frank: any security that OAuth claims – with respect to native applications – is an illusion. If a native app wants to get a copy of your password, it will get a copy of your password. If it wants to hijack the authentication process, bring up a bogus “browser” for you to enter a password into, register keyloggers, muck with your system web proxy settings and sniff passwords before they hit the wire, or phish you some other way, guess what: it can and it will. OAuth does not solve these problems. It just adds complexity to the login process.

Update (2011-05-19): Macro Arment:

Oh, and one more thing: formerly-xAuth apps that need DM access have only 12 days to build this completely new login interface, test it, and release a new version — and, for iOS and Mac App Store apps, get it approved — before their existing apps start being denied access to DMs and probably display confusing and incorrect error messages, since the developers could never have foreseen this condition. Such aggressive timing is definitely a dick move.

Twitter has since extended the deadline to June 14, but that’s still rather short notice.