What People Don't Understand About OAuth and Twitter
(Cross-post from my Posterous)
Here’s a nifty “feature” of OAuth that most Twitter users aren’t aware of:
When you grant an application access with OAuth, you are giving it the same power it would have if you handed over your username and password.
The main difference is that instead of a password chosen by you, a secret key generated by Twitter gives the app access to your account. It can still add or remove followers, send DMs on your behalf, and post tweets or replies. When you give an app permission with OAuth it gets to be you on Twitter, exactly as if you had given it your password.
A lot of vague promises have led people to believe they are safer with OAuth, but that is not true.
At least Facebook tells users what it is that they are authorizing. Facebook's implementation of OAuth is dubbed “extended permissions.” You are notified of which permissions the app needs and individually asked to authorize them, such as the ability to post on your wall or manage the Fan Pages you control. Twitter has chosen to make its implementation only as granular as “read” versus “read/write.”
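To make the granularity point concrete, here is an added example that is not code from the original post, nor any real Twitter or Facebook API. It models a toy OAuth resource server: the action names, scope names and the `AccessToken` class are all hypothetical. A coarse “read/write” grant expands to every write permission, so the app can do anything the account holder can, while a fine-grained grant limits it to exactly what the user approved. The `revoke_app` helper shows the one thing a per-app token does buy over a shared password (a general property of OAuth, not a claim the post makes): the user can cut off a single app without changing the password or touching other apps.

```python
"""Toy OAuth resource server illustrating scope granularity (added example)."""
from dataclasses import dataclass

# Hypothetical fine-grained scopes, in the style of Facebook's extended permissions.
FINE_SCOPES = {"read_timeline", "post_tweet", "send_dm", "manage_follows"}

# Twitter-style coarse scopes: "read" covers reads only, "read/write" covers everything.
COARSE_EXPANSION = {
    "read": {"read_timeline"},
    "read/write": FINE_SCOPES,
}

# Which fine-grained permission each (hypothetical) API action requires.
REQUIRED_SCOPE = {
    "GET /timeline": "read_timeline",
    "POST /tweet": "post_tweet",
    "POST /dm": "send_dm",
    "POST /follow": "manage_follows",
}


@dataclass
class AccessToken:
    """A token issued to one app for one user (hypothetical structure)."""
    app_id: str
    user: str
    granted: set   # scopes the user actually approved at authorization time
    revoked: bool = False


def effective_scopes(token):
    """Expand coarse scopes into the fine-grained permissions they imply."""
    out = set()
    for s in token.granted:
        out |= COARSE_EXPANSION.get(s, {s})
    return out


def authorize(token, action):
    """Return (allowed, reason) for an API action attempted with this token."""
    if token.revoked:
        return False, "token revoked"
    needed = REQUIRED_SCOPE.get(action)
    if needed is None:
        return False, "unknown action"
    if needed in effective_scopes(token):
        return True, f"scope {needed} granted"
    return False, f"scope {needed} not granted"


def permitted_actions(token):
    """List every action the token can perform; shows how much a grant really covers."""
    return sorted(a for a in REQUIRED_SCOPE if authorize(token, a)[0])


def revoke_app(store, user, app_id):
    """User revokes one app's tokens; other apps and the password are untouched."""
    n = 0
    for t in store:
        if t.user == user and t.app_id == app_id and not t.revoked:
            t.revoked = True
            n += 1
    return n


if __name__ == "__main__":
    # Constructed sample tokens for one user and two apps.
    coarse = AccessToken("app_a", "alice", {"read/write"})
    fine = AccessToken("app_b", "alice", {"post_tweet"})
    print("read/write grant allows:", permitted_actions(coarse))
    print("post_tweet grant allows:", permitted_actions(fine))
    revoke_app([coarse, fine], "alice", "app_a")
    print("after revoking app_a:", authorize(coarse, "POST /dm"))
```

Run as a script it prints that the coarse grant permits all four actions while the fine-grained grant permits only posting, and that revoking one app denies that app without affecting the other.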
So I asked the readers over at Scripting.com a simple question, “Do OAuth apps first need to be approved by Twitter or can I throw together an app that once you authorize will do nothing more than hijack your account?” The answer? Nothing short of alarming:
You can throw together anything you like. Twitter doesn’t have access to your source code. Once you can trick people into using your app, it can do whatever it wants with your account. (via: tlack)
Wow.
I must admit that I did not know that. I assumed that there must be some sort of approval from Twitter. I am surprised that more malware OAuth apps have not been developed.
Read more at Scripting.com.