According to Nate Lawson and Taylor Nelson of Root Labs, OpenID and OAuth, which are used to authenticate third-party web and desktop applications to web services like Twitter and Digg, are exposed to a severe security threat. In fact, the security flaw affects a host of other open source authentication services. The matter will be brought up at an upcoming security conference.

The flaw is based on the very controversial timing attack, in which the attacker measures the time required to analyze signatures and uses it to estimate whether the first few characters of the attempted signature are correct. Repeated, this process can in theory lead to a successful hack. In practice, however, it is very hard to carry out, or at least that was the common belief until three years ago.
Three years ago, a timing attack was used to hack into the Xbox, and the people who did it became geek gods. However, that was a direct interaction with the host. Over a network, we need to consider many more factors, such as network load, jitter and varying latency.
What is remarkable is that Lawson and Nelson claim to have executed this attack on a network as well as on a cloud, and to have successfully gained sensitive information. Further details will be revealed at the upcoming BlackHat conference in Las Vegas.
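The comparison weakness described above, as an added example (not code from the researchers or from any OpenID or OAuth library): an early-exit signature check does work proportional to the length of the correct prefix, while a constant-time check does not. The key, the message, the function names and the choice of HMAC-SHA1 are assumptions made for illustration.

```python
import hashlib
import hmac

# Constructed sample values: a demo key and request, not from any real service.
SECRET_KEY = b"constructed-demo-key"
MESSAGE = b"oauth_consumer_key=demo&oauth_nonce=1234"


def sign(message: bytes, key: bytes = SECRET_KEY) -> str:
    """Hex HMAC-SHA1 signature of a request (algorithm assumed for illustration)."""
    return hmac.new(key, message, hashlib.sha1).hexdigest()


def leaky_equals(expected: str, supplied: str) -> tuple:
    """Early-exit comparison. Returns (match, characters examined).

    The second value is a deterministic stand-in for running time: the
    loop stops at the first mismatch, so the work done grows with the
    length of the correct prefix. That dependence is the timing leak.
    """
    if len(expected) != len(supplied):
        return False, 0
    examined = 0
    for a, b in zip(expected, supplied):
        examined += 1
        if a != b:
            return False, examined
    return True, examined


def verify(message: bytes, supplied_signature: str) -> bool:
    """Hardened check: recompute the signature and compare in constant time.

    hmac.compare_digest takes time independent of where the inputs differ.
    """
    expected = sign(message)
    return hmac.compare_digest(expected.encode(), supplied_signature.encode())


if __name__ == "__main__":
    good = sign(MESSAGE)
    # Two wrong signatures: one differs in the first character, one in the last.
    wrong_first = ("0" if good[0] != "0" else "1") + good[1:]
    wrong_last = good[:-1] + ("0" if good[-1] != "0" else "1")
    print("leaky, first char wrong:", leaky_equals(good, wrong_first))
    print("leaky, last char wrong: ", leaky_equals(good, wrong_last))
    print("hardened verify:", verify(MESSAGE, wrong_last), verify(MESSAGE, good))
```

The network load, jitter and latency mentioned above make this difference harder to observe remotely, but only the constant-time comparison removes it at the source.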


