do-plugins team mailing list archive
Message #01389
[Bug 515838] [NEW] Microblogging authenticates with Twitter insecurely
*** This bug is a security vulnerability ***
Private security bug reported:
It looks as though the microblogging plugin is authenticating using
Basic Auth and plain HTTP.
This is vulnerable to snooping. For example, my friendly local sysadmin
happened to see my password going past during an audit.
Furthermore, Twitter has deprecated Basic Auth and recommends that OAuth
be used (i.e. a user is verified once, and from then on a token is passed,
not the original password). See
http://apiwiki.twitter.com/Security-Best-Practices#UnencryptedCommunicationnoSSL
At the least the plugin should use the https url to log in. Better, it
should use OAuth.
** Affects: do-plugins
Importance: Undecided
Status: New
--
Microblogging authenticates with Twitter insecurely
https://bugs.launchpad.net/bugs/515838
You received this bug notification because you are a member of GNOME Do
Plugins Team, which is a direct subscriber.
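
The exposure described in the report above, as an added example that is not part of the original message or the plugin's code: a small audit function that classifies an outgoing request by transport and by what its Authorization header carries. The function name `audit_request`, the host `api.example.invalid` and all credentials are constructed for illustration.

```python
import base64
from urllib.parse import urlsplit


def audit_request(url, headers):
    """Return findings for one outgoing request (hypothetical helper).

    `headers` is a dict keyed by the exact name "Authorization".
    """
    findings = []
    scheme = urlsplit(url).scheme.lower()
    kind, _, value = headers.get("Authorization", "").partition(" ")
    kind = kind.lower()

    if scheme != "https":
        findings.append("cleartext-transport")

    if kind == "basic":
        # Basic Auth repeats base64("user:password") on every request.
        findings.append("password-sent-every-request")
        try:
            decoded = base64.b64decode(value, validate=True).decode("utf-8")
        except ValueError:  # covers bad base64 and bad UTF-8
            findings.append("malformed-basic-header")
        else:
            user, sep, _password = decoded.partition(":")
            if sep and scheme != "https":
                # base64 is an encoding, not encryption: anyone on the path
                # can recover the password. Only the user name is reported.
                findings.append("password-readable-on-wire:user=" + user)
    elif kind == "oauth" and scheme != "https":
        # The password never travels, but a token header can still be observed.
        findings.append("token-readable-on-wire")
    return findings


# Constructed sample requests (not captured traffic).
BASIC = {"Authorization": "Basic " + base64.b64encode(b"alice:not-a-real-pw").decode()}
OAUTH = {"Authorization": 'OAuth oauth_token="constructed-token", oauth_signature="x"'}
HTTP_URL = "http://api.example.invalid/update"
HTTPS_URL = "https://api.example.invalid/update"

if __name__ == "__main__":
    for url, hdrs in [(HTTP_URL, BASIC), (HTTPS_URL, BASIC), (HTTPS_URL, OAUTH)]:
        print(url, hdrs["Authorization"].split()[0], audit_request(url, hdrs))
```
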