A hacker allegedly leaked the login information of 15,000 Twitter accounts Tuesday, but not by obtaining the passwords. Instead, the hacker reportedly accessed the tokens from third-party accounts.
Immediately, Twitter and media outlets encouraged users to head to their Twitter accounts and lock down security.
What is Twitter OAuth?
According to the OAuth site, it is "an open protocol to allow secure authorization in a simple and standard method from web, mobile and desktop applications." Basically, OAuth is an authorization tool that approves third-party applications to use and access your Twitter account, without you having to share your password.
OAuth makes it easy to give third-party apps access to your Twitter account, typically a convenient way to merge your various social properties and unify your online identity. It's particularly useful if you want to tweet directly from third-party apps like Hootsuite or Instagram, for example. Additionally, OAuth lets third-party apps access your account without ever learning your password, so it's typically a safe way to maintain your accounts without sacrificing your login information.
How do apps use OAuth?
In order for a third-party app to use OAuth, it must obtain an access token from you, the user, which essentially grants permission to act on behalf of your account. This will then allow the app to make "calls" to Twitter's APIs.
An app can obtain access tokens in a number of ways, the most popular of which is probably a "Sign in with Twitter" button on its third-party site. Once you approve a third-party app, you grant the app a token. These tokens do not expire on their own; they only become invalid if you explicitly revoke the app's access, or if a Twitter admin suspends the app.
How do I keep my OAuth apps secure?
Regular housekeeping of these approved apps not only keeps track of how many apps have access to your account, but also prevents hacks that rely on extremely old tokens.
Because these tokens won't expire unless you revoke access, it's important to routinely go through the third-party apps you've approved. You can find them on Twitter's Applications page under Settings. Revoking an app's access doesn't mean you can never link those two properties again: if you grant that app access later, you'll simply get a brand new token.
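To make the token lifecycle described above concrete (tokens that never expire on their own, that stop working the moment you revoke the app, and that are reissued fresh if you approve the app again), here is an added example in Python. It is a simplified model written for this page, not Twitter's code or any OAuth library; the `TokenStore` class, its method names and the sample users and app names are all assumptions, and the audit helper shows the "housekeeping" check for old tokens that the text recommends.

```python
# Added example (not from the article or Twitter): a minimal model of the
# OAuth access-token lifecycle the article describes. Tokens are bound to
# (user, app), never expire by themselves, are rejected as soon as the user
# revokes the app, and re-approving an app mints a brand-new token.
import secrets

DAY = 86400  # seconds


class TokenStore:
    """Hypothetical server-side registry of access tokens."""

    def __init__(self):
        self._tokens = {}  # token -> {"user": ..., "app": ..., "issued_at": ...}

    def approve(self, user, app, now):
        """User clicks 'Authorize app': mint a fresh, random token that lets
        the app call the API on the user's behalf. `now` is a Unix time."""
        token = secrets.token_urlsafe(32)
        self._tokens[token] = {"user": user, "app": app, "issued_at": now}
        return token

    def call_api(self, token):
        """An API call presents its token. It is honoured only while the token
        is still registered; note that there is no age check at all, which is
        exactly why a leaked token stays usable until someone revokes it."""
        entry = self._tokens.get(token)
        if entry is None:
            return None  # unknown or revoked token: request rejected
        return entry["user"]

    def revoke(self, user, app):
        """Settings > Apps > Revoke access: drop every token for (user, app).
        Returns how many tokens were invalidated."""
        doomed = [t for t, e in self._tokens.items()
                  if e["user"] == user and e["app"] == app]
        for t in doomed:
            del self._tokens[t]
        return len(doomed)

    def audit(self, user, now, max_age_days=365):
        """Housekeeping: list the user's apps whose tokens are older than
        max_age_days, i.e. the first candidates to revoke."""
        cutoff = now - max_age_days * DAY
        return sorted(e["app"] for e in self._tokens.values()
                      if e["user"] == user and e["issued_at"] < cutoff)


if __name__ == "__main__":
    store = TokenStore()
    old = store.approve("alice", "sample-app", now=0)          # constructed data
    store.revoke("alice", "sample-app")
    print(store.call_api(old))                                 # None: revoked
    print(store.call_api(store.approve("alice", "sample-app", now=DAY)))  # alice
```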
You can also easily revoke access to iOS integration on all your devices directly from the web. Navigate to Twitter Settings > Apps > Revoke Access, under the iOS by Apple app. This will prevent your phone from accessing your account via third-party apps, a useful trick if your phone is ever stolen.
You should also be wary of third-party apps that look suspicious, and be careful not to share your login information. The only apps that may safely require your username and password are installed apps you use to tweet directly from your desktop or phone. Most others should never require direct access to your login information.