[liberationtech] UPDATE - Re: potentially major security flaw in twitter

Brian Conley brianc at
Thu Dec 22 11:29:40 PST 2011

Hi all,

So an update. Essentially I've run into what some of you have probably
previously mentioned, the impact of the OAuth protocol.

For an uninformed user of Twitter, OAuth can cause them to provide access
to their Twitter account from secondary devices even after changing
passwords at the source.

Obviously this has huge implications for citizen journalists, activists,
and human rights workers among others. Anyone who is detained and whose
Twitter passwords become compromised (as well as other applications; I'm
guessing the Facebook app for iPad also uses OAuth, though it may just
store the password) is at risk of providing ongoing access to these apps if
they fail to remove the OAuth authorization after changing their passwords.

Does anyone know of resources that have been produced to raise awareness
about this issue, or similar issues? I'm wondering whether Small World News
should put some effort into developing a more comprehensive social media
security 101 that considers these technical issues as well as general best



On Wed, Dec 21, 2011 at 5:38 PM, Brian Conley <brianc at> wrote:

> Hi all,
> So I don't really want to broadcast this to an entire list of people whom
> I don't know, but I've found what is potentially a huge flaw in twitter's
> security architecture. Can any of you connect me directly with someone at
> Twitter who is involved with security?
> I will be happy to brief the list once it's fixed.
> Brian
> --
> Brian Conley
> Director, Small World News
> m: 646.285.2046
> Skype: brianjoelconley
> public key:


Brian Conley
Director, Small World News
m: 646.285.2046
Skype: brianjoelconley
public key:
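The behaviour the post describes, modelled as a small token server, is shown below. This is an added example written for this archive page, not code from the post's author, from Twitter, or from any real OAuth implementation; every name in it (OAuthServer, Grant, scenario, the "reporter" account and "tablet-client" app) is an assumption. The server can run in two modes: one where a third-party app's access token keeps working after the account password changes until the user revokes the app by hand (the risk the post raises), and one where each grant is bound to a "credential generation" counter that is bumped on every password change, so earlier tokens stop validating without the user having to remember the connected-apps page.

```python
"""Toy model of OAuth access tokens outliving a password change, beside a
mitigation that binds each grant to the account's credential generation.
Added example; all names and the sample account are constructed assumptions."""
import hashlib
import secrets
from dataclasses import dataclass


def hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2 is used only so the model stores something other than plaintext.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class Account:
    salt: bytes
    password_hash: bytes
    generation: int = 0  # incremented on every password change (mitigation mode)


@dataclass
class Grant:
    username: str
    client: str
    generation: int  # account generation at the moment the app was authorized


class OAuthServer:
    """Hypothetical service. invalidate_on_password_change=False reproduces the
    situation in the post: a token issued to an app stays valid after the user
    changes the password, until the app is revoked explicitly."""

    def __init__(self, invalidate_on_password_change: bool):
        self.invalidate = invalidate_on_password_change
        self.accounts: dict[str, Account] = {}
        self.grants: dict[str, Grant] = {}  # access token -> grant

    def register(self, username: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self.accounts[username] = Account(salt, hash_password(password, salt))

    def _check_password(self, username: str, password: str) -> bool:
        acct = self.accounts[username]
        return secrets.compare_digest(acct.password_hash,
                                      hash_password(password, acct.salt))

    def authorize_app(self, username: str, password: str, client: str) -> str:
        """The app presents the password once and receives a long-lived token;
        it never needs the password again, which is why a later password change
        on its own does not lock the app out."""
        if not self._check_password(username, password):
            raise PermissionError("bad credentials")
        token = secrets.token_urlsafe(32)
        self.grants[token] = Grant(username, client, self.accounts[username].generation)
        return token

    def change_password(self, username: str, old: str, new: str) -> None:
        if not self._check_password(username, old):
            raise PermissionError("bad credentials")
        acct = self.accounts[username]
        acct.salt = secrets.token_bytes(16)
        acct.password_hash = hash_password(new, acct.salt)
        if self.invalidate:
            acct.generation += 1  # every grant issued before now stops validating

    def token_valid(self, token: str) -> bool:
        grant = self.grants.get(token)
        if grant is None:
            return False
        if self.invalidate and grant.generation != self.accounts[grant.username].generation:
            return False
        return True

    def connected_apps(self, username: str) -> list[str]:
        """What a 'connected apps' page should show the user: every app still
        holding a grant, whether or not its token currently validates."""
        return sorted({g.client for g in self.grants.values() if g.username == username})

    def revoke_app(self, username: str, client: str) -> None:
        """Manual revocation, the step the post says users tend to forget."""
        stale = [t for t, g in self.grants.items()
                 if g.username == username and g.client == client]
        for t in stale:
            del self.grants[t]


def scenario(invalidate: bool) -> dict:
    """Constructed walk-through: authorize an app, change the password, then
    revoke the app. Returns whether the app's token validated at each step."""
    srv = OAuthServer(invalidate)
    srv.register("reporter", "old-passphrase")
    token = srv.authorize_app("reporter", "old-passphrase", "tablet-client")
    before = srv.token_valid(token)
    srv.change_password("reporter", "old-passphrase", "new-passphrase")
    after_change = srv.token_valid(token)
    apps_listed = srv.connected_apps("reporter")
    srv.revoke_app("reporter", "tablet-client")
    after_revoke = srv.token_valid(token)
    return {"before": before, "after_change": after_change,
            "apps_listed": apps_listed, "after_revoke": after_revoke}


if __name__ == "__main__":
    print("tokens survive password change:", scenario(False))
    print("generation-bound tokens:        ", scenario(True))
```

In the first mode the password change alone changes nothing for the tablet app, which is exactly why a user who changes a password under duress still needs to walk the connected-apps list. In the second mode the generation counter does that walk for them; the grant record is kept (so the apps page can still show the user what was authorized), but the token no longer validates. A real deployment would also record when each grant was last used, so the user can recognise an app they no longer own.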