I’ve been seeing various announcements and trials over the last few weeks, but it seems that the wait is over and Twitter finally officially supports OAuth. This means that there is no longer any reason for third party web sites to store your Twitter password if they want to interact with Twitter on your behalf. This closes a security hole that I’ve been going on about for months.
Well, except, the security hole hasn’t actually been closed. The third party applications still have the option to use the old authorisation mechanism. It wouldn’t, of course, be fair for Twitter to force all of the third party applications to change their authorisation code overnight. Twitter say:
There is no requirement to move to OAuth at this time. If/When a date is set for the deprecation of Basic Auth we will publish a notice on the API Development Talk. We will not set a date for deprecation until several outstanding issues have been resolved. When we do set a date we plan to provide at least six months to transition.
So you can still use the old, and broken, authorisation mechanism. But over the coming days and weeks we should see fewer and fewer applications using it. And there’s no excuse at all for new applications to use it.
I’m looking forward to using some of the Twitter add-ons that I’ve been avoiding for security reasons. I’ve already turned on Twitterfeed (which, as far as I can see, was one of the first applications to make the switch) and I’m planning to take a closer look at Ping.fm just as soon as they switch over.
As a user of these applications there are a couple of things that you can do.
- Check the services that you are using to see if they have switched to using OAuth. You’ll know if they have, as you’ll no longer be prompted to enter your username and password. Instead you’ll be shown a page on the Twitter site and asked to authorise the application to interact with Twitter on your behalf.
- If your services have switched to using OAuth then do whatever you need to do in order to stop using the old mechanism. I can’t really explain what form that might take as I’ve never had to do it. Then change your Twitter password so that your current password isn’t still in someone’s database in plain text.
- If services that you use haven’t switched to using OAuth yet, then give the developers a gentle prod and tell them that you’ll be far happier using their service once they’ve made the change. Maybe even tell them that you’ll stop using their service until they’ve made the switch.
I’ve been quite harsh in my criticism of Twitter for encouraging this horrible antipattern to become so acceptable across the internet. I still think that it was a terrible design decision on their part and that they have taken longer than necessary to respond to the criticism they have received from several people. But I’m glad that they’ve now introduced OAuth and I hope that we can all do all we can to consign the old-style authentication to the dustbin of history as soon as possible.