This post is mainly a response to this: http://www.louisgray.com/live/2008/11/twitterank-can-have-my-password-no.html
At Twitpay, we obviously needed to work with Twitter, and since they don’t yet offer OAuth (or something similar), we explored the options on how best to do this. There has been a proliferation lately of sites that ask you to provide your username and password for other sites in order to exploit some sort of functionality, usually searching through your address book. While this tradeoff of security for convenience may be worth it in the short term in order to “get something done”, unless you are using a different password for every site you visit (which is not the case for the VAST majority of users), it is NEVER a good idea.
Perhaps we would be best served by giving a couple of more basic email-based examples. First, let’s assume you are a new MySpace user (and, to be fair, Facebook has the exact same procedure) and you have just registered for your account. The second step they offer you, after you add a picture, is to enter the password for your email account (GMail, Yahoo, Hotmail, etc.). They also include a caveat that says that “MySpace will not store your email login information.” Well, that’s all well and good, but the user has exactly zero ways of verifying that bit of information. So from a user’s perspective, your email username and password are now out in the wild and can no longer be trusted to be safe.
Here is where the situation gets ugly, as there are a lot of sites getting into this method of “faux authentication”. If someone manages to hack into any one of their systems, the user is at risk. Because even if the site abides by their statement that they do not store the user’s credentials in the database, I bet there is a fair to even chance that at least some of them will have that information show up in the web or application server logs.
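To make the “it ends up in the logs” point concrete, here is an added example (not code from this post or from any of the sites mentioned) showing how a request logger leaks a third-party password, a redacting logger that masks it, and a small scanner a defender can run over existing logs to find credentials that already leaked. The field names in SENSITIVE_KEYS, the request values and the log lines are all constructed for the example.

```python
import json
import re
from urllib.parse import parse_qsl, unquote_plus, urlencode

# Parameter names that must never reach a log. Constructed for this example;
# a real deployment extends it with its own field names.
SENSITIVE_KEYS = sorted({"password", "passwd", "pass", "email_password", "secret", "token"})
MASK = "[REDACTED]"


def naive_log_line(method, path, query, body):
    """The leak: the raw query string and request body are written as-is."""
    return f"{method} {path}?{query} body={body}"


def redact_query(query):
    """Mask sensitive values in an application/x-www-form-urlencoded string."""
    pairs = parse_qsl(query, keep_blank_values=True)
    return urlencode([(k, MASK if k.lower() in SENSITIVE_KEYS else v) for k, v in pairs])


def _redact_obj(obj):
    # Walk nested JSON; mask by key name at any depth.
    if isinstance(obj, dict):
        return {k: (MASK if k.lower() in SENSITIVE_KEYS else _redact_obj(v)) for k, v in obj.items()}
    if isinstance(obj, list):
        return [_redact_obj(v) for v in obj]
    return obj


def redact_body(body):
    """Mask sensitive fields in a JSON body. Anything we cannot parse is
    omitted rather than logged, because we cannot prove it is safe."""
    try:
        data = json.loads(body)
    except (TypeError, ValueError):
        return "[BODY OMITTED]"
    return json.dumps(_redact_obj(data), sort_keys=True)


def safe_log_line(method, path, query, body):
    """Same log entry, with credentials masked before it is written."""
    return f"{method} {path}?{redact_query(query)} body={redact_body(body)}"


# Detection: patterns for cleartext credentials in form-encoded and JSON fragments.
_KEY_ALT = "|".join(SENSITIVE_KEYS)
_LEAK_PATTERNS = [
    re.compile(r"(?i)\b(%s)=([^&\s]+)" % _KEY_ALT),
    re.compile(r'(?i)"(%s)"\s*:\s*"([^"]*)"' % _KEY_ALT),
]


def find_credential_leaks(lines):
    """Return (line_index, field_name) for every unmasked credential found."""
    hits = []
    for i, line in enumerate(lines):
        for pat in _LEAK_PATTERNS:
            for m in pat.finditer(line):
                if unquote_plus(m.group(2)) != MASK:
                    hits.append((i, m.group(1).lower()))
    return hits


if __name__ == "__main__":
    # Constructed request: a site asking for someone's email password.
    query = "password=hunter2&email=a%40b.com"
    body = '{"imap": {"user": "a@b.com", "password": "hunter2"}}'
    log = ["GET /health",
           naive_log_line("POST", "/import", query, body),
           safe_log_line("POST", "/import", query, body)]
    for line in log:
        print(line)
    print("leaks:", find_credential_leaks(log))
```

The scanner is deliberately simple; its value is that it can be pointed at the access and application logs a site already has, which is where the post expects these passwords to turn up.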
If that is the case, then the first thing that will happen is that your account will be used as a spam generator. This is a pain, but it’s not going to ruin your day. The real trouble begins when the attacker begins to farm that email account for information. Unless the user has used that account as a throwaway only for registrations, in all likelihood the attacker can now mine the account for your real name, your address, and enough other information about you to effectively steal your identity. Second, it is probable that they now have access to your bank account and other financial data as the majority of people do not use different passwords for different sites. Their email password is likely the same password as their banking password. At that point the game is effectively over.
This principle extends beyond email usernames and passwords as well. The most recent example we can see of this is with Twitterrank, discussed here: http://blogs.zdnet.com/collaboration/?p=163. Most people immediately think, “I don’t care if someone steals my Twitter account” or at least they care very little, because who cares if someone tweets on their behalf in the short term.
The problem is much larger than that.
First, Twitter has an open security hole documented here: http://brianshaler.com/blog/2008/11/23/twitter-security-issue/. Basically, if some hacker manages to get your username and password and log in to Twitter before you are able to change it, they effectively have permanent control of your account. Changing your password does no good because they have a cookie that establishes them as you.
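The fix for the hole described above is to tie every session to the password that was current when the session was issued, so that changing the password revokes sessions created under the old one. The following is an added example of that pattern, not Twitter’s code: an in-memory account and session store (constructed for the example) where each session records a password version, and a check that rejects any session whose version no longer matches. The `bind_to_password=False` path reproduces the flaw for comparison. The hashing helper is a placeholder; a real system uses a slow, salted password hash.

```python
import hashlib
import hmac
import secrets


def _toy_hash(password):
    # Placeholder for illustration only; real code uses bcrypt, scrypt or
    # Argon2 with a per-user salt, not plain SHA-256.
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


class AccountStore:
    """In-memory users and server-side sessions (constructed for this example)."""

    def __init__(self):
        self.users = {}     # username -> {"pw_hash": str, "pw_version": int}
        self.sessions = {}  # session token -> {"user": str, "pw_version": int}

    def register(self, username, password):
        self.users[username] = {"pw_hash": _toy_hash(password), "pw_version": 0}

    def _check_password(self, username, password):
        user = self.users.get(username)
        return user is not None and hmac.compare_digest(user["pw_hash"], _toy_hash(password))

    def login(self, username, password):
        """Issue a random session token bound to the current password version."""
        if not self._check_password(username, password):
            return None
        token = secrets.token_urlsafe(32)
        self.sessions[token] = {"user": username,
                                "pw_version": self.users[username]["pw_version"]}
        return token

    def current_user(self, token, bind_to_password=True):
        """Resolve a session token to a username, or None if invalid.

        With bind_to_password=False the token stays valid forever, which is
        the behaviour the post describes: a stolen cookie outlives a password
        change. With binding on, a stale version revokes the session."""
        sess = self.sessions.get(token)
        if sess is None:
            return None
        if bind_to_password and sess["pw_version"] != self.users[sess["user"]]["pw_version"]:
            del self.sessions[token]
            return None
        return sess["user"]

    def change_password(self, token, old_password, new_password):
        """Rotate the password and bump its version. Only the session that
        performed the change is carried forward; every other one dies."""
        sess = self.sessions.get(token)
        if sess is None or not self._check_password(sess["user"], old_password):
            return False
        user = self.users[sess["user"]]
        user["pw_hash"] = _toy_hash(new_password)
        user["pw_version"] += 1
        sess["pw_version"] = user["pw_version"]
        return True


if __name__ == "__main__":
    store = AccountStore()
    store.register("alice", "correct horse")
    stolen = store.login("alice", "correct horse")   # session made with leaked creds
    own = store.login("alice", "correct horse")      # the owner's own session
    store.change_password(own, "correct horse", "battery staple")
    print("unbound check after change:", store.current_user(stolen, bind_to_password=False))
    print("bound check after change:  ", store.current_user(stolen))
```

Storing a version counter rather than the hash itself keeps the session table free of password material, and the same counter can be bumped by an administrator to force every session for an account to re-authenticate.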
The second issue here is one of very basic data mining and social engineering. Passwords are a poor mechanism for security in and of themselves, as written about here by Schneier: http://www.guardian.co.uk/technology/2008/nov/13/internet-passwords. And because multiple passwords are difficult to manage, people tend to use the same passwords for every site. So once we have either successfully attacked a site that is storing Twitter usernames and passwords, or have set up a fake application to gather them, it is trivial to figure out people’s emails from that list and to then begin seeing if their email accounts use the same or a similar password. And once we establish the ones that do, we then again have the keys to the castle, as we mine the email for personal and financial info.
If a large number of sites start asking for usernames and passwords, users will get used to providing this kind of information to third parties. Once they are so conditioned, it will be easy to launch scams that ask for these credentials. Each new site that asks for this kind of information contributes to a future situation in which users have been trained to give their password out to anyone who asks for it. It’s like environmental pollution. No individual site creates this overall conditioning, but each contributes a small part to a bigger problem.
My next post will talk about better ways to gracefully handle sites that do not offer OAuth or something similar as a mechanism to access their data. I can be reached on Twitter @tensigma.