Skip Links

OAuth 2.0 security used by Facebook, others called weak

The OAuth 2.0 API security protocol also used by Salesforce.com may be too easy to crack, critics contend

By Joab Jackson, IDG News Service
September 22, 2010 04:11 PM ET

IDG News Service - The emerging OAuth 2.0 Web API authorization protocol, already deployed by Facebook, Salesforce.com and others, is coming under increased criticism for being too easy to use, and therefore to spoof by malicious hackers.

"The OAuth community has made a big mistake about the future direction of the protocol," wrote Yahoo director of standards development Eran Hammer-Lahav in a blog post last week. Hammer-Lahav's criticism may carry more weight than those from the usual naysayer, because he is actually one of the creators of OAuth.

"What makes this more frustrating is that the people behind [OAUTH 2.0] are some of the brightest security minds on the Web. These guys know exactly what they are doing, and it's not like they don't care," Hammer-Lahav wrote. "They just gave up and decided that the best they can do is maintain the status quo. They are also representing a large and powerful coalition of big companies too lazy to work a little harder."

Hammer-Lahav's words may strike an ominous chord, given how both public and enterprise-based Web services are rapidly adopting the draft IETF (Internet Engineering Task Force) standard as a way for Web services to share data. The final version of the specification, which has been authored by engineers at Google, Microsoft, Yahoo, Facebook and others, is expected this fall.

On Sunday, a Salesforce.com engineer announced on the OAuth developer mailing list that the cloud-based enterprise software service was rolling out support for OAuth 2.0. In August, Microsoft added OAuth 2.0 as one of the options for access control for its Azure cloud platform.

Facebook now uses OAuth 2.0 as the preferred method for third-party apps to draw user information from the service. The open source Drupal content management system is building out support for OAuth 2.0 as swell.

Another potential user may be Twitter, which just converted to OAuth version 1.0a at the beginning of the month. Rumors have abounded that the service will move to version 2.0 though thus far engineers have remained quiet on the possibility.

OAuth provides a method of third party authentication that allows Web services to share data through their APIs (application programming interfaces). A user establishes an account with one service, and a server from that service can provide others services with tokens that can be used to access that data. So a user with a Facebook account, for instance, can approve a third-party application to access some of his or her Facebook information, without actually providing the service with a log-in name and password.

The current version of OAuth, version 1.0a, has been criticized for weaknesses, most notably that it is difficult for developers to implement.

OAuth 2.0 aims to simplify this complexity. "The challenge for the developers is that they have to go and write all this signing code," noted OAuth 2.0 co-editor Dick Hardt, in an interview with the IDG News Service earlier this year. Version 2.0, originally called WRAP (Web Resource Authorization Protocol), also helps cut down administration on the server side, since the server doesn't need a directory of all the parties that have been issued keys.

Our Commenting Policies
Latest News
rssRss Feed
View more Latest News