An Insider’s View on Product Management

April 26, 2009

On OAuth vulnerability and open standards

Filed under: Product Management,Technology — Gregory @ 7:51 pm
Tags: , , ,

OAuth is the protocol of choices for delegating authorization access in the Open APIs world. As a user it allows me to share private resources stored on one site with another site without having to hand out my username and password. The protocol is commonly supported by companies like MySpace, Google, Yahoo and Twitter on their Open APIs. Last week, a vulnerability was discovered in the OAuth protocol. The identified security threat is known as a session fixation attack. You can find more details about the attack’s specificities in Eran Hammer-Lahav’s excellent post. The Oauth community reacted quickly and did a fantastic job in handling the situation. It was an impressive display of individuals, small and big companies working together for solving the issue. Among the heroes, Eran masterfully coordinated the community’s response; Twitter generously accepted to shut down its OAuth service, and take the blame from its users’ base to avoid suspicions. Google, Yahoo and others offered time and resources to help solving the problem… The story is better told in Marshall Kirkpatrick’s blog.

On the other hand, the incident also showcased the difficulties in managing serious incidents for open standards. When the vulnerability was first identified and acknowledged, there were no procedures in place to alert the community and manage the issue. OAuth’s website contains a list of companies that have implemented the protocol, but this list is incomplete and does not contain contact information. Consequently, the initial alert sent by email missed numerous companies; some companies were not listed or contacts information were incorrect. Similarly there were no designated leaders to drive the community response. Fortunately Erin stepped up to the task and others followed suit.

A related issue for open standards, is the lack of enterprise vendors’ support. Traditional software vendors -Microsoft, IBM, Oracle…- do not offer commercial implementations for OAuth and do not contribute to the specification. An enterprise software architect who wants to add OAuth support, does not have many options and often ends up directly reusing the open source libraries developed by the community, even if his team misses security knowledge and training to use the libraries properly. As a result there are almost as many OAuth powered services as there are -slightly- different implementations of the protocol. This raises some valid security concerns… By contrast, an enterprise willing to support other trust protocols such as SAML and WS-Trust can rely on structured standard organizations and a variety of vendors. In case of incidents, the enterprise can also be assured that processes are in place to cope with the situation and that communication channels are properly defined.

In conclusion, because of OAuth members’ dedications, the incident of last week ended up as a great and inspiring story. However this episode also outlined some of the weaknesses and sometimes relative immaturity of open standards. OAuth clearly suffers from a lack of processes to respond to urgent situations, as well as a lack of support from recognized software vendors. Those vendors are primordial to bring legitimacy to standards protocols and to define proper governance processes in case of incidents. Until governance and maturity issues are addressed, OAuth will have trouble to prosper and get adopted beyond the Web 2.0 crowd… and enterprises should be careful, before jumping too fast on the bandwagon.



  1. […] Paperback Writer put an intriguing blog post on On OAuth vulnerability and open standardsHere’s a quick excerptTraditional software vendors -Microsoft, IBM, Oracle…- do not offer commercial implementations for OAuth and do not contribute to the… […]

    Pingback by Topics about Microsoft » On OAuth vulnerability and open standards — April 26, 2009 @ 9:41 pm | Reply

  2. […] A lot has been happening with OAuth recently. Not all of it has been good — a security hole was discovered in the protocol which exposes it to a potential “social engineering” attack. Right now would not be the best time to deploy a new API that uses OAuth — in fact, my colleague Gregory Haardt is also advising a little caution. […]

    Pingback by Brail’s Blog » Implementing OAuth — Take care with those keys! — May 1, 2009 @ 2:56 pm | Reply

RSS feed for comments on this post. TrackBack URI

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

Create a free website or blog at

%d bloggers like this: