Understanding OAuth: What Happens When You Log In

Logging into another site with your Google, Twitter or Facebook account isn’t just convenient: it’s more secure than creating yet another account, and far more secure than typing your Google, Twitter or Facebook password into a third-party site. That’s what OAuth is for. Here’s how it works and how it keeps your password out of third-party hands.

Yesterday, a Twitter app called Tweetgif was hacked, releasing user information for 10,000 Twitter accounts to the public. However, no Twitter passwords were compromised, because Tweetgif used something called OAuth. If you’ve ever logged into a third-party website with your Google, Facebook or Twitter account by granting the app permission to that account, then whether you knew it or not, you’ve used OAuth, and it’s a sensible way to hand out limited permissions.

How OAuth Works

Let’s say you want to use an app like Tweetgif to post funny, animated GIF files to your Twitter account. To do that, you need to give Tweetgif access to your account so it can read your profile and post tweets on your behalf. In the old days, you would have to give an app like Tweetgif your Twitter username and password so it could log in as you. You not only had to trust it to use those credentials wisely, but also to keep them safe from attackers: a pretty big leap of faith. It’s like giving your house keys to a stranger and trusting them not to make copies for all their friends and steal all of your stuff.

OAuth gets around this problem by giving the app access only to the things you choose to share. Instead of asking you for your password, this happens:

  1. Before it can act as a Twitter app at all, Tweetgif registers with Twitter and receives two credentials: a “Consumer Key” and a “Consumer Secret”. These identify the consumer (in this case, Tweetgif) to the service provider (in this case, Twitter), and let Twitter cut off a misbehaving app entirely. They say nothing about you yet.
  2. When you visit Tweetgif and ask it to connect to your Twitter account, it sends you over to Twitter (Twitter’s API uses OAuth 1.0a, which has the app first fetch a temporary “request token” and pass it along with you). If you aren’t logged in to Twitter, you log in now. Remember, you’re giving your username and password to Twitter itself, not to Tweetgif.
  3. Twitter then asks whether you want to authorise this app and lists the permissions it would get. Maybe it can view your timeline, or maybe it can view your timeline and post on your behalf. In some cases, you may only be giving it your username and avatar. When you click the “Authorize” button, Twitter sends you back to Tweetgif and issues it an “Access Token” and an “Access Token Secret”. These work like a password, but only for your account, only for this app, and only for the things you’ve allowed it to do.

Thus, instead of handing over the keys to your entire house, you’ve given out a special key that only opens the one room you want them to use. And that key was issued by a guard who checks it at the door every time, and who can cancel it at any moment.

So Should You Use OAuth?

So why is this better than handing over your Twitter credentials? Obviously, it limits what a third-party app can do, but more importantly, it means that even if the app is hacked, as Tweetgif was yesterday, your Twitter password isn’t in the stolen data. Whoever has the leaked tokens can still do whatever you let Tweetgif do: post on your behalf, follow people and so on. The fix is a single step: go to your Twitter settings and revoke that app’s access. The stolen tokens stop working immediately and your account is back under your control, without you having to change your password.
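As an added example, not code from the original article nor from Tweetgif or Twitter, here is a toy OAuth 1.0a three-legged flow in Python that covers the three steps under “How OAuth Works” and the hacked-app scenario just described. The signature base string and HMAC-SHA1 signing follow RFC 5849; everything else (the in-memory Provider, the user “alice” and her password, the consumer app, the endpoint URL and all keys) is constructed for the example.

```python
"""Toy OAuth 1.0a (RFC 5849) flow, constructed for illustration only: the consumer app
("Tweetgif") obtains a scoped, revocable access token from the provider ("Twitter")
without ever seeing the user's password, then signs each API call with HMAC-SHA1."""
import base64, hashlib, hmac, secrets, time
from urllib.parse import quote


def pct(value):  # RFC 3986 percent-encoding as OAuth requires (only unreserved chars kept)
    return quote(str(value), safe="~")


def signature_base_string(method, url, params):
    """RFC 5849 3.4.1; `params` is a (key, value) list of query, body and oauth_* fields
    (never oauth_signature itself). Duplicate keys sort by value."""
    pairs = sorted((pct(k), pct(v)) for k, v in params)
    return "&".join([method.upper(), pct(url), pct("&".join(f"{k}={v}" for k, v in pairs))])


def hmac_sha1_signature(method, url, params, consumer_secret, token_secret=""):
    """RFC 5849 3.4.2: HMAC-SHA1 keyed with enc(consumer secret)&enc(token secret)."""
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    mac = hmac.new(key, signature_base_string(method, url, params).encode(), hashlib.sha1)
    return base64.b64encode(mac.digest()).decode()


class Provider:
    """Service provider: sole holder of passwords, issuer of keys and scoped tokens."""
    def __init__(self):
        self.consumers, self.request_tokens, self.access_tokens = {}, {}, {}
        self.users = {"alice": "correct horse battery staple"}  # constructed user
    def register_consumer(self):  # step 1: the app gets its Consumer Key and Secret
        key, secret = secrets.token_hex(8), secrets.token_hex(16)
        self.consumers[key] = secret
        return key, secret
    def request_token(self, consumer_key):  # step 2: temporary token before the redirect
        token, secret = secrets.token_hex(8), secrets.token_hex(16)
        self.request_tokens[token] = {"secret": secret, "consumer": consumer_key}
        return token, secret
    def authorize(self, request_token, username, password, scopes):
        """Steps 2-3: the user logs in *here* (never at the app) and approves scopes;
        returns the verifier that the redirect carries back to the app."""
        if not hmac.compare_digest(self.users.get(username, ""), password):
            raise PermissionError("bad login")
        st = self.request_tokens[request_token]
        st.update(user=username, scopes=frozenset(scopes), verifier=secrets.token_hex(4))
        return st["verifier"]
    def access_token(self, request_token, verifier):
        """Step 3: the app trades request token + verifier for Access Token and Secret."""
        st = self.request_tokens.pop(request_token)
        if not hmac.compare_digest(st.get("verifier", ""), verifier):
            raise PermissionError("bad verifier")
        token, secret = secrets.token_hex(8), secrets.token_hex(16)
        self.access_tokens[token] = dict(st, secret=secret)
        return token, secret
    def revoke(self, access_token):  # what "Revoke access" in the user's settings does
        self.access_tokens.pop(access_token, None)
    def verify(self, method, url, params, required_scope):
        """Validate a signed API call; returns (accepted, reason)."""
        p = dict(params)
        tok = self.access_tokens.get(p.get("oauth_token"))
        if tok is None or tok["consumer"] != p.get("oauth_consumer_key"):
            return False, "unknown, revoked or mismatched token"
        unsigned = [(k, v) for k, v in params if k != "oauth_signature"]
        expected = hmac_sha1_signature(method, url, unsigned,
                                       self.consumers[tok["consumer"]], tok["secret"])
        if not hmac.compare_digest(expected, p.get("oauth_signature", "")):
            return False, "bad signature"
        if required_scope not in tok["scopes"]:
            return False, f"token lacks scope {required_scope}"
        return True, f"ok as {tok['user']}"


def signed_request(method, url, body, ck, cs, token, token_secret):
    """What the app (or whoever stole its database) sends; the password is never an input."""
    params = list(body) + [("oauth_consumer_key", ck), ("oauth_token", token),
                           ("oauth_signature_method", "HMAC-SHA1"), ("oauth_version", "1.0"),
                           ("oauth_timestamp", str(int(time.time()))),
                           ("oauth_nonce", secrets.token_hex(8))]
    return params + [("oauth_signature", hmac_sha1_signature(method, url, params, cs, token_secret))]


def demo():
    """Full flow plus the failure modes the article describes; returns the verdicts."""
    twitter, url = Provider(), "https://api.example/statuses/update"  # made-up endpoint
    pw, (ck, cs) = "correct horse battery staple", twitter.register_consumer()
    def grant(scopes):  # legs 1-3 for alice, who types her password only at `twitter`
        rt, _ = twitter.request_token(ck)
        return twitter.access_token(rt, twitter.authorize(rt, "alice", pw, scopes))
    def post(status, tok, sec):
        return signed_request("POST", url, [("status", status)], ck, cs, tok, sec)
    at, ats = grant(["read", "write"])
    r = {"legit_post": twitter.verify("POST", url, post("cat gif", at, ats), "write")}
    tampered = [(k, "spam" if k == "status" else v) for k, v in post("hi", at, ats)]
    r["tampered"] = twitter.verify("POST", url, tampered, "write")  # body altered after signing
    # Attacker dumped the app's database: has ck, cs, at, ats, but not alice's password.
    r["stolen_before_revoke"] = twitter.verify("POST", url, post("pwned", at, ats), "write")
    twitter.revoke(at)  # alice clicks "Revoke access"; her password is unchanged
    r["stolen_after_revoke"] = twitter.verify("POST", url, post("pwned", at, ats), "write")
    at2, ats2 = grant(["read"])  # read-only grant: signature valid, scope insufficient
    r["read_only_posting"] = twitter.verify("POST", url, post("x", at2, ats2), "write")
    return r
```

Calling `demo()` shows the whole story in one run: a properly signed post is accepted; a request whose body was changed after signing fails the signature check; an attacker holding everything from the app’s database can post until the user revokes the token, after which the same credentials are refused; and a token granted only “read” cannot post even with a perfect signature, which is the one-room key from the analogy above. A production provider would additionally reject stale `oauth_timestamp` values and reused `oauth_nonce` values to stop replays; that bookkeeping is left out here to keep the flow readable.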

The big downside of this trend is that some sites let you log in with Facebook or Twitter and then ask for permission to post to your profile even when nothing about the site requires it. Some won’t let you create a plain account at all; you have to log in with Facebook or Twitter. That’s convenient, since there’s no new account to set up, but the site then posts to your profile about what you’re doing there. Similarly, Google doesn’t really tell you what permissions you are giving away when you use OAuth. To avoid problems, read the privacy policy of every app you link, and pay attention to the permissions each one is granted. If an app asks for something you don’t want to give it, don’t use it, or look for a setting that turns that “feature” off. And, as always, prune your authorised apps regularly so you don’t run into trouble: if you haven’t used one in a while, you’re better off revoking it completely.