Twitter @anywhere security hole?
I'm developing a Twitter Application on a Web-Page based on @anywhere.
I think of @anywhere as the Twitter version of the Facebook JavaScript SDK (maybe that's where I'm wrong).
Anyway, the thing goes like this.
You put "Connect With Twitter" code on your webpage, and if the user is logged in with Twitter and authorizes your application then you can do whatever you want with that.
So if @user_a is logged in with his Twitter account and visits your website, you can do some fancy stuff like showing @user_a's followers or tweeting to their account or whatever.
The problem develops like this. Suppose that @user_a is already logged in to your app, then @user_a logs out of Twitter (because it was a public computer :/) and then someone else comes and logs in to Twitter as @user_b. If @user_b goes to your @anywhere web-page, it will see everything as if @user_a is logged in! D:
Twitter says that all that is fine, because everything is based on a cookie AND you should provide a button for the person to log out of YOUR site from @anywhere. To me that sounds impractical, because if you (the user) wanted to stop using Twitter you would just sign out from the webpage and that should be all (like on Facebook); you shouldn't have to remember which sites you have already connected to Twitter, and pay them a visit to sign out from those, just to protect yourself from someone else using your account. And, to make things worse, that cookie could be easily stolen and, well, you know the rest of the story.
Am I doing something wrong? Am I thinking of the @anywhere API as something different than what it was intended to be?
@anywhere doesn't advertise itself as an SSO, so it doesn't need a single sign-off mechanism. The idea is to use @anywhere to log into other sites, at which point it becomes those sites' responsibility to handle sessions, including when to sign the user out. Just like if a user logs into site A and site B with two different passwords, it is their responsibility to sign off each site.
While @anywhere tokens that are left active can allow follow-up users, the tokens are only active for a few hours, limiting the potential damage.
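To make the answer's point concrete, here is an added example of the site-side session handling it describes; it is not code from the question, the answer, or Twitter's @anywhere library. The site keeps its own session record bound to the identity the widget reported, drops it after a period of inactivity, requires a recent authorization before sensitive actions, and offers a sign-out that clears both the site session and the provider token. The `connectedUser` shape, the two time limits, and the `fakeProvider` stand-in for the widget's cookie-backed state are assumptions made for illustration.

```javascript
// Added example, not from the question, the answer or the @anywhere library.
// Assumed site policies (not anything @anywhere prescribes):
const IDLE_LIMIT_MS = 30 * 60 * 1000; // drop the site session after 30 min idle
const FRESH_AUTH_MS = 10 * 60 * 1000; // sensitive actions need an authorization < 10 min old

// Build the site's own session record from what the widget reported.
// `connectedUser` ({ id, screenName }) is an assumed shape for illustration.
function createSession(connectedUser, now) {
  if (!connectedUser || typeof connectedUser.id !== "string") return null;
  return { userId: connectedUser.id, screenName: connectedUser.screenName, authAt: now, lastSeen: now };
}

// On every page load, decide whether the stored session may continue.
// Returns { action, session }; session is null when it must be discarded.
function handlePageLoad(session, connectedUser, now) {
  if (!session) return { action: "anonymous", session: null };
  if (now - session.lastSeen > IDLE_LIMIT_MS) return { action: "expired", session: null };
  if (!connectedUser) return { action: "disconnected", session: null };
  if (connectedUser.id !== session.userId) return { action: "identity-changed", session: null };
  return { action: "continue", session: { ...session, lastSeen: now } };
}

// Sensitive operations (tweeting, following) require a recent authorization,
// so a token left behind on a shared machine is not enough on its own.
function canPerformSensitiveAction(session, now) {
  return !!session && now - session.authAt <= FRESH_AUTH_MS;
}

// Site sign-out: clear the site session AND ask the provider to drop its token.
function signOut(providerSignOut) {
  if (typeof providerSignOut === "function") providerSignOut();
  return null;
}

// Constructed stand-in for the widget's cookie-backed state on one browser.
function fakeProvider() {
  let connected = null;
  return {
    connect(user) { connected = user; },
    current() { return connected; },
    signOut() { connected = null; },
  };
}

// Walk through the public-computer story from the question and return a log
// of what the site decided at each step.
function runScenario() {
  const MIN = 60 * 1000;
  const userA = { id: "1001", screenName: "user_a" }; // constructed sample users
  const userB = { id: "1002", screenName: "user_b" };
  const provider = fakeProvider();
  const log = [];

  provider.connect(userA);
  let session = createSession(provider.current(), 0);
  log.push(`t0 ${session.screenName} connected`);

  // Five minutes later user_a is still here: the session continues and is fresh.
  let r = handlePageLoad(session, provider.current(), 5 * MIN);
  session = r.session;
  log.push(`t5 ${r.action} sensitive=${canPerformSensitiveAction(session, 5 * MIN)}`);

  // user_a walks away without using the site's sign-out; the widget still
  // reports user_a. After 40 idle minutes the site discards the session by
  // itself, so the next visitor inherits nothing from the stale record.
  r = handlePageLoad(session, provider.current(), 45 * MIN);
  session = r.session;
  log.push(`t45 ${r.action}`);

  // Variant: the widget now reports user_b while the site session is user_a's.
  provider.connect(userB);
  r = handlePageLoad(createSession(userA, 50 * MIN), provider.current(), 51 * MIN);
  log.push(`t51 ${r.action}`);

  // A proper sign-out from the site clears both sides.
  session = signOut(provider.signOut);
  log.push(`t52 site=${session} provider=${provider.current()}`);
  return log;
}
```

The important design choice is that the site never treats the widget's cookie as its session: the cookie only says who the widget thinks is connected, while `handlePageLoad` and `canPerformSensitiveAction` enforce the site's own lifetime and freshness rules, which is what limits the damage when a user leaves a shared machine without signing out.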