
I'm working up a website that, among other things, connects to Twitter through its OAuth interface. I have so far been pretty sloppy about dealing with the security of my access tokens and the like, and it's time to fix that. Thus my question -- trying to understand what's the Right Thing to do here. (Twitter is a real concern for what I'm doing, but I'm sure that dealing with Facebook and other similar services, OAuthed or not, would have similar issues.)

Looking at the site overall, it seems that I'm dealing with at least the following things that have security implications:

  • My database's name, username, and password
  • The consumer key and consumer secret for my Twitter application
  • The username, access token, and access token secret for the user that the site will use to talk to Twitter
  • For each of the site's users, their Twitter access token and access token secret

So -- what's the right thing to do with all this stuff? I could offer suggestions about what I think should happen, based on the different kinds of attacks one could imagine, but it's probably better if I just plead complete ignorance (rather than my more probable 90% ignorance?) and see if there's anything in the way of consensus or best practices out there. I'll accept flames for my security newbieism, but techniques for losing my newbie status would be more appreciated. Thanks very much!

Jim Miller
  • Looks like a dupe of http://stackoverflow.com/questions/1878830/securly-storing-openid-identifiers-and-oauth-tokens – DMCS Feb 14 '12 at 22:20
    Useful indeed; thanks for the pointer. However, the discussion is a little frustrating in that it doesn't seem to really come to a conclusion about what SHOULD be done. Do you have any advice? For instance, if I encrypt the tokens, where can I put the encryption key that doesn't open up the same kinds of holes I'm trying to plug up? – Jim Miller Feb 15 '12 at 01:45
  • This one should be closed as it is a dupe. All comments/answers should be listed under that question. This site is like a wikipedia of programming issues. Each question should only be asked once. – DMCS Feb 15 '12 at 15:56
  • @JimMiller I deleted my answer as I'm not sure it directly applied to OAuth, and this question is a duplicate. – Hope4You Dec 14 '13 at 15:33
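The following is an added example, not code from the question or from anyone in this thread, showing one layout for the four items in the question's list and answering the follow-up comment about where the encryption key can live: the database credentials, the consumer key/secret and a token-encryption key are read from the process environment (or a secret manager) at startup and never written to the repository or the database, while each user's access token and secret are stored only as an AES-256-GCM ciphertext bound to that user's id. A database dump alone therefore yields no usable tokens, and a record copied into another user's row fails authentication instead of decrypting. The environment variable names (`DB_DSN`, `TWITTER_CONSUMER_KEY`, `TWITTER_CONSUMER_SECRET`, `TOKEN_ENC_KEY`), the `sampleEnv` values and the NUL-separated plaintext layout are assumptions made for this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"strings"
)

// Config holds the secrets the question lists. They are read from the process
// environment (or a secret manager) at startup; none is committed to source
// control or written to the database. The variable names are assumptions.
type Config struct {
	DBDSN          string      // DB_DSN: database name, user and password
	ConsumerKey    string      // TWITTER_CONSUMER_KEY
	ConsumerSecret string      // TWITTER_CONSUMER_SECRET
	tokens         cipher.AEAD // AES-256-GCM under TOKEN_ENC_KEY
}

// LoadConfig takes a lookup function (os.Getenv in production, a map here) so
// the example runs offline. It refuses to start with a missing or wrong-sized
// token key rather than silently falling back to storing tokens in plaintext.
func LoadConfig(getenv func(string) string) (*Config, error) {
	key, err := base64.StdEncoding.DecodeString(getenv("TOKEN_ENC_KEY"))
	if err != nil || len(key) != 32 {
		return nil, errors.New("TOKEN_ENC_KEY must be 32 base64-encoded bytes")
	}
	block, _ := aes.NewCipher(key) // cannot fail: key length checked above
	aead, _ := cipher.NewGCM(block)
	cfg := &Config{
		DBDSN:          getenv("DB_DSN"),
		ConsumerKey:    getenv("TWITTER_CONSUMER_KEY"),
		ConsumerSecret: getenv("TWITTER_CONSUMER_SECRET"),
		tokens:         aead,
	}
	if cfg.DBDSN == "" || cfg.ConsumerKey == "" || cfg.ConsumerSecret == "" {
		return nil, errors.New("DB_DSN and Twitter consumer credentials are required")
	}
	return cfg, nil
}

// SealToken encrypts one user's access token and secret for the database. The
// user id is bound in as associated data, so a ciphertext copied into another
// user's row fails to decrypt. The result is nonce||ciphertext, base64-encoded
// so it fits an ordinary text column.
func (c *Config) SealToken(userID, accessToken, accessSecret string) (string, error) {
	nonce := make([]byte, c.tokens.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	plaintext := []byte(accessToken + "\x00" + accessSecret) // tokens never contain NUL
	sealed := c.tokens.Seal(nonce, nonce, plaintext, []byte(userID))
	return base64.StdEncoding.EncodeToString(sealed), nil
}

// OpenToken is the only place the plaintext token exists again, right before a
// request to Twitter is signed. A tampered or misplaced record yields an
// error, never a wrong token.
func (c *Config) OpenToken(userID, stored string) (string, string, error) {
	raw, err := base64.StdEncoding.DecodeString(stored)
	if err != nil || len(raw) < c.tokens.NonceSize() {
		return "", "", errors.New("malformed stored token")
	}
	nonce, ct := raw[:c.tokens.NonceSize()], raw[c.tokens.NonceSize():]
	pt, err := c.tokens.Open(nil, nonce, ct, []byte(userID))
	if err != nil {
		return "", "", fmt.Errorf("token record for %s failed authentication: %w", userID, err)
	}
	parts := strings.SplitN(string(pt), "\x00", 2)
	if len(parts) != 2 {
		return "", "", errors.New("malformed token plaintext")
	}
	return parts[0], parts[1], nil
}

// sampleEnv is a constructed environment so the example runs offline. A real
// deployment passes os.Getenv and generates TOKEN_ENC_KEY once with
// crypto/rand, outside the repository.
func sampleEnv() func(string) string {
	env := map[string]string{
		"DB_DSN":                  "app:example-db-password@tcp(db.internal)/site",
		"TWITTER_CONSUMER_KEY":    "example-consumer-key",
		"TWITTER_CONSUMER_SECRET": "example-consumer-secret",
		"TOKEN_ENC_KEY":           base64.StdEncoding.EncodeToString([]byte("0123456789abcdef0123456789abcdef")),
	}
	return func(name string) string { return env[name] }
}

func main() {
	cfg, err := LoadConfig(sampleEnv())
	if err != nil {
		panic(err)
	}
	stored, err := cfg.SealToken("user-17", "example-access-token", "example-access-secret")
	if err != nil {
		panic(err)
	}
	fmt.Println("stored in DB:", stored)
	tok, sec, err := cfg.OpenToken("user-17", stored)
	fmt.Println("decrypted for owner:", tok, sec, err)
	_, _, err = cfg.OpenToken("user-18", stored)
	fmt.Println("same record under another user:", err)
}
```

The key lives only in the running process's environment (or whatever secret manager populates it), the consumer secret is handled the same way, and the database holds ciphertext plus the user id that was used as associated data. An attacker who obtains the database alone gets nothing usable; an attacker who obtains the key alone has no tokens; only a full host compromise yields both, which is the boundary the site's other controls have to defend. Rotating the key means decrypting with the old key and re-sealing with the new one in one migration, so keeping a key version alongside each stored record is a sensible extension.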

1 Answer


Usually, OAuth tokens are pretty secure. They are very difficult to steal, and even if you steal them it is doubtful you'll be able to use them.

In any case, I would recommend using this encryption: https://github.com/offensive-security/exploit-database/blob/master/platforms/multiple/local/24923.txt

The guys at https://www.offensive-security.com/ built it so I'm guessing it's pretty tight and comprehensive.