If you’ve ever had someone gain unauthorized access to your online accounts, you know how frustrating it is. Not only do you have to reset your password for that account, you also have to reset all the other accounts that use the same password (even though you’ve been told a million times not to do that).
To solve this problem, Twitter, Facebook, LinkedIn, Gmail, Google Analytics, Google Apps, and many others use OAuth to allow users to keep their passwords and core account information away from applications built for those platforms. OAuth describes it in this way (I also wrote a more in-depth post about OAuth on my own blog):
“Many luxury cars today come with a valet key. It is a special key you give the parking attendant and unlike your regular key, will not allow the car to drive more than a mile or two. Some valet keys will not open the trunk, while others will block access to your onboard cell phone address book. Regardless of what restrictions the valet key imposes, the idea is very clever. You give someone limited access to your car with a special key, while using your regular key to unlock everything.”
For sites like Twitter, using OAuth means that applications like Tweetdeck can connect to your account and access a wide range of options but cannot change your username, password, email address or phone number. Once connected to your Twitter account via OAuth, Tweetdeck can do many things (tweet, re-tweet, @ reply, DM, search, etc.) — but it can’t change important account settings. Tweetdeck never gets your Twitter password.
For the majority of us, this is a great setup. We keep our password secure by not sharing it with every app that needs access, and we can change our password and not have to reauthorize every app that we use.
The Backdoor is Open
But those of us who have our accounts broken into aren’t as lucky. Changing your password may not be enough after a break-in. The benefit of OAuth becomes a hidden-in-plain-sight back door into your account if the attacker attached any app to your account. While your core information is secure, and the password you have set up is no longer known to the attacker, your account can still have its status updated, posts deleted, and direct messages read, sent or deleted via these authorized applications.
Get it? Because you’ve changed your password, the attacker can’t access your account directly anymore, but — if they’ve attached apps to your account — they may still be able to access your account via those authorized apps. Crazy, right?!
This is extremely important for companies and brands: brand image can be deeply affected by accidental tweets from authorized users, and damaged even more by intentional tweets from unauthorized users.
What to Do
If you’re changing your password due to a break-in, you should also revoke the access of all apps that are connected to your account. Below is a list of commonly used sites that use OAuth for application access to the service. The link is to the OAuth listing for each of the sites.
- Google Accounts (this is for all Google services)
Even if you don’t think your account has been accessed, it’s a good idea to check your accounts on a regular basis and revoke access to any apps that you no longer use, or don’t recognize. Ever seen weird status updates on your friends’ Facebook pages? Often, their account has been breached because they unwittingly gave access to a shady application. While Facebook tries to police this kind of thing, the best defense is a good offense.
- OAuth is awesome!
- Check your accounts regularly and prune applications to prevent account breaches.
- If your account has been broken into, change your password and revoke access to applications. Then, go back and re-authorize apps that you want to use.
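The failure mode described under “The Backdoor is Open” and the fix under “What to Do”, as an added example that is not part of the original post: a toy Python model in which app tokens are stored separately from the password. The `Account` class, its method names and the app name `unknown-app` are hypothetical and do not correspond to any real service's API.

```python
import hashlib, hmac, secrets

def _kdf(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class Account:
    """Toy model of a service account; names are hypothetical, not any real API."""
    def __init__(self, password):
        self.salt = secrets.token_bytes(16)
        self.pw_hash = _kdf(password, self.salt)
        self.grants = {}                      # token -> app name

    def login(self, password):
        return hmac.compare_digest(self.pw_hash, _kdf(password, self.salt))

    def authorize_app(self, app):
        # The app receives a token, never the password.
        token = secrets.token_hex(16)
        self.grants[token] = app
        return token

    def change_password(self, new_password):
        # Only the password credential changes; existing grants are untouched.
        self.pw_hash = _kdf(new_password, self.salt)

    def token_valid(self, token):
        return token in self.grants

    def unrecognized_apps(self, known_apps):
        # Routine audit: connected apps the owner does not recognize.
        return sorted({a for a in self.grants.values() if a not in known_apps})

    def revoke_all(self):
        self.grants.clear()

def demo():
    acct = Account("old-password")
    acct.authorize_app("Tweetdeck")
    rogue = acct.authorize_app("unknown-app")     # constructed: attached during the break-in
    acct.change_password("new-password")
    out = {"old_password_works": acct.login("old-password"),
           "rogue_token_after_reset": acct.token_valid(rogue),
           "unrecognized": acct.unrecognized_apps({"Tweetdeck"})}
    acct.revoke_all()                             # the extra step the post recommends
    fresh = acct.authorize_app("Tweetdeck")       # re-authorize what you still use
    out["rogue_token_after_revoke"] = acct.token_valid(rogue)
    out["fresh_token_valid"] = acct.token_valid(fresh)
    return out

if __name__ == "__main__":
    print(demo())
```

The old password stops working as soon as it is changed, but the token issued during the break-in stays valid until the grants themselves are revoked.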