Twitter Turns to OAuth for Application Authentication

Twitter has migrated to OAuth for authentication, meaning third-party apps will no longer have to store and send user credentials over the Internet when the application is used.

Twitter has completed its move to OAuth for authentication for all third-party applications.

OAuth allows people to use applications without them storing their passwords. In the past, Twitter officials explained in a blog post, developers have been able to choose between basic authentication and OAuth to enable Twitter applications to access user accounts. Both methods require the user's permission, but with basic authentication, users must provide their password and username for the application to access Twitter and the program has to store and send the data over the Internet each time the application is used.

"With OAuth, you still individually approve each application before using it, and you can revoke access at any time," according to Twitter. "To see which applications you have authorized or to revoke access, just go to the Connections section under Settings."

"One thing to note-to continue to use your favorite applications, you should make sure you are running the latest version of the app," the company continued. "Otherwise, you may soon find that it doesn't work anymore."

The plan to change from basic authentication to OAuth has been known for several months, as Twitter announced in December it would migrate to OAuth and stop supporting basic authentication. Attackers, however, appear to be trying to capitalize on the change, and were observed today pushing a fake TweetDeck via hacked Twitter accounts. The update is actually a Trojan.

"The bogus TweetDeck updates are taking advantage of some of the confusion surrounding Twitter's switch to using only OAuth for third-party applications," said Richard Wang, manager of SophosLabs US. "Users of TweetDeck and any other tools should be wary of unverified and anonymous links and only obtain updated software from the application's own download site."

The real version of TweetDeck is already using OAuth, as are applications such as Seesmic, Twitterrific and Echofon.

To Wang, OAuth is key to the safe use of services like Twitter because it keeps log-in and password details encrypted when accessing services using third-party tools.

"Without OAuth it would be very easy for anyone monitoring your network traffic to steal your log-in and password details and take control of your Twitter account," he said.