WebProNews

Tag: oauth

  • Microsoft Warns of Phishing Attack ‘Targeting Hundreds of Orgs’


    Microsoft is warning of a new phishing attack that is abusing OAuth request links and “targeting hundreds of orgs.”

    OAuth is an open standard designed to allow services, apps, or websites access to an individual or organization’s information on other services, without the need to provide a password and full access.

    Unfortunately, it appears bad actors are using OAuth request links in a phishing attempt to gain access to users’ email. The bad actors are then able to set up filters to forward emails to another account, with experts warning this may be an attempt to acquire sensitive information.

    Microsoft warned about the issue on Microsoft Security Intelligence Twitter account:

    Microsoft is tracking a recent consent phishing campaign, reported by @ffforward, that abuses OAuth request links to trick users into granting consent to an app named ‘Upgrade’. The app governance feature in Microsoft Defender for Cloud Apps flagged the app’s unusual behavior.

    The phishing messages mislead users into granting the app permissions that could allow attackers to create inbox rules, read and write emails and calendar items, and read contacts. Microsoft has deactivated the app in Azure AD and has notified affected customers.

    We’re seeing the campaign targeting hundreds of orgs. Microsoft Defender for Cloud Apps, Azure AD, and Defender for Office 365 can help protect against similar attacks by blocking the OAuth consent links or flagging unusual behavior of users or cloud apps.

    — Microsoft Security Intelligence (@MsftSecIntel), January 21, 2022
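    The pattern described above (a user consents to an unfamiliar app that asks for mail permissions, and an inbox rule that forwards mail appears shortly after) is something a defender can look for in tenant audit data. The Python below is an added example, not code from the article or from Microsoft: it runs over constructed sample events with simplified, assumed field names, the allowlist and 24-hour window are assumptions, and only the app name ‘Upgrade’ comes from the tweet.

```python
"""Consent-phishing triage over constructed audit records.

Added example, not the article's or Microsoft's code. Flags the pattern the
article describes: consent to an unfamiliar app requesting mail permissions,
followed by a forwarding inbox rule for the same user. Field names are
simplified assumptions, not a real audit schema.
"""
from datetime import datetime, timedelta

MAIL_SCOPES = {"Mail.Read", "Mail.ReadWrite", "MailboxSettings.ReadWrite", "Contacts.Read"}
APPROVED_APPS = {"Microsoft Teams"}  # assumed tenant allowlist
WINDOW = timedelta(hours=24)         # rule must follow consent within this window

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"time": "2022-01-20T09:00:00", "op": "Consent to application",
     "user": "alice@corp.example", "app": "Upgrade",
     "scopes": "Mail.ReadWrite MailboxSettings.ReadWrite Contacts.Read"},
    {"time": "2022-01-20T09:07:00", "op": "New-InboxRule",
     "user": "alice@corp.example", "forward_to": "drop@external.example"},
    {"time": "2022-01-20T10:00:00", "op": "Consent to application",
     "user": "bob@corp.example", "app": "Microsoft Teams", "scopes": "User.Read"},
    {"time": "2022-01-20T10:30:00", "op": "New-InboxRule",
     "user": "bob@corp.example", "forward_to": ""},
]

def risky_consents(events):
    """Consents to non-allowlisted apps that request any mail-related scope."""
    return [e for e in events
            if e["op"] == "Consent to application"
            and e["app"] not in APPROVED_APPS
            and set(e["scopes"].split()) & MAIL_SCOPES]

def forwarding_rules(events):
    """Inbox-rule creations that set a forwarding address."""
    return [e for e in events if e["op"] == "New-InboxRule" and e.get("forward_to")]

def correlate(events):
    """Pair each risky consent with a later forwarding rule by the same user.

    Returns (user, app, forward_to) tuples, each a candidate incident.
    """
    alerts = []
    for c in risky_consents(events):
        t0 = datetime.fromisoformat(c["time"])
        for r in forwarding_rules(events):
            delta = datetime.fromisoformat(r["time"]) - t0
            if r["user"] == c["user"] and timedelta(0) <= delta <= WINDOW:
                alerts.append((c["user"], c["app"], r["forward_to"]))
    return alerts

if __name__ == "__main__":
    for user, app, dest in correlate(SAMPLE_EVENTS):
        print(f"ALERT {user}: consent to '{app}' then forwarding rule to {dest}")
```

    A consent alone is only a lead; the correlation with a forwarding rule is what turns it into something worth opening a ticket for, which is why the two checks are kept separate.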

  • Biden Taps Open Source Dev David Recordon As White House Director of Technology


    The Biden transition team has selected David Recordon as the next White House Director of Technology.

    Recordon is well-known in the open source community. He is one of the developers behind OpenID and OAuth, he has served as Engineering Director at Facebook, and he even served as the first Director of White House Information Technology under President Obama.

    Recordon made the announcement of his appointment on LinkedIn:

    I’m honored to have the opportunity to join the Biden-Harris administration’s White House senior team and am excited to both rebuild past and create new relationships with the incredible teams of career civil servants, active duty military members, and intelligence professionals who make technology work day in and day out for such an important set of missions. The pandemic and ongoing cyber security attacks present new challenges for the entire Executive Office of the President, but ones I know that these teams can conquer in a safe and secure manner together.

    Given his vast prior experience, it’s a safe bet Recordon will be well-equipped for his new role.

  • Gmail Adds Security For Yahoo & Microsoft Accounts On Android

    Last year, the Gmail Android app got a major update that finally enabled users to use third-party accounts, such as those from Yahoo and Microsoft. Now, the app has taken things a step further in the right direction by adding improved security for such accounts.

    On Wednesday, Google announced OAuth support for Yahoo and Microsoft accounts. Here’s what they had to say in a Google+ update from the Gmail team:

    We’re always working to make your Gmail app experience safer, which is why today Gmail is gaining OAuth support for all Yahoo and Microsoft accounts. OAuth adds an extra layer of protection and allows you to take advantage of security features like two-step verification and account recovery.

    Keep an eye out for it next time you’re adding an email account to your Android Gmail app. This update, along with several bug fixes and performance improvements, will be rolling out over the next few days. As always, you can download the app today on Google Play.

    The addition of third-party account support was a major plus for Gmail users who use more than one email address, whether for work or for other reasons. Increased security only makes Gmail all the more attractive to users of these Yahoo and Microsoft accounts. Again, that is especially true for those using such accounts for work.

    A little over two months ago, Gmail for Android got another significant update that included some much-needed features, such as the ability to put messages from multiple accounts (including those from Yahoo and Microsoft) together in one inbox.

    A couple weeks ago, Google opened up its new email product Inbox by Gmail to everyone who wants to give it a spin. Given that some of us aren’t huge fans of that, it’s good to see Google is still putting some effort into improving Gmail itself.


  • Google Discusses Google Drive SDK OAuth Changes

    Google recently added some new options for how OAuth requests are initiated for Google Drive apps. Google has posted a video discussing the changes and sharing some tips and tricks.

  • Twitter API Version 1.1 Brings More Regulation To Apps

    The Twitter API is everywhere these days. People are Tweeting from all corners of the Web from just about every app. It’s so popular due to its relative openness where people can use the Twitter API in different and interesting ways. Unfortunately, Twitter is putting a stop to that next year.

    Twitter announced that they are moving to version 1.1 of their API. It will be out within the next few weeks, but they want everybody to get ready for the changes now. Those changes include requiring authentication on every API endpoint, a new per-endpoint rate-limiting methodology, and most importantly, changes to the developer guidelines.

    First up is the new requirement for authentication. In the previous version of the API, applications could access information from Twitter without having to use OAuth. That presented a security risk, as malicious applications could pull information from Twitter with Twitter being none the wiser. That’s why version 1.1 of the API will require all applications to authenticate every request. For applications that already use OAuth, existing tokens will carry over to the new version.

    Next up is rate limiting, and once again it is being implemented to protect Twitter’s own resources. Currently, the rate limit is 350 API calls per hour across all endpoints. Twitter found that this single pool let a few applications abuse its resources while restricting access to the more popular endpoints. In API 1.1, the limit changes to 60 API calls per hour per endpoint. Twitter is quick to point out that applications using only one endpoint may be negatively affected, but most applications using multiple endpoints will benefit from the change.

    The biggest change in version 1.1 is the set of new responsibilities that Twitter puts on developers. Application developers are most angry about a change that turns design recommendations into a requirement. Here’s what every developer must now include in their Twitter app:

    We will require all applications that display Tweets to adhere to these. Among them: linking @usernames to the appropriate Twitter profile, displaying appropriate Tweet actions (e.g. Retweet, reply and favorite) and scaling display of Tweets appropriately based on the device. If your application displays Tweets to users, and it doesn’t adhere to our Display Requirements, we reserve the right to revoke your application key.

    The rule is obviously meant to make Twitter look consistent across all platforms and devices. It’s an admirable goal, but it does nothing to help developers. It puts undue stress on them to change their app to something that appeases only Twitter. There are multiple Twitter apps that display Tweets in ways that go against the recommended guidelines, but they’re also more unique for it. Twitter’s new requirement would punish those apps.

    The other two changes are a requirement that pre-installed Twitter applications be certified by Twitter and a requirement that developers work with Twitter directly when they need large numbers of user tokens. Both are meant to protect Twitter’s resources or brand in some way. In a way, it’s a good idea. It helps Twitter consolidate its brand. They just shouldn’t have to step all over developers to get there.

    For now, developers can keep using version 1.0 of the API. Version 1.1 will be released at some point in the near future. At that time, Twitter will announce the deprecation of version 1.0, and developers will have six months to migrate to version 1.1. People might be able to convince Twitter to stop being such spoilsports during that time.

  • Google: OAuth 2.0 Playground Gets New Features

    Google launched the super handy OAuth 2.0 Playground last December, which lets developers experiment with the OAuth 2.0 protocol and the APIs that use it. Never one to leave good enough alone, Google has added new features that turn the good into great.

    The list of new features added to the OAuth 2.0 Playground is extensive and includes many helpful tools for the developers who use it. The first change is support for the client-side flow in OAuth 2.0. You can enable it by changing the configuration from “server-side” to “client-side.”

    There is now support for newer OAuth 2.0 drafts: an access token can be sent either in an Authorization header with a Bearer prefix or as an access_token URL parameter. This change makes the Playground compatible with most APIs that support OAuth 2.0.

    Using your current access token, you can now list all available API operations. To do this, click the “Find available Request URIs” button. This brings up all operations with their associated HTTP methods and URIs.

    Whenever you request an access token in OAuth 2.0 Playground, you are given a finite number of seconds until that access token expires. You can now check a box that will automatically refresh your access token before it expires.

    Responses are shown to you as raw HTTP responses. You can click the links inside a response, however, to repopulate the “Request URI” field and set up the next operation.

    All the changes brought to OAuth 2.0 Playground are here to make your time with it easier and quicker. It’s all about optimizing your time and code. These new additions should do that swimmingly.

  • Google Introduces OAuth 2.0 Support


    Today, Google made available the spec for OAuth 2.0, an update on their original OAuth for Google APIs. OAuth, which debuted in 2007, was described as a “valet key” by Eran Hammer-Lahav. The way a valet key gives only limited access to the driver, OAuth “allows you the User to grant access to your private resources on one site (which is called the Service Provider), to another site (called Consumer, not to be confused with you, the User)…without sharing your identity at all (or its secret parts).”

    The update should allow developers to “do more with less code,” according to Andrew Wansley of the Google Development Team. “In addition to supporting a simplified protocol,” he says, “we’re also introducing a simpler, cleaner consent page for OAuth 2.0,” which looks like this:

    Wansley, a computer science student at Dartmouth, goes on to say he “hopes the OAuth 2.0 protocol helps developers deliver…powerful applications that make use of user data without compromising on safety or security.”

    The complete Google Code Blog entry is here.

  • Twitter Apps Go OAuth Today

    As of today, Twitter apps will all use OAuth for user authentication. Users will be able to use apps without them storing their password.

    "The move to OAuth will mean increased security and a better experience. Applications won’t store your username and password, and if you change your password, applications will continue to work," says Twitter’s Carolyn Penner. "With OAuth, you still individually approve each application before using it, and you can revoke access at any time."

    "In order for Twitter applications to access your account, developers have been able to choose one of two authentication methods: Basic Authentication or OAuth," says Penner. "Both require your permission, but there is an important difference. With Basic Auth, you provide your username and password for the app to access Twitter, and the application has to store and send this information over the Internet each time you use the app. With OAuth, this isn’t the case. Instead, you approve an application to access Twitter, and the application doesn’t store your password."

    A lot of Twitter users are already using apps that use OAuth. Echofon, TweetDeck, Twitterrific, Seesmic, and Twitter for Android, iPhone, and Blackberry already use it.

    Twitter users can go to the "Connections" section under settings to see which apps they’ve authorized and to revoke access if necessary. If you’re not using the latest versions of your apps, they may stop working because of the change.

  • How Open Web Developers Are Trying to Make Social Media Better for You, the User

    Last week, a new open protocol called OExchange was released with the aim of simplifying sharing. Right out of the door, it had names like Google, Microsoft, and LinkedIn signed on. WebProNews spoke with Google’s Open Web advocate, Chris Messina about how the protocol could benefit businesses and site owners.

    "There are a couple different ways to look at this as a website owner," he told us. "If you already use a sharing service like AddToAny, ShareThis, or AddThis, you might not notice much difference. However, OExchange makes it easier for those service providers to support less well-known sharing services. As such, that means that site owners may see a boost in attention from a wider audience than before."

    He said that "because this may give rise to a long-tail of sharing providers, it’s possible that content will be shared across a wider and more diverse audience than before."

    OExchange is just one of a handful of open protocols that are being harnessed to smooth out the social web and make for a more seamless user experience from site to site. Others include OpenID, OAuth, WebFinger, ActivityStrea.ms, PubSubHubbub, and Salmon.

    Google is playing a large role in the advocacy of these open protocols. Google Buzz, for example, places a great deal of emphasis on the kind of openness they provide, the kind of openness that is frankly lacking from the much more popular (at least in terms of user count) "Open" graph of Facebook – by far the largest social network.

    At Google I/O last month, WebProNews spoke with Joseph Smarr of Google’s technical staff about various open protocols and how they can help websites. He does a pretty good job of putting it into terms the non-techie can probably understand:

    "If you’re a webmaster and you’ve got a new site and you want people to check it out, you want to limit that friction as much as possible, right? You want to make it super easy for people to come and find out about who you are," says Smarr.

    "It’s going to be better for you, and it’s going to be better for your users, who are going to have a much more convenient time," he says.

    Smarr also makes an interesting point about the web in general. "The web started with the right open standards. You know, HTML and HTTP, and then anybody could just stand up a new webserver, and anybody could link to it, and that’s what allowed that incredible innovation to happen. So we basically want to get that same set of building blocks right on the social web…"

    As Messina told us upon the launch of OExchange, "the benefits of any open protocol or technology really only offer dividends when it becomes widely adopted by many providers."

    We also have an interview from Google I/O with Messina we will be posting on our Video Blog before long.

  • Gmail Opens Up To Apps With OAuth Support

    Sharing one’s password is considered a huge security sin; a recent Symantec survey made clear that telling it to even a boss or spouse is verboten.  Gmail users may be glad to hear, then, that Google has figured out a way to encourage the creation of Gmail-related apps without asking everyone to compromise on the password issue.

    A post on the Google Code Blog explained, "[I]t is more secure for the app developer to use the industry standard protocol called OAuth which enables the user to give their consent for specific access without sharing their password.  Most Google APIs support this OAuth standard, and starting today it is also available for the IMAP/SMTP feature of Gmail."

    An outfit called Syphir has already taken advantage of this feature to improve its SmartPush app for the iPhone, and you can view the result below.

    A company known as Kwaga has upgraded its desktop "smart notifier," too.

    So it looks like we’ll see a great many third-party developers make an attempt at improving Gmail thanks to this development.  And Gmail users won’t have to worry about losing their privacy every time they give something new a try.

  • Twellow Gets Twitter OAuth Support

    Our Twellow team has been working hard on getting Twellow set up to use Twitter’s OAuth system, and that support is now available on Twellow.com.

    "The Twellow OAuth upgrade is a major improvement for Twellow users," Twellow’s Lead Developer Matthew Daines says. "Not only is it much more secure, but it also increases the amount of interaction users can have with the Twitter universe from Twellow."

    "With this version of Twellow we’ve added the ability to tweet directly from Twellow, so users don’t need to switch between Twellow and Twitter for simple posting of updates," Daines adds. "In addition there are a few behind-the-scenes improvements in performance that should help as we continue to grow our database of Twitter profiles."


    Benefits include:

    – OAuth is more secure
    – OAuth provides the same access you are used to
    – You can use a different password for Twellow
    – Twitter access limits are increased with OAuth
    – Tweet directly from Twellow

    Current Twellow users can upgrade their accounts to take advantage by logging in with their Twitter screen name and password, entering a new password to be used with Twellow, clicking the "continue to Twitter" button, making sure they are logged into Twitter under the correct account, and clicking "allow".