Twitter is a sign-in identity provider too... And revoking access at Twitter or deleting your account does not necessarily break that delegation token...
I trust their security team made this happen. But it's not intrinsic.

If you've ever "Logged in" to a website or app with Twitter, you created an account with a secret Twitter holds on its servers. You don't sign in with your Twitter account. You sign in with an OAuth token Twitter owns.

This feature was often used for signing up for "Social Media Dashboards." I know because I did it. This means Twitter may technically have access to EVERY social account on EVERY platform for those who did it. (I never polluted streams, others def did.)

One of the highest importance things in Security is thinking as a Graph not a List. Owning Twitter doesn't get you Twitter. It gets you everything that trusts Twitter.

Article by John Lambert, one of the seniormost Microsoft people who has his hand fighting their greatest battles.
https://medium.com/@johnlatwc/defenders-mindset-319854d10aaa @johnlatw

@SwiftOnSecurity bro c'mon, this is a bit too fear-mongering-ish. Yea technically Google can access all your google-logged-in accounts too. Hell, since Google controls your email anyways, they can probably log into all of your accounts anyways. But if these identity providers started abusing those identities at scale, then they would be caught and it would be a major legal and PR nightmare for them.

@azeemba @SwiftOnSecurity

It's less about "Twitter turned evil" and more about "Twitter gets compromised".

And your point about google is very correct - Google is also an issue. So is Facebook and Github and anyone else offering that sort of proxy signon.

Your reaction should depend on your security needs. If you are a grandmother sharing knitting tips - you aren't a high value target, so maybe it slides.

If you run an enterprise - well, my recommendation is and was hardware-token MFA as a hard requirement, everywhere it can work, plus religious use of a password manager and unique passwords per site/host. I like YubiKeys, but there are other viable alternatives in case a YubiKey killed your cat or something.

Break that graph.

@tbortels
Single sign-on by a third party that you are only loosely related to.

Basically the whole OAuth process when used like this.

The point is you are outsourcing a key security functionality to a 3rd party.

The problem is now not the relative security.

The problem is that such a service provider almost always becomes a clump risk.
@azeemba @SwiftOnSecurity

@SwiftOnSecurity Ideally those authentication tokens would expire after a certain amount of time, so the service would force a new login, no?
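As an added example (not from anyone in this thread), a small Python model of two points made above: the transitive reach of a compromised identity provider across everything that trusts it, and why a delegated token held by a relying party can outlive revocation or account deletion at the provider unless it expires or the relying party re-checks with the issuer. All provider and site names, and the token lifetimes, are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed sample trust graph. An edge A -> B means "B trusts sign-ins or
# delegated tokens from A", so a compromise of A reaches B. The "dashboard" is a
# social-media dashboard that itself holds posting tokens for other platforms.
TRUST_EDGES = {
    "twitter": ["blogplatform", "dashboard"],
    "google": ["dashboard", "docs-app"],
    "dashboard": ["facebook-page", "linkedin-page", "instagram"],
}


@dataclass
class DelegatedToken:
    issuer: str                      # identity provider that minted the token
    relying_party: str               # site that stored it at sign-up
    issued_at: datetime
    lifetime: timedelta
    revoked_at_issuer: bool = False  # user revoked the app or deleted the account


def blast_radius(compromised: str, edges: dict) -> set:
    """Every node transitively reachable from a compromised provider (graph, not list)."""
    reached, stack = set(), [compromised]
    while stack:
        for nxt in edges.get(stack.pop(), []):
            if nxt not in reached:
                reached.add(nxt)
                stack.append(nxt)
    return reached


def relying_party_accepts(token: DelegatedToken, now: datetime,
                          checks_revocation: bool) -> bool:
    """Expiry is enforced locally by the relying party; revocation at the issuer is
    only noticed if the relying party re-validates the token with the issuer."""
    if now >= token.issued_at + token.lifetime:
        return False
    return not (checks_revocation and token.revoked_at_issuer)


# Constructed scenario: tokens issued a year ago, revoked at the provider since.
NOW = datetime(2023, 1, 1, tzinfo=timezone.utc)
LONG_LIVED = DelegatedToken("twitter", "dashboard", NOW - timedelta(days=365),
                            timedelta(days=3650), revoked_at_issuer=True)
SHORT_LIVED = DelegatedToken("twitter", "dashboard", NOW - timedelta(days=365),
                             timedelta(hours=1), revoked_at_issuer=True)

if __name__ == "__main__":
    print(sorted(blast_radius("twitter", TRUST_EDGES)))
    print(relying_party_accepts(LONG_LIVED, NOW, checks_revocation=False))
    print(relying_party_accepts(SHORT_LIVED, NOW, checks_revocation=False))
```

Short lifetimes or an issuer revocation check are what actually break the delegation; revoking at the provider alone leaves a long-lived token usable by whoever holds it.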