Mashery and the OAuth Advisory

April 22, 2009

A Security Advisory for OAuth 1.0 has been released, addressing a session fixation vulnerability recently discovered in the protocol.

What is the issue?

A session fixation vulnerability was discovered which affects all current OAuth implementations.

What has been done?

Immediately following the discovery of the issue, a committee was assembled with representatives from Yahoo, Google, MySpace, Twitter, Netflix, Yammer, Mashery and others to develop a coordinated response. Over the past 72 hours, we have assessed the seriousness of the issue, developed stop-gap solutions to dramatically minimize possible exploits, and written up a technical explanation of the problem.

What needs to be done?

Over the next week, the OAuth team will revise the OAuth specification to version 1.0a to address the vulnerability. This work needs to happen in the open, so a new version of the protocol has not yet been developed. Changes to the spec will be discussed on the public OAuth mailing list.

Once the revision is finalized, Mashery will work with our OAuth-enabled customers to migrate to OAuth 1.0a as quickly as possible. This includes monitoring previously deployed applications so we can identify which ones have not yet adopted OAuth 1.0a and reach out to their developers.

Information for web application developers

Please be advised that a new version of the OAuth specification will be released shortly, and that it is recommended that you update your implementation to the latest version of the spec when it is available.

OAuth library developers are also likely to update their implementations quickly, so web application developers will most likely only need to update their library dependencies.

Information for API and desktop application developers

If you accept OAuth for desktop and API applications, you should immediately inspect your system logs to ensure that all OAuth requests were securely granted. We also suggest that Request Tokens be expired in a short period of time; if your implementation is not doing that presently, consider reducing Request Token lifetimes to five minutes or less.
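The short Request Token lifetime recommended above is straightforward to enforce at the provider. The following is an added example, not code from Mashery or from any OAuth library: a minimal in-memory request-token store that issues tokens, records which user authorized them, and refuses the access-token exchange for any token that is older than five minutes, was never authorized, belongs to a different consumer, or has already been exchanged. The class and method names, the `ManualClock` used to step time in the demonstration, and the single-process dictionary store are all assumptions made for illustration; a production provider would keep the same checks but back them with a shared store.

```python
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple

# Lifetime recommended in the advisory: five minutes or less.
REQUEST_TOKEN_TTL_SECONDS = 300


@dataclass
class RequestToken:
    token: str
    secret: str
    consumer_key: str          # consumer that requested the token
    issued_at: float           # seconds since epoch, from the store's clock
    authorized_by: Optional[str] = None   # user id recorded at the authorization step
    exchanged: bool = False    # set once the token has been traded for an access token


class ManualClock:
    """Constructed clock for the worked example so expiry can be demonstrated
    without sleeping; real code passes time.time instead."""

    def __init__(self, start: float = 0.0) -> None:
        self.now = start

    def __call__(self) -> float:
        return self.now


class RequestTokenStore:
    """Hypothetical provider-side store enforcing short-lived, single-use request tokens."""

    def __init__(self, ttl: float = REQUEST_TOKEN_TTL_SECONDS,
                 clock: Callable[[], float] = time.time) -> None:
        self._ttl = ttl
        self._clock = clock
        self._tokens: Dict[str, RequestToken] = {}

    def issue(self, consumer_key: str) -> RequestToken:
        """Temporary-credentials step: mint a fresh token/secret pair for a consumer."""
        tok = RequestToken(
            token=secrets.token_urlsafe(24),
            secret=secrets.token_urlsafe(32),
            consumer_key=consumer_key,
            issued_at=self._clock(),
        )
        self._tokens[tok.token] = tok
        return tok

    def _live(self, token: str) -> Optional[RequestToken]:
        """Return the token only if it exists and is inside its lifetime; purge it otherwise."""
        tok = self._tokens.get(token)
        if tok is None:
            return None
        if self._clock() - tok.issued_at > self._ttl:
            del self._tokens[token]   # expired: drop it so it can never be used
            return None
        return tok

    def authorize(self, token: str, user_id: str) -> bool:
        """Authorization step: record the user who approved the request, once."""
        tok = self._live(token)
        if tok is None or tok.authorized_by is not None:
            return False
        tok.authorized_by = user_id
        return True

    def exchange(self, token: str, consumer_key: str) -> Optional[Tuple[str, str]]:
        """Access-token step: accept only a live, authorized, unused token presented
        by the same consumer that obtained it. Returns (access_token, secret) or None."""
        tok = self._live(token)
        if (tok is None or tok.consumer_key != consumer_key
                or tok.authorized_by is None or tok.exchanged):
            return None
        tok.exchanged = True
        del self._tokens[token]   # single use: remove it the moment it is redeemed
        return secrets.token_urlsafe(24), secrets.token_urlsafe(32)


def demo() -> Dict[str, bool]:
    """Walk through a normal flow, a stale authorization, and a replayed exchange."""
    clock = ManualClock(1_000.0)
    store = RequestTokenStore(ttl=REQUEST_TOKEN_TTL_SECONDS, clock=clock)

    fresh = store.issue("consumer-a")
    clock.now += 60                                    # user approves within a minute
    ok_authorize = store.authorize(fresh.token, "alice")
    ok_exchange = store.exchange(fresh.token, "consumer-a") is not None
    replay_rejected = store.exchange(fresh.token, "consumer-a") is None

    stale = store.issue("consumer-a")
    clock.now += REQUEST_TOKEN_TTL_SECONDS + 1         # approval arrives after the TTL
    stale_rejected = store.authorize(stale.token, "alice") is False

    return {
        "ok_authorize": ok_authorize,
        "ok_exchange": ok_exchange,
        "replay_rejected": replay_rejected,
        "stale_rejected": stale_rejected,
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

The five-minute window limits how long a token that was obtained by one party and approved by another can remain redeemable, and the single-use and same-consumer checks close the replay and cross-consumer cases. Rejected `exchange` calls are also the events worth logging, since they are what the log inspection above is looking for.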

Some OAuth providers have added additional language to their authorization screens alerting users to make sure that new OAuth requests came from the expected service or application of origin.