(2009-04-25) OAuth Security Response
Marshall Kirkpatrick on how the OAuth attack was handled by the community. Twitter shut down the OAuth option for login within 30 seconds of his phone call, Hammer-Lahav says. They did it without explanation, because they were asked to keep quiet about the security problem for one week - in order for all the providers to get a chance to respond before the security problem went public and could be exploited... Within 12 hours the group discussing the problem knew there was no simple solution - it could require changes by OAuth providers and by the outside applications that consume OAuth permissions in order for everything to work again. The group of OAuth providers formed an email list to discuss the problem, and fifty people from 30 companies joined in.