No, RSA Conference 2016 was not snarfing up attendee Twitter passwords during the conference registration process, it insisted on Friday, though it sure did look that way, as tweeted images such as this one show:
Just registered for RSA conference. Saw this after reg. Hoping this is not asking for actual Twitter creds. pic.twitter.com/kNJLm1j03z
— Micah (@WebBreacher) January 7, 2016
The form to register for the February event was asking people to enter their Twitter credentials so that a prefabricated tweet about their attendance could be sent.
A conversation about the apparent login grab had started up on 7 January and escalated to the point where some in the security community were shaming those who entered their credentials.
So on Friday, the conference organizers’ statement clarified that they had used a “Twitter-approved API” to authenticate users – one that did, in fact, use OAuth:
RSA Conference 2016 has not and will not collect or store attendee Twitter password information during its conference registration process. The “Tweet this” functionality on our encrypted registration page uses a Twitter-approved API to authenticate users and allow them to socialize their attendance at RSAC.
Although media has speculated RSAC was not using OAuth, the API does in fact use OAuth to authenticate with Twitter. The only information RSA Conference receives is a response back from Twitter regarding the success or failure of a post.
We do understand the concern caused by asking users to input their Twitter information on our site rather than sending them to Twitter directly. To avoid further concerns, RSA Conference has turned off this API and will not be using it moving forward.
OAuth is an open standard for authorization that’s used for single sign-on (using one account to access many sites) or for giving third parties limited access to things like your Twitter, Facebook or Google account without having to hand over your password.
That enables the third-party sites to do things like tweet on your behalf, without sharing your password: you type the password only on the provider’s own login page (twitter.com, in this case), and the third party gets back a token it can use for the permitted actions.
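For reference, this is what the client side of that flow looks like in code. It is an added example in Python, not code from the conference site or from Twitter: it implements the OAuth 1.0a signing and authorize-redirect steps Twitter’s API used at the time, with constructed placeholder keys, and the only secrets the client ever handles are its own consumer secret and a per-user token secret.

```python
"""Client side of OAuth 1.0a (the scheme Twitter's API used in 2016).  The client
signs its requests with its consumer secret plus a per-user token secret; the
user's Twitter password is typed only on twitter.com and never appears in anything
the client sends.  Keys and tokens used with this code are constructed placeholders."""
import base64, hashlib, hmac, secrets, time
from urllib.parse import quote, urlencode

TWITTER = "https://api.twitter.com"   # real host of the /oauth/* endpoints

def percent_encode(value) -> str:
    # RFC 5849 section 3.6: only ALPHA, DIGIT, '-', '.', '_', '~' stay literal.
    return quote(str(value), safe="-._~")

def signature_base_string(method: str, url: str, params: dict) -> str:
    # RFC 5849 section 3.4.1: METHOD & encoded(URL) & encoded(sorted "k=v" pairs).
    pairs = sorted((percent_encode(k), percent_encode(v)) for k, v in params.items())
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join(percent_encode(p) for p in (method.upper(), url, normalized))

def sign(method: str, url: str, params: dict,
         consumer_secret: str, token_secret: str = "") -> str:
    # HMAC-SHA1 keyed with "consumer_secret&token_secret".  token_secret is empty
    # for the first call (POST /oauth/request_token), before any user is involved.
    key = f"{percent_encode(consumer_secret)}&{percent_encode(token_secret)}".encode()
    base = signature_base_string(method, url, params).encode()
    return base64.b64encode(hmac.new(key, base, hashlib.sha1).digest()).decode()

def oauth_params(consumer_key: str, token: str = "", callback: str = "") -> dict:
    # The oauth_* protocol parameters every signed call carries (no password field).
    p = {"oauth_consumer_key": consumer_key,
         "oauth_nonce": secrets.token_hex(16),
         "oauth_signature_method": "HMAC-SHA1",
         "oauth_timestamp": str(int(time.time())),
         "oauth_version": "1.0"}
    if token:
        p["oauth_token"] = token        # request token, later the access token
    if callback:
        p["oauth_callback"] = callback  # step 1 only: where Twitter sends the user back
    return p

def authorize_url(request_token: str) -> str:
    # Step 2: the browser is redirected to twitter.com.  The user logs in there,
    # and the client only receives oauth_token and oauth_verifier on its callback.
    return f"{TWITTER}/oauth/authorize?" + urlencode({"oauth_token": request_token})
```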
Nevertheless, shaming ensued, including many who linked to a Twitter search for the text from the canned tweet and thus a list of those who entered their credentials.
At least one commenter referred to the search results as a “Wall of Sheep” and “(aka people who you should not be asking infosec advice from).”
The conference has stopped using its please-connect-to-Twitter form, but not without first scolding the community for the shaming:
Some of you used this feature for its intended purpose – to meet and connect with fellow attendees – and received some negative feedback online for it. Such feedback is regrettable and against the spirit of the RSA Conference.
As the information security community, our collective job should be to help, not embarrass, one another.
As a large industry event, we can take criticism when we make a misstep and welcome that dialogue – but we hope our community will stop faulting the individuals who used a communication offering we provided.
Perhaps the organizers should simply have put a Tweet button on their site and left it at that?
Please share your thoughts in the comments section below.
Anonymous
Could you imagine Black Hat doing the same thing?
Rocas
Actually I could imagine that happening. One just hopes the calibre of those attending is much higher than the majority of those attending RSA.
jilkka
Everyone jumps to shame and flame way too quickly. Especially amongst people who call themselves “professionals” but don’t act like it online.
David
I’m not so sure about the accuracy of RSA’s response. The typical OAuth workflow involves a redirection to Twitter.com’s authentication and this would be the first time I’ve seen that redirection getting hijacked with a third party’s look and feel. I’m not saying it’s not possible. But, if it is (as an option offered by Twitter), you almost never see that option get exercised. As a test, click the Twitter button at the top of this article while your browser is not logged into Twitter. You’ll see the typical redirection.
Rocas
In the past I’ve used this Twitter API, as I’m sure many of those referenced in this article did too. I don’t see any harm in it; in fact websites like OpenMedia & RSA, among others, use this. It’s up to Twitter to police their own APIs, and I would consider adding those security researchers to the Wall of Sheep who lack the skill and technical understanding of being able to do some sleuthing to find out what is going on.
To me this hysteria reminds me of Angela the Talking Cat, and points to a pollution in the ranks of security researchers. Too many people are wannabes but don’t have the knowledge, skillset or motivation to actually do the grunt work required to be a bona fide researcher.
Alan G
Could the attendee tell where the credentials were going? I saw one of the screenshots but it didn’t have the whole browser, so it was hard to tell how phishy it was.
If the user can’t tell what is happening with the credentials (and it’s hard to think of a good way to do that), that is an utterly useless feature. No way would I enter my credentials, nor would I ask my users to enter theirs.
Mark Stockley
You’d have to look at the form element’s action attribute (view source). It’s not difficult, but if you find yourself having to do it to make sense of things, sack the UX designer.
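Alan G asks whether an attendee could tell where the credentials were going, and Mark Stockley’s answer (read the form’s action attribute) can be automated. The Python below is an added example, not code from the article, its commenters or the conference site: it scans a page for forms that contain a password field and reports which host each one posts to; the sample HTML is constructed and the list of hosts allowed to see a Twitter password is an assumption.

```python
"""Where does a password field actually post to?  Finds every <form> with a
password input, resolves its action against the page URL and classifies the
destination.  The sample page is constructed for this example."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Assumption: only the identity provider's own domain should ever see the password.
PROVIDER_HOSTS = {"twitter.com"}

class _FormScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.forms, self._cur = [], None
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._cur = {"action": a.get("action") or "", "password": False}
        elif tag == "input" and self._cur is not None \
                and (a.get("type") or "").lower() == "password":
            self._cur["password"] = True
    def handle_endtag(self, tag):
        if tag == "form" and self._cur is not None:
            self.forms.append(self._cur)
            self._cur = None

def credential_forms(html: str, page_url: str) -> list:
    """Return (resolved action URL, verdict) for each form that collects a password."""
    scanner = _FormScanner()
    scanner.feed(html)
    results = []
    for form in scanner.forms:
        if not form["password"]:
            continue                          # no password collected: not our concern
        action = urljoin(page_url, form["action"])   # empty action posts to the page itself
        parts = urlsplit(action)
        host = parts.hostname or ""
        if parts.scheme != "https":
            verdict = "cleartext"             # password would leave the browser unencrypted
        elif any(host == h or host.endswith("." + h) for h in PROVIDER_HOSTS):
            verdict = "provider_login"        # goes to the provider, as an OAuth redirect would
        else:
            verdict = "third_party_credential_form"   # the site itself receives the password
        results.append((action, verdict))
    return results

# Constructed sample: a "Tweet this" form posting Twitter credentials to the site
# itself, next to a harmless newsletter form with no password field.
SAMPLE_PAGE = """<html><body>
<form id="tweet-this" method="post" action="/registration/tweet">
  <input name="twitter_user"><input type="password" name="twitter_pass">
</form>
<form id="newsletter" method="post" action="/subscribe"><input name="email"></form>
</body></html>"""
```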