No, RSA Conference 2016 was not snarfing up attendee Twitter passwords during its conference registration process, it insisted on Friday, though it sure did look that way, as tweeted images such as this one show:
Just registered for RSA conference. Saw this after reg. Hoping this is not asking for actual Twitter creds. pic.twitter.com/kNJLm1j03z
— Micah (@WebBreacher) January 7, 2016
The form to register for the February event was asking people to enter their Twitter credentials so that a prefabricated tweet about their attendance could be sent.
A conversation about the apparent login grab had started up on 7 January and escalated to the point where some in the security community were shaming those who entered their credentials.
So on Friday, the conference organizers’ statement clarified that they had used a “Twitter-approved API” to authenticate users – one that did, in fact, use OAuth:
RSA Conference 2016 has not and will not collect or store attendee Twitter password information during its conference registration process. The “Tweet this” functionality on our encrypted registration page uses a Twitter-approved API to authenticate users and allow them to socialize their attendance at RSAC.
Although media has speculated RSAC was not using OAuth, the API does in fact use OAuth to authenticate with Twitter. The only information RSA Conference receives is a response back from Twitter regarding the success or failure of a post.
We do understand the concern caused by asking users to input their Twitter information on our site rather than sending them to Twitter directly. To avoid further concerns, RSA Conference has turned off this API and will not be using it moving forward.
OAuth is an open standard for authorization that’s used for single sign-on (using one account to access many sites) or for giving third parties limited access to things like your Twitter, Facebook or Google account without having to hand over your password.
That enables third-party sites to do things like tweet on your behalf without ever seeing your password: you log in on the provider’s own site (here, Twitter) and the third party receives only a token it can use for the access you approved.
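As an added illustration (not code from the article, RSA Conference or Twitter), here is the first leg of the Twitter-style OAuth 1.0a flow in Python: the app signs its request-token call with its own consumer secret (the consumer key, secret and callback URL are constructed placeholders) and then redirects the user to Twitter to log in there, so the only secret the app handles is its own, never the user's password.

```python
import base64
import hashlib
import hmac
import secrets
import time
from urllib.parse import quote, urlencode

# Constructed placeholder credentials: these belong to the app, not to any user.
CONSUMER_KEY = "example-consumer-key"
CONSUMER_SECRET = "example-consumer-secret"
REQUEST_TOKEN_URL = "https://api.twitter.com/oauth/request_token"
AUTHORIZE_URL = "https://api.twitter.com/oauth/authorize"


def pct(value):
    # RFC 5849 percent-encoding: only unreserved characters are left untouched.
    return quote(str(value), safe="-._~")


def signature_base_string(method, url, params):
    # Encode every name and value, sort them, and join: METHOD&url&normalized-params.
    pairs = sorted((pct(k), pct(v)) for k, v in params.items())
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), pct(url), pct(normalized)])


def hmac_sha1_signature(base_string, consumer_secret, token_secret=""):
    # Signing key is consumer_secret&token_secret; there is no token yet at this leg.
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    digest = hmac.new(key, base_string.encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()


def build_request_token_params(callback_url, nonce=None, timestamp=None):
    # Leg 1: the app asks Twitter for a temporary request token. Every parameter
    # here is app-side data; no field carries a user's Twitter credentials.
    params = {
        "oauth_callback": callback_url,
        "oauth_consumer_key": CONSUMER_KEY,
        "oauth_nonce": nonce or secrets.token_hex(16),
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_timestamp": str(timestamp or int(time.time())),
        "oauth_version": "1.0",
    }
    base = signature_base_string("POST", REQUEST_TOKEN_URL, params)
    params["oauth_signature"] = hmac_sha1_signature(base, CONSUMER_SECRET)
    return params


def authorization_header(params):
    # The signed parameters travel in the Authorization header of the POST.
    return "OAuth " + ", ".join(f'{pct(k)}="{pct(v)}"' for k, v in sorted(params.items()))


def verify_request_token_signature(params, consumer_secret):
    # What the provider does: recompute the signature over everything except itself.
    unsigned = {k: v for k, v in params.items() if k != "oauth_signature"}
    base = signature_base_string("POST", REQUEST_TOKEN_URL, unsigned)
    expected = hmac_sha1_signature(base, consumer_secret)
    return hmac.compare_digest(expected, params["oauth_signature"])


def authorize_redirect_url(oauth_token):
    # Leg 2: the user is sent to twitter.com with the request token and logs in
    # there. The password is typed into Twitter's page, never into the app's.
    return f"{AUTHORIZE_URL}?{urlencode({'oauth_token': oauth_token})}"
```

After the user approves on Twitter, the callback carries an `oauth_verifier`, which the app exchanges for an access token with the same signing scheme; at no point does a password cross the app.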
Nevertheless, shaming ensued, with many linking to a Twitter search for the text of the canned tweet, which amounted to a list of everyone who had entered their credentials.
At least one commenter referred to the search results as a “Wall of Sheep” and “(aka people who you should not be asking infosec advice from).”
The conference has stopped using its please-connect-to-Twitter form, but not without first scolding the community for the shaming:
Some of you used this feature for its intended purpose – to meet and connect with fellow attendees – and received some negative feedback online for it. Such feedback is regrettable and against the spirit of the RSA Conference.
As the information security community, our collective job should be to help, not embarrass, one another.
As a large industry event, we can take criticism when we make a misstep and welcome that dialogue – but we hope our community will stop faulting the individuals who used a communication offering we provided.
Perhaps the organizers should simply have put a Tweet button on their site and left it at that?
Please share your thoughts in the comments section below.