Solving a Twitter OAuth and Incorrect Signatures Mystery

1259144934000 » Tagged as: security , twitter

If you see a Twitter or Facebook app that asks for your username and password you should run a mile. Admittedly OAuth is not anymore secure than CHAP authentication but there is a crucial difference; most people use the same username/password (or at least the same password ) on multiple websites, email addresses, memory cards and what have you. By necessity when a web app saves your password for Twitter or Facebook or any other site, it has to be encrypted with a symmetric key, which means the plain text version can be easily obtained.

Users don't need any special effort for Oauth but developers do. Writing an application that uses OAuth instead of passwords is supposed to take just a wee bit more effort, (but all seasoned programmers know what exactly that means).

One of the issues we ran into was caused by Twitter returning an 'Incorrect signature' error for List Delete member api calls. The signature was being generated using the TwitterOauthLib. The signature was correct. It worked fine for all other methods excepts for DELETE calls. If you passed in the same parameters to a different Oauth library, you would get the exact same signature so are we seeing a bug in the twitter API?  You might also suspect that this is because the underlying HTTP client library didn't support the DELETE HTTP method. In this case it's curl and the DELETE method is supported. Nevertheless I tried using an HTTP POST while sending the _method=DELETE parameter as suggested by the Twitter API documentation with out any luck.

On further investigation I found that all the parameters were being posted for both DELETE and POST requests. RFC 2616 doesn't specify how you should pass parameters (request body or query string) for DELETE requests. I decided to change the TwitterOauth code to include the parameters as query strings (get the patch). Sure enough twitter accepted the request without the incorrect signature error.  The modified code now looks like this:

comments powered by Disqus