NOTE: THIS UPDATE ONLY CONCERNS THE FELLOWSHIP ONE RESTFUL API BETA OAUTH IMPLEMENTATION

Yesterday a minor security threat was discovered in the OAuth protocol. The OAuth community is aggressively working on the issue and released an advisory update on it on 4.23.2009 at 12:00 am PST. We have been in contact with them on the details of this issue. After a close look at the threat and the risks involved, we have determined that we will not suspend the use of OAuth in our API. Instead, we will immediately implement additional mechanisms to further protect against the potential attack:
- Shorten the request token lifetime
- Require every third-party application to have a registered callback
- Add warnings and details to the token authorization pages that clearly explain what the Consumer application is asking the user to grant
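The mitigations listed above, as an added example that is not Fellowship One's code and not the project's Service Provider implementation: a small in-memory model, in Python, of the request-token side of an OAuth 1.0 Service Provider. Request tokens carry an issue time and are refused once a short lifetime has passed (REQUEST_TOKEN_TTL is a constructed value); each Consumer's callback is fixed at registration, an oauth_callback offered on the authorization URL is honoured only if it equals the registered one, and the authorization page reports which application is asking and where the user will be sent afterwards. All names, URLs and the scenario in demo() are constructed for illustration. The point a practitioner should keep in mind is that these measures narrow the window in which an unexchanged request token is useful to someone other than the Consumer that obtained it; they harden the Provider around the protocol rather than change the protocol itself.

```python
import hmac
import secrets
import time
from collections import namedtuple
from dataclasses import dataclass

REQUEST_TOKEN_TTL = 300  # constructed value: a short request-token lifetime, in seconds

# registered_callback is fixed out of band and is the only URL the Provider redirects to
Consumer = namedtuple("Consumer", "key secret name registered_callback")

@dataclass
class RequestToken:
    token: str
    secret: str
    consumer_key: str
    issued_at: float
    authorized: bool = False

class ServiceProvider:
    """In-memory model of the request-token side of an OAuth 1.0 Service Provider."""
    def __init__(self, ttl=REQUEST_TOKEN_TTL, clock=time.time):
        self.ttl, self.clock = ttl, clock  # clock is injectable so expiry can be exercised
        self.consumers, self.request_tokens = {}, {}

    def register_consumer(self, key, secret, name, callback):
        if not callback.startswith("https://"):
            raise ValueError("registered callback must use https")
        self.consumers[key] = Consumer(key, secret, name, callback)

    def issue_request_token(self, consumer_key):
        if consumer_key not in self.consumers:
            raise PermissionError("unknown consumer")
        tok = RequestToken(secrets.token_urlsafe(16), secrets.token_urlsafe(24),
                           consumer_key, self.clock())
        self.request_tokens[tok.token] = tok
        return tok.token, tok.secret

    def _live(self, token):
        """The RequestToken if it exists and is inside its lifetime; raises otherwise."""
        tok = self.request_tokens.get(token)
        if tok is not None and self.clock() - tok.issued_at > self.ttl:
            del self.request_tokens[token]  # expired: drop it so it can never be used
            tok = None
        if tok is None:
            raise PermissionError("request token expired or unknown")
        return tok

    def authorization_page(self, token):
        """What the user is shown before approving: who is asking and where they go next."""
        c = self.consumers[self._live(token).consumer_key]
        return {"application": c.name, "redirects_to": c.registered_callback}

    def authorize(self, token, user_approved, supplied_callback=None):
        """The user's decision; returns the redirect URL on approval."""
        tok = self._live(token)
        c = self.consumers[tok.consumer_key]
        # An oauth_callback on the authorize URL is honoured only if it equals the
        # registered one; the Provider never redirects to an unregistered URL.
        if supplied_callback is not None and supplied_callback != c.registered_callback:
            raise PermissionError("callback does not match the registered callback")
        if not user_approved:
            del self.request_tokens[token]
            raise PermissionError("user declined")
        tok.authorized = True
        return f"{c.registered_callback}?oauth_token={token}"

    def exchange_for_access_token(self, consumer_key, token, token_secret):
        tok = self._live(token)  # an authorized request token is traded exactly once
        if tok.consumer_key != consumer_key or not tok.authorized:
            raise PermissionError("request token not exchangeable")
        if not hmac.compare_digest(tok.secret, token_secret):
            raise PermissionError("bad token secret")
        del self.request_tokens[token]
        return secrets.token_urlsafe(16), secrets.token_urlsafe(24)

def _denied(action):
    try:
        action()
    except PermissionError:
        return True
    return False

def demo():
    """Constructed walk-through: honest flow, stale token, unregistered callback."""
    now = [1_000_000.0]
    sp = ServiceProvider(clock=lambda: now[0])
    sp.register_consumer("app", "app-secret", "Example Calendar Sync",
                         "https://app.example/oauth/callback")
    t, s = sp.issue_request_token("app")
    sp.authorize(t, user_approved=True)
    honest = sp.exchange_for_access_token("app", t, s) is not None
    t, _ = sp.issue_request_token("app")
    now[0] += REQUEST_TOKEN_TTL + 1  # the user only reaches the page after the lifetime
    expired = _denied(lambda: sp.authorize(t, user_approved=True))
    t, _ = sp.issue_request_token("app")
    bad_cb = _denied(lambda: sp.authorize(t, True, "https://evil.example/grab"))
    return {"honest": honest, "expired": expired, "bad_callback": bad_cb}
```

Running demo() returns all three checks as True: the honest Consumer completes the exchange inside the lifetime, a request token that is only presented for authorization after the lifetime is refused, and an authorization URL carrying a callback other than the registered one is refused before the user is redirected anywhere. The clock is injected rather than read from time.time() so the expiry path can be exercised deterministically.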
We take all security-related issues seriously. Although the REST API OAuth implementation is currently available only in a beta environment, we want to take mitigating action now. These changes to our OAuth Service Provider implementation will be deployed soon.
We purposely chose OAuth as our primary authentication mechanism because of the security and iron-clad structure it provides. We are even more encouraged by our choice in light of the quick response and reaction from the OAuth community. Since there are thousands of developers and applications behind this protocol, there are thousands of people behind our implementation.
We would like to thank Chris Messina, Eran Hammer-Lahav, and the rest of the OAuth community for being so transparent and quick to respond and collaborate to solve this issue.
Please do not hesitate to contact us directly with any concerns or questions that you may have: api [at] fellowshiptech.com
More information: see the OAuth advisories updates.
Nick Floyd
Integration Architect