The SocialToo Blog

July 22, 2009

May 2, 2009

Launching Our First Efforts at OAuth Integration

Filed under: Announcements — Jesse Stay @ 11:34 am

Did you forget your password? In an attempt to test Twitter’s OAuth integration, we’ve made a very small move forward to integrate OAuth into SocialToo’s infrastructure. Starting today, those who forget their passwords can simply click a “login to Twitter” button, which will send the user to Twitter.com to log in and approve SocialToo. The user will then be redirected back to SocialToo where they can reset their password if their login was successful. We never see your Twitter password, and your data remains secure. Go to http://socialtoo.com/forgot to give it a try.

For those unaware, OAuth is a standard used by many sites like Google, Yahoo, and now Twitter to enable sites that need your information to not have to store your private usernames and passwords anywhere. In addition, it allows sites like Google, Yahoo, and Twitter to immediately turn off applications which might be misusing your data, making for a much more secure system.
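The reset flow described above, as an added example that is not SocialToo’s code: the Twitter side is replaced by an in-memory stand-in (no request signing or HTTP), so the part shown is the relying party’s job of binding the request token to the browser session, checking that the callback returns that same token, and only then letting the linked account reset its password. The `FakeProvider` class, the `ACCOUNTS` table and the user ids are constructed for the example.

```python
import secrets

class FakeProvider:
    """Stand-in for the OAuth provider (Twitter); signing and HTTP are omitted."""
    def __init__(self):
        self.tokens = {}  # request token -> None (unapproved) or (verifier, user_id)

    def request_token(self):
        tok = secrets.token_hex(8)
        self.tokens[tok] = None
        return tok

    def approve(self, tok, user_id):
        # The user logs in at the provider and approves the app; the provider
        # issues a verifier that is handed back to the app's callback.
        ver = secrets.token_hex(8)
        self.tokens[tok] = (ver, user_id)
        return ver

    def exchange(self, tok, verifier):
        # Access-token step: a request token can be exchanged exactly once.
        rec = self.tokens.pop(tok, None)
        if rec is None or not secrets.compare_digest(rec[0], verifier):
            raise PermissionError("bad or unapproved request token")
        return rec[1]

# Relying party: accounts keyed by the provider's user id; the password is separate.
ACCOUNTS = {"tw-1001": {"login": "alice", "pw_hash": "<old-hash>"}}  # constructed

def start_reset(provider, session):
    """Step 1: obtain a request token, tie it to this session, redirect the user."""
    tok = provider.request_token()
    session["oauth_request_token"] = tok
    return f"https://provider.example/oauth/authorize?oauth_token={tok}"

def finish_reset(provider, session, oauth_token, oauth_verifier):
    """Step 2 (callback): returns the login allowed to reset, or None if refused."""
    expected = session.pop("oauth_request_token", None)
    # Refuse a callback carrying a token this session never started with
    # (a token from another browser, or a replay after the first use).
    if expected is None or not secrets.compare_digest(expected, oauth_token):
        return None
    try:
        user_id = provider.exchange(oauth_token, oauth_verifier)
    except PermissionError:
        return None
    acct = ACCOUNTS.get(user_id)
    if acct is None:          # approved at the provider, but no account here
        return None
    session["reset_allowed_for"] = acct["login"]
    return acct["login"]
```

Only after `finish_reset` returns a login should the reset form be shown, and the new password must be stored under that login rather than under anything the callback URL supplied.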

We’re currently only testing this with our Forgot password form because Twitter has openly admitted there are still many flaws and the software is still in beta on their end. Once they’ve confirmed it’s stable enough for production code we will begin rolling this out throughout all of SocialToo, continuing our pledge to your security and privacy.

With this roll-out, we are now able to begin testing and preparing for a full OAuth launch on SocialToo. In addition, we will be able to give back to the community, as Perl support and examples for OAuth with Twitter are fairly lacking at the moment. Since we’ve figured this out, expect some howtos for Perl developers and, as I have time, perhaps some libraries other Perl developers can use to connect to Twitter via OAuth. Because of their technical nature I’ll be posting those over on my blog when they are ready.

This one small step is a large step for SocialToo, enabling us to prepare for something much bigger down the road. We’re excited to put control back in your hands so we no longer have to store your passwords. As always, stay tuned here and we’ll let you know when that happens. Also, since this is beta, please let us know via our @socialtoo account on Twitter if you see any problems.

January 9, 2009

SocialToo.com Values Your Security!

Filed under: Security — Jesse Stay @ 4:26 pm

One of the most frequent questions we’ve had recently is regarding the security of SocialToo: if you store your password with us, will it remain secure? As you may already know, various phishing attacks have made their way around Twitter recently, and have put the issue of password security, in particular around third-party apps, at the top of everyone’s minds. As always, we continue to recommend you be careful who you share your password with, always check the URL of the site you are entering your password on, and change your passwords frequently. Another good rule of thumb is to not use the same password on less-secure websites like Twitter as you would on a more secure website such as your bank.

While Twitter has not pointed the finger at any third party apps for these phishing attacks and hacks, they have made known that the issue is specifically related to a hosting provider that we at SocialToo.com are not using (We use Amazon EC2 services for all our servers).  Regardless, we do take your security seriously.  Here are some of the things we are doing to ensure you are in the most secure environment possible:

Frequent Database Reviews

At SocialToo, we review your data frequently, while maintaining your anonymity. We are doing our best to monitor various worm and hacker threats, and search frequently to ensure that your accounts have not been compromised. We are also keeping an open dialogue with Twitter. Were Twitter ever to catch something we had missed and notify us, we would correct the issue immediately. As of this moment, not a single account on SocialToo has been compromised, and it would be quite hard to do so. We ask for a separate username and password beyond your Twitter username and password (or other social network) just to protect you from that. This way, were your Twitter account to be compromised, your SocialToo.com account could not also be compromised.

Vocal Advocates of Secure Authorization Technologies

For those that know me personally, you may have read some of my blog posts recently on the subject.  I still argue that Twitter’s acceptance of OAuth would have stopped the phishing attacks seen recently.  While I agree it won’t stop all phishing attacks, it would prevent apps such as SocialToo.com from being the cause of such attacks.  We are one of the most vocal advocates on the Twitter developer mailing lists and elsewhere, and will continue to be a supporter of this, and other secure technologies.  Twitter’s requiring developers to collect plain-text usernames and passwords is unacceptable in our minds, and the minute Twitter changes this, we will convert immediately so your data remains secure.

Continued Monitoring of Customer Complaints

Another thing that sets us apart from other services is that we monitor your complaints and suggestions religiously. It doesn’t matter if you address us or not; we are tracking mentions of our name, so if anyone suggests we could be the cause of such a phishing attack, we see each and every one of those complaints. To this date, every one of those complaints has been unfounded. We believe in personal service here, and my hope is that we can continue that personalized service as long as we are capable. If someone suggests we’re the cause of a phishing or hacking attack and you have questions about that, please do not hesitate to contact me personally at jesse@socialtoo.com.

Vocal Advocates of Source Detection Technologies

Another cause we are fighting for at SocialToo is to have Twitter enable clients to provide their source with DMs they send on behalf of users. Ideally, when OAuth is implemented, this should be a required feature, but for now we’ll accept optional. While we realize this will not stop phishing, it will enable us to ensure you know which DMs are coming from our service (we will send it with 100% of the DMs we send on behalf of our users), and if anyone spoofs our name, or compromises our users’ accounts, we can know immediately. It will also give you, the user, a little more information regarding where the DMs you receive come from. If you think this is a good idea, would you please @reply @ev, @biz, and/or @al3x at Twitter and let them know you would like to see this? Tag it #dmsource so we can track it. We will be creating a bug for this shortly and you can star that when it is ready to show your support as well.

As you can see, we’re doing all we can to ensure your data is secure.  I’m confident it will remain so, and you can feel confident in that.  It’s a shame that we as app developers have to defend this stance, but I am confident Twitter and other social websites will do the right thing by implementing secure auth standards in the near future.  When they do, we’ll be right there along with them.

(BTW, I’m creating a new category for this for Security – I’m sure this won’t be our last post about security!)

Image Credit: Miles Cox
