rrrene / elixirstatus-web

Community site for Elixir project/blog post/version updates
http://elixirstatus.com
MIT License

Unauthenticated Twitter handle is not safe #48

Closed ashleygwilliams closed 6 years ago

ashleygwilliams commented 7 years ago

hello! i'm filing this here as we use it for rust-lang. (https://herald.community.rs)

the twitter handle is a string, so anything can be put there. this could be used to suggest that someone is the author of a post that they didn't author, which is a way to harass someone. (e.g. write an inappropriate post, or just any post, or number of posts to ping that person on twitter.)

i would recommend that the twitter handle be added via an authentication step only, so that only people with access to an account can have that account mentioned via the automated tweeting process.

for example, i authed with my GitHub account but put my partner's twitter handle: https://twitter.com/RustHerald/status/885590557082439680

since GitHub accounts are free, having to authenticate with GitHub doesn't significantly reduce the harassment vector here :/

rrrene commented 7 years ago

I understand the trade-off this feature means, but it has not been a problem for ElixirStatus.

However: If you want to contribute this as a PR, I would accept it.

skade commented 7 years ago

I find that approach (also showing in the renaming of the title) dangerous. The feature is not a trade-off, it can currently be abused. Just because it currently isn't, doesn't mean it won't.

The hole even gets a bit wider by the fact that if you delete posts on elixirstatus, the attached tweet isn't deleted, making cleanup hard.

I can understand that development is time-consuming and it cannot be fixed in a second, but this is not an "enhancement", this is a serious bug.

Nevertheless, I'll see if I can invest some work into this (possibly next weekend), as I stopped promoting the Rust Herald because of this.
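The two points raised in this thread, that a post's Twitter handle should come only from an identity the poster has actually authenticated (ashleygwilliams' recommendation) and that deleting a post should also delete the tweet it produced (skade's cleanup point), modelled as an added Python example. This is not code from elixirstatus-web or its Elixir code base; the `Session`, `FakeTwitter` and `PostService` names are assumptions, and the Twitter OAuth callback is represented by a plain function that receives the nickname the provider returned.

```python
"""Free-form handle (the bug) beside a session-bound handle (the fix), plus
tweet cleanup on post deletion. Example code; all names are constructed."""
import re
from dataclasses import dataclass
from typing import Dict, Optional

# Twitter screen names: 1-15 characters from [A-Za-z0-9_].
HANDLE_RE = re.compile(r"^[A-Za-z0-9_]{1,15}$")


class UnverifiedHandle(Exception):
    """Raised when a handle is not backed by an authenticated Twitter login."""


@dataclass
class Session:
    github_login: str
    # Set ONLY by twitter_oauth_callback(); never by a form field.
    twitter_handle: Optional[str] = None


@dataclass
class Post:
    post_id: int
    title: str
    author_github: str
    twitter_handle: Optional[str]
    tweet_id: Optional[str] = None


def twitter_oauth_callback(session: Session, nickname_from_provider: str) -> Session:
    """Hypothetical OAuth callback: the provider, not the user, supplies the name."""
    nickname = nickname_from_provider.lstrip("@")
    if not HANDLE_RE.match(nickname):
        raise UnverifiedHandle(f"provider returned an invalid nickname: {nickname!r}")
    session.twitter_handle = nickname
    return session


class FakeTwitter:
    """Constructed in-memory stand-in for the tweeting API."""

    def __init__(self) -> None:
        self.tweets: Dict[str, str] = {}
        self._next = 1

    def tweet(self, text: str) -> str:
        tweet_id = str(self._next)
        self._next += 1
        self.tweets[tweet_id] = text
        return tweet_id

    def delete(self, tweet_id: str) -> None:
        self.tweets.pop(tweet_id, None)


class PostService:
    def __init__(self, twitter: FakeTwitter) -> None:
        self.twitter = twitter
        self.posts: Dict[int, Post] = {}
        self._next = 1

    def create_post_vulnerable(self, session: Session, title: str, form_handle: str) -> Post:
        """Before: the handle is whatever string the form contained."""
        return self._publish(session, title, form_handle.lstrip("@") or None)

    def create_post(self, session: Session, title: str) -> Post:
        """After: the handle comes from the session, which only the OAuth callback sets."""
        return self._publish(session, title, session.twitter_handle)

    def _publish(self, session: Session, title: str, handle: Optional[str]) -> Post:
        text = title if handle is None else f"{title} by @{handle}"
        tweet_id = self.twitter.tweet(text)
        post = Post(self._next, title, session.github_login, handle, tweet_id)
        self.posts[post.post_id] = post
        self._next += 1
        return post

    def delete_post(self, session: Session, post_id: int) -> Post:
        """Deleting a post also deletes the tweet it produced, so cleanup is one step."""
        post = self.posts[post_id]
        if post.author_github != session.github_login:
            raise PermissionError("only the author may delete a post")
        del self.posts[post_id]
        if post.tweet_id is not None:
            self.twitter.delete(post.tweet_id)
        return post
```

In the hardened path the form has no handle field at all: a poster who authenticated only with GitHub gets a tweet without any mention, and the mention appears only after the Twitter callback has populated the session. Nothing typed by the user ever reaches the `@` in the tweet text.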

Hanspagh commented 7 years ago

I started working on this here https://github.com/Hanspagh/elixirstatus-web/tree/fix-twitter-handle-auth What I did

You will need both a twitter and github test application to try it out

skade commented 7 years ago

@Hanspagh \o/

Hanspagh commented 7 years ago

I won't have much more time to work on this before next week, so feel free to continue if you have the time

rrrene commented 7 years ago

@skade I will gladly accept contributions to this project! Thx :+1: