On Thursday, security experts on Twitter noticed something odd about the final registration page on the RSA Conference website: a promotional social-media form was collecting Twitter usernames and passwords and sending them to the conference's own server rather than to Twitter.
Just registered for RSA conference. Saw this after reg. Hoping this is not asking for actual Twitter creds. pic.twitter.com/kNJLm1j03z - Micah (@WebBreacher), January 7, 2016
The conversation started on January 7, when one security professional made a simple observation after registering for this year's RSA Conference. At the end of the registration process, there is a form allowing a participant to send a message via Twitter to their followers.
The message is simple promotion: "I'm going to #RSAC 2016 in San Fran! Who wants to come with me?"
However, when the conference participant enters their Twitter username and password into the form to send the promotional tweet, those credentials are submitted to the registration website. Another security professional tested the form and confirmed that it was indeed collecting credentials.
A Twitter search turns up a number of accounts that posted the exact message the form promotes. It isn't clear whether those accounts' credentials were exposed, but that is likely the case.
Salted Hash has reached out to the RSA Conference for an explanation; we'll update this story when they respond.
In the meantime, if you're planning to attend the RSA Conference this year, skip the promotional opportunity towards the end of the registration process. Or... wait until the conference implements OAuth.
RSA Conference organizers have responded to a request for comment, denying that credentials were collected. They also say that OAuth was used and that the Twitter form will be disabled going forward.
"RSA Conference 2016 has not and will not collect or store attendee Twitter password information during its conference registration process. The “Tweet this” functionality on our encrypted registration page uses a Twitter-approved API to authenticate users and allow them to socialize their attendance at RSAC.
"Although media has speculated RSAC was not using OAuth, the API does in fact use OAuth to authenticate with Twitter. The only information RSA Conference receives is a response back from Twitter regarding the success or failure of a post.
"We do understand the concern caused by asking users to input their Twitter information on our site rather than sending them to Twitter directly. To avoid further concerns, RSA Conference has turned off this API and will not be using it moving forward."
After the statement was sent to media, the RSA Conference also published a blog post repeating much of the same, with some additional scolding aimed at the security community.
"As the information security community, our collective job should be to help, not embarrass, one another. A core element of the RSA Conference is education. Not everyone who attends is a CSO or CISO. Some want to better educate themselves or have found themselves in an IT position that incorporates security as part of their day-to-day management.
"As a large industry event, we can take criticism when we make a misstep and welcome that dialogue – but we hope our community will stop faulting the individuals who used a communication offering we provided."
However, experts who have seen the explanation offered by RSA Conference disagree with it. One expert pointed out that Twitter has an OAuth flow called xAuth, which requires Twitter's approval before it can be used. xAuth is Twitter's extension to OAuth 1.0a in which the application itself collects the user's username and password and exchanges them directly with Twitter for an access token; the result is an OAuth-signed session, but the password still passes through the application's form and server on the way there.
Another person familiar with OAuth pointed out that Twitter intends xAuth only for desktop and mobile apps, not websites. Either way, if xAuth was the flow used, it does not answer the concern: the credentials would still have been typed into, and transmitted by, the conference's own page, which is why the explanation made little sense to those commenting on the issue.
Another expert, Jim Manico, shared his thoughts with Salted Hash shortly after the RSA Conference statement was published:
"Twitter's OAuth API has a multitude of authentication and authorization options. This includes collecting credentials like RSA did, and while easy to use, it's rather insecure since RSA's servers will likely be logging or collecting these credentials whether they mean to or not. It also raises suspicions, like we see from the many folks who are complaining about this design.
"Another option was to use the OAuth 1 standard workflow that Twitter supports. This would allow the RSA and Twitter server to form a relationship that allows RSA to tweet on behalf of Twitter users - if they give RSA permission - without exposing credentials of the users in any way. This is more challenging to implement, but it's a great deal more secure and is the primary purpose of OAuth in the first place.
"As one of the world's largest security companies advertising for a security conference, I would have hoped that RSA would have taken the more robust, secure and privacy-respecting route."
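The standard three-legged OAuth 1.0a flow Manico describes, as an added example that is not code from the article, from Salted Hash or from RSA Conference, and that never contacts Twitter: MockProvider stands in for Twitter, tweet_via_oauth for a site such as the conference registration page, and the consumer key, secrets, the user "alice" and the provider URL are all made up for the demo. The signing follows RFC 5849 with HMAC-SHA1. The point to watch is that the password is entered only in the authorize step on the provider's side, while the consumer ends up holding nothing but its own key and an access token pair.

```python
# Added example, not code from the article or from RSA Conference: a simulated OAuth 1.0a
# three-legged flow (RFC 5849). All keys, secrets, users and the provider URL are made up.
import base64
import hashlib
import hmac
import secrets
import time
from urllib.parse import quote

def pct(value):
    return quote(str(value), safe="-._~")  # RFC 5849 section 3.6: only unreserved chars survive

def base_string(method, url, params):
    """METHOD & encoded URL & encoded sorted 'k=v' pairs (params exclude oauth_signature)."""
    pairs = sorted((pct(k), pct(v)) for k, v in params.items())
    return "&".join([method.upper(), pct(url), pct("&".join(f"{k}={v}" for k, v in pairs))])

def sign(method, url, params, consumer_secret, token_secret=""):
    """HMAC-SHA1 over the base string, keyed with 'consumer_secret&token_secret'."""
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    mac = hmac.new(key, base_string(method, url, params).encode(), hashlib.sha1)
    return base64.b64encode(mac.digest()).decode()

def oauth_params(consumer_key, token=None, **extra):
    """The oauth_* protocol parameters a consumer attaches to every request."""
    params = {"oauth_consumer_key": consumer_key, "oauth_nonce": secrets.token_hex(16),
              "oauth_signature_method": "HMAC-SHA1", "oauth_version": "1.0",
              "oauth_timestamp": str(int(time.time()))}
    if token:
        params["oauth_token"] = token
    params.update(extra)
    return params

class MockProvider:
    """Stand-in for Twitter: the only party that ever sees a user's password."""
    URL = "https://provider.example/oauth"  # hypothetical endpoint
    def __init__(self, consumers, users):
        self.consumers = consumers  # consumer_key -> consumer_secret
        self.users = users          # username -> password (demo only; a real provider stores hashes)
        self.request_tokens, self.access_tokens, self.posted = {}, {}, []

    def _verify(self, params, signature, token_secret=""):
        secret = self.consumers[params["oauth_consumer_key"]]
        if not hmac.compare_digest(sign("POST", self.URL, params, secret, token_secret), signature):
            raise PermissionError("bad oauth_signature")

    def request_token(self, params, signature):
        # Leg 1 (consumer <-> provider): signed with the consumer secret alone.
        self._verify(params, signature)
        token, secret = secrets.token_hex(8), secrets.token_hex(16)
        self.request_tokens[token] = {"secret": secret, "consumer": params["oauth_consumer_key"]}
        return token, secret

    def authorize(self, request_token, username, password):
        # Leg 2 (user <-> provider): the login happens here, never on the consumer's site.
        if not hmac.compare_digest(self.users.get(username, ""), password):
            raise PermissionError("bad login")
        verifier = secrets.token_hex(6)
        self.request_tokens[request_token].update(verifier=verifier, user=username)
        return verifier

    def access_token(self, params, signature):
        # Leg 3 (consumer <-> provider): request token + verifier become an access token.
        pending = self.request_tokens.pop(params["oauth_token"])
        if pending["consumer"] != params["oauth_consumer_key"] or pending.get("verifier") != params.get("oauth_verifier"):
            raise PermissionError("bad oauth_verifier")
        self._verify(params, signature, pending["secret"])
        token, secret = secrets.token_hex(8), secrets.token_hex(16)
        self.access_tokens[token] = {"secret": secret, "user": pending["user"]}
        return token, secret

    def update_status(self, params, signature):
        # Protected resource: the tweet is posted as the user who granted the token.
        grant = self.access_tokens[params["oauth_token"]]
        self._verify(params, signature, grant["secret"])
        self.posted.append((grant["user"], params["status"]))
        return True

def tweet_via_oauth(provider, consumer_key, consumer_secret, user_browser, status):
    """Consumer side. user_browser(request_token) models the redirect to the provider where
    the user logs in; the consumer gets back only the verifier, never the password."""
    params = oauth_params(consumer_key, oauth_callback="oob")
    req_token, req_secret = provider.request_token(params, sign("POST", provider.URL, params, consumer_secret))
    verifier = user_browser(req_token)
    params = oauth_params(consumer_key, token=req_token, oauth_verifier=verifier)
    acc_token, acc_secret = provider.access_token(
        params, sign("POST", provider.URL, params, consumer_secret, req_secret))
    params = oauth_params(consumer_key, token=acc_token, status=status)
    provider.update_status(params, sign("POST", provider.URL, params, consumer_secret, acc_secret))
    return {"consumer_key": consumer_key, "access_token": acc_token, "access_token_secret": acc_secret}

def demo():
    """Made-up user 'alice' lets the made-up conference app tweet the promo on her behalf."""
    password = "correct horse battery staple"
    provider = MockProvider({"rsac-demo-key": "rsac-demo-secret"}, {"alice": password})
    alice = lambda req_token: provider.authorize(req_token, "alice", password)  # alice's browser
    promo = "I'm going to #RSAC 2016 in San Fran! Who wants to come with me?"
    held = tweet_via_oauth(provider, "rsac-demo-key", "rsac-demo-secret", alice, promo)
    return provider.posted, held
```

Calling demo() posts the promotional message as alice and returns what the consumer holds afterwards, which contains no password. Any change to a signed request (a different status, a wrong token secret) fails the provider's signature check, and the only place a password is ever compared is MockProvider.authorize. In the xAuth variant the experts mention, leg 2 is replaced by the application posting the username and password to the provider itself, which is exactly the step the standard flow exists to avoid.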