Security issue with Twitter backend - state parameter

[TechNickAI]

According to the security issue referenced in omab/django-social-auth#386 - a state parameter should be required to prevent clickjacking of requests.

In the issue, it mentions that it backends with Oauth2 were fixed. I'm getting security reports that the Twitter login (via python social auth) has a security hole because it is missing the state parameter, presumably because Twitter uses Oauth1 instead of Oauth 2.

According to this https://hackerone.com/reports/13555 , the state parameter should still be present even for Oauth1.

Can we add the state parameter to the Twitter backend, or explain why it is omitted?

[omab]

@gorillamania, the state was implemented only on OAuth2 backends because it's part of that spec, not from OAuth1. It's true that you can workaround (and it's done in OAuth2 backends too for those that don't support it), but not all of the providers support that and will mark the auth process as invalid because the redirect URL doesn't match with the one registered.

I will try to make the redirect url state parameter available on OAuth1 backends too, and test that it works with Twitter and enable it by default.

[omab]

@gorillamania, I've made the needed changes to support redirect_state parameter in OAuth1 backends and enabled it by default on Twitter.

[TechNickAI]

@omab thanks for the quick response and the fix. Have a beer on me with @changetip

[changetip]

Hi omab, gorillamania sent you a Bitcoin tip worth a beer (5.932 mBTC/$3.50), and I'm here to deliver it ➔ collect your tip at ChangeTip.com.

Is this real?

[omab]

@gorillamania, thanks fir the tip, I'll grab a very cold one to celebrate.