Thursday, April 23, 2009

Google OAuth Security Flaw

A security vulnerability in the OAuth protocol was announced last night. This is the mechanism we use to have access tokens granted to us for users' Google calendar and contact data. Google has implemented the recommended warning message on their access request page, which reads:

This website is registered with Google to make authorization requests, but has not been configured to send requests securely. If you grant access but you did not initiate this request at www.nuevasync.com, it may be possible for other users of www.nuevasync.com to access your data. We recommend you deny access unless you are certain that you initiated this request directly with http://www.nuevasync.com/.

I think the message must have been written on the assumption that a fixed OAuth protocol will be introduced in the future (hence the 'has not been configured...' part). Unfortunately, right now that doesn't exist, so there's no way for us to 'configure' our service appropriately.

So what does this mean for our users? Having analysed the vulnerability, our bottom line is this: whenever you see the Google page where you grant access, be sure that you yourself initiated the access request. That is, you have just come from our site and have just clicked the 'Request account access' button. The vulnerability requires someone to trick you into clicking 'grant access' on that page after you followed a link on some other page (not on our site). This is exactly what the alert message on the page says, so if you read and understand the page, you're OK.

Update: There's a good description of the problem in this blog post. It turns out that the attack is not so easy to pull off against our service because we take steps to ensure that the Google id stored in your account matches the data accessed by the Google access token. In general the attacker won't know the victim's Google id and therefore the attack will fail.
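
The check described in the update, sketched as an added example (this is not Nuevasync's own code): an access token is stored against an account only when the data it reaches belongs to the Google id already recorded for that account. The names `Account`, `bind_access_token` and `owner_of` are hypothetical, and how the token's owner is looked up at the provider is an assumption, so it is passed in as a function.

```python
from dataclasses import dataclass
from typing import Callable, Optional


@dataclass
class Account:
    username: str
    google_id: str                      # Google id the user registered with us
    access_token: Optional[str] = None  # set only after the check passes


def normalise(google_id: str) -> str:
    # Assumption: ids are compared ignoring case and surrounding whitespace.
    return google_id.strip().lower()


def bind_access_token(account: Account, token: str,
                      owner_of: Callable[[str], str]) -> bool:
    """Keep `token` only if the data it reaches belongs to account.google_id.

    `owner_of` is a hypothetical lookup that reports whose data the token
    reads (for example, the owner id of the feed fetched with it).
    """
    try:
        owner = normalise(owner_of(token))
    except Exception:
        return False                    # fail closed if the owner is unknown
    expected = normalise(account.google_id)
    if not expected or owner != expected:
        return False                    # token was approved by someone else
    account.access_token = token
    return True


# Constructed sample data: token -> Google id that approved it.
SAMPLE_TOKEN_OWNERS = {"tok-alice": "alice@example.com"}


def demo() -> dict:
    lookup = SAMPLE_TOKEN_OWNERS.__getitem__
    alice = Account("alice", "Alice@Example.com")
    mallory = Account("mallory", "mallory@example.com")
    return {
        "owner_binds": bind_access_token(alice, "tok-alice", lookup),
        "other_account_binds": bind_access_token(mallory, "tok-alice", lookup),
        "unknown_token_binds": bind_access_token(alice, "tok-unknown", lookup),
        "mallory_token": mallory.access_token,
    }


if __name__ == "__main__":
    print(demo())
```

A token that fails the check is never written to the account, so a grant approved by a different Google user gives the requesting account nothing to sync.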

Thursday, April 16, 2009

Nokia Nirvana

Or at least pretty close. A number of changes were deployed tonight that bring us up to a much higher level of compatibility with the Nokia MfE client. More information about our Nokia support in general can be found here. There's also a new Nokia discussion area on the Nuevasync discussion forum which would be a good place to post any experiences (good or bad!) with Nokia syncing.
We recommend using the latest version of MfE (2.09.158 at the time of writing). This has support for contact picture sync, which works both ways. For reasons outside our control, updates to pictures at Google seem to take around 5 minutes to show up, so please wait a while before concluding picture syncing isn't working.
The only Nokia problem that we're aware of at present is that a contact with two (or more) mobile phone numbers at Google will sync only one of them to the phone. This is because Nokia appear not to have implemented support for the contact field that we normally use for the second mobile phone number ('car phone'). We'll figure out a fix for this problem soon.
Nokia's calendar application has a rather strange approach to all-day events: they are treated as regular events that happen to run from midnight to 11:59pm. This looks like a bug to us, but apparently it's always been like that. It's important to get your time zone setting right because if it is off vs. the Google calendar these all-day events will show up spanning two days, and at weird times. A 'real' all-day event is called a 'memo' in Nokia-speak and if you create one of these on the device it will sync as an all-day event at Google. However if you ever resync, it'll be converted back to one of the strange 'lasts-all-day' events.