Why access and API tokens are the new passwords but worse
Access tokens for APIs are like passwords except worse. Let me tell you why. When you give me OAuth2 permission to check your timeline, your e-mail, the pictures of your small adorable yet smelly baby, I have access to that for quite some time.
You can change your password, but this won’t revoke my token. It stays valid until you EXPLICITLY revoke it (if your OAuth provider even allows this) and if you can find the button to do so. And guess what. You won’t, because you’re an average user and an access token sounds more like an entry to a VIP club to you, “So better keep that”.
So since I own your precious tokens, you’re at risk. When someone hacks my site, the attacker can use my (read: your) access tokens to read all your data. Not so cool now, huh.
On top of that, passwords are at least hashed and salted in the database. Most frameworks promote this good behavior nowadays and have extensive documentation on how to do it. But for API tokens we’re outta luck. We need them in their plain-text form to communicate with the APIs, so all we can do is encrypt them at rest and decrypt them when necessary. Alas, this practice is neither widely communicated nor documented.
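Encrypting a token at rest, as an added example that is not from the original post or its follow-up: Go with AES-256-GCM from the standard library, where the row identity is passed as associated data so a ciphertext copied into another user's row fails to decrypt. The key, the row label format and the token value are assumptions for illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"io"
)

// newGCM builds an AES-256-GCM AEAD from a 32-byte key. Call it once at startup
// with a key from a KMS or secret store, never one kept in the token database.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealToken encrypts an access token for storage. aad names the owning row
// (e.g. "user:42/provider:example", an assumed format); GCM authenticates it,
// so a ciphertext copied into another user's row fails to open.
func sealToken(gcm cipher.AEAD, token, aad string) (string, error) {
	nonce := make([]byte, gcm.NonceSize()) // fresh random nonce per token
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return "", err
	}
	sealed := gcm.Seal(nonce, nonce, []byte(token), []byte(aad)) // nonce||ct||tag
	return base64.StdEncoding.EncodeToString(sealed), nil
}

// openToken decrypts a stored token right before the API call; it fails on a
// wrong key, a tampered ciphertext or a mismatched aad.
func openToken(gcm cipher.AEAD, sealed, aad string) (string, error) {
	raw, err := base64.StdEncoding.DecodeString(sealed)
	if err != nil {
		return "", err
	}
	n := gcm.NonceSize()
	if len(raw) < n+gcm.Overhead() {
		return "", errors.New("sealed token too short")
	}
	pt, err := gcm.Open(nil, raw[:n], raw[n:], []byte(aad))
	if err != nil {
		return "", err
	}
	return string(pt), nil
}
```

Only the sealed string goes into the database; the plaintext token exists in memory just for the duration of the API call.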
Once the token has been given away to the consuming site, the consuming site now has the responsibility of keeping that token safe. The provider can’t force the consumer to follow best practices for storing the tokens. It’s now the consuming site’s responsibility to protect the users’ privacy and data at all cost.
Furthermore, the reach (scope) of the token is also often too broad. Even when I need only a specific part of your data (i.e. your monkey’s email address), it often gives me much broader scopes, allowing me to do a lot more with my token than I really want (set monkeys free, fetch all bananas). This is annoying for me too as a consuming site, because I now hold tokens with a lot of power.
Yes, tokens can expire, but not every provider enforces this.
So here we are explaining why you as a dev should start encrypting and securing these bad boys right now. For the safety of all babies out there.
In my next post I’ll start telling how I do that :)