OAuth is an open protocol that allows people to authorize applications to share data on their behalf with other applications. TripIt uses OAuth to allow its users to securely authorize other applications (like Flight Track Pro or Expens’d) to access their TripIt data via our API. We’re in good company: OAuth is used by some of the most popular services on the Web including Google, MySpace, Yahoo, Netflix, and Twitter.
On Wednesday, the OAuth team issued a security advisory. They have identified a way that an attacker could theoretically use a phishing-like scheme to gain unauthorized access to a user’s personal data via OAuth. To the best of our knowledge, this issue has never been exploited.
We take security very seriously and are working with the OAuth team and our partners to take the necessary steps to mitigate the risk of this exploit. We also wanted to provide a friendly reminder to be careful with your data. An attacker cannot access your data unless you authorize their request, so take care to verify that any such request is coming from a reputable, trustworthy source, and that any link to authorize access to your data is presented in a valid, secure web page (not an email or other type of message). Do not click links in any messages that come from unverified or dubious sources. If you do click a link in a message, and the message is part of a scheme, the party who sent the message could end up with limited access to your TripIt data.
You can check your TripIt account to see a list of the applications that you’ve authorized to access your data. In the unlikely event that you see an app on the list that you don’t remember authorizing, de-authorize it. We recommend checking the list periodically to ensure that only reputable applications you’ve authorized have access to your data.
If you have any questions, please contact us at firstname.lastname@example.org.