Hi guys,
As per the topic: where can I deauthorize third-party services that I've connected to my account, such as IFTTT? I've looked all over for it without any luck.
When connecting, it takes me to a URL in the format of oauth.netgear.com, but I've found no other link in the Arlo interface to see what services are currently connected and how to revoke their access.
Hopefully there's a way and this wasn't overlooked, because if not, it would be quite a security issue.
Thanks.
In the meanwhile... you could change your account info.
Morse is faster than texting!
--------------------------------------
Hi Tom, what do you mean by account info? The Arlo password? If so, OAuth authorizations are tokens that don't take into consideration your username/password combination, so that wouldn't block the services from still being allowed to connect.
If there's no way, it would be a terrible security oversight, as we need to see a list of all the services connected to our accounts and be able to revoke their access at will.
Yes, but doesn't the client SW have your info when registered?... as the token does not.
I'm not sure I'm understanding you... do you mean the client software? IFTTT (for example)?
It connects to Arlo based on the OAuth token that IFTTT saves when I confirm the access, and Arlo/Netgear has a list of approved services that can access them on their servers. What we need is a screen to be able to see those approved services and revoke their access.
Changing the user/password/etc in any of the services (Arlo, Netgear, IFTTT, etc.) wouldn't do anything and the connection would still be allowed.
Here's a nice example of a security threat. I somehow hack into your IFTTT account and get access to it. I can then create rules to know when you are in the house (motion detection), how many cameras you have and where they are located (based on their names), I can profile you and get to learn your schedule after studying it for a couple of weeks (i.e. knowing when motion is detected every day and at what times [leaving for work in the morning? house is empty?] and predict a pattern of your behaviors and when you might be out of your house) and also know when your batteries are running low (so then I can get in and steal the heck out of it!). The best part: you don't have any way to stop me from continuing to do that (except deleting your Arlo account, but for that, you'd have to know that I've gained access to your IFTTT account).
If that scared you, then that's why we need to have a screen to revoke access to connected apps, as it's pretty much mandatory in any OAuth implementation (Google, Microsoft, Dropbox, Facebook; whichever service uses them has one).
If we don't have that, maybe it's a nice time to escalate this. Maybe @JamesC can chime in here?
Thanks again
Assuming Netgear's auth is done correctly once you change your arlo account password the token used by IFTTT (or any other party which has your token) will no longer be valid, it will require re-authentication (with username/password) so that it can get a fresh one.
It's not part of the OAuth specs to determine whether tokens should be revoked on a password change. It depends on the implementation, as the tokens should be individually revocable at will (imagine having to reauthenticate dozens of services on every password change).
Google, for example, just at the end of last year started implementing revocation of tokens on a password reset (http://www.securityweek.com/google-revoke-oauth-20-tokens-upon-password-reset), as an additional security measure on top of their existing "Connected Apps" interface, where you can see who is accessing your account and revoke them.
As of now, we don't know what Netgear is doing, how they implemented it and what are they doing to protect us.
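The two points argued above (a "connected apps" list with per-client revocation, and whether a password change should invalidate outstanding tokens) come down to how the authorization server stores and checks grants. The following is an added illustration of mine, not Arlo/Netgear code and not a description of how oauth.netgear.com works: a toy OAuth-style authorization server in which tokens are stored by hash, every API call is checked by introspection, the user can list and revoke clients, and revoke-on-password-change is an explicit policy switch. The user id `timmy256`, the client ids `ifttt` and `smartthings`, and the scope names are made up for the example.

```python
import hashlib
import secrets
from dataclasses import dataclass


@dataclass
class Grant:
    """One user-to-client authorization, e.g. user 'timmy256' -> client 'ifttt'."""
    user_id: str
    client_id: str
    scopes: tuple
    revoked: bool = False


def _token_hash(token: str) -> str:
    # Store only a hash of the bearer token; a leaked grant table is then useless.
    return hashlib.sha256(token.encode()).hexdigest()


class AuthServer:
    """Toy authorization server; revoke_on_password_change is the policy knob
    the thread argues about, which RFC 6749 leaves to the implementation."""

    def __init__(self, revoke_on_password_change: bool = False):
        self.revoke_on_password_change = revoke_on_password_change
        self._passwords = {}  # user_id -> (salt, pbkdf2 digest)
        self._grants = {}     # token hash -> Grant

    def set_password(self, user_id: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
        self._passwords[user_id] = (salt, digest)
        if self.revoke_on_password_change:  # Google-style: reset kills all grants
            for grant in self._grants.values():
                if grant.user_id == user_id:
                    grant.revoked = True

    def authorize(self, user_id: str, client_id: str, scopes: tuple) -> str:
        """Issue a bearer token for client_id acting for user_id (returned once)."""
        token = secrets.token_urlsafe(32)
        self._grants[_token_hash(token)] = Grant(user_id, client_id, scopes)
        return token

    def introspect(self, token: str) -> dict:
        """RFC 7662-style check a resource server makes on every API request."""
        grant = self._grants.get(_token_hash(token))
        if grant is None or grant.revoked:
            return {"active": False}
        return {"active": True, "client_id": grant.client_id,
                "sub": grant.user_id, "scope": " ".join(grant.scopes)}

    def connected_apps(self, user_id: str) -> list:
        """The 'connected apps' screen: clients holding a live grant for the user."""
        apps = {}
        for grant in self._grants.values():
            if grant.user_id == user_id and not grant.revoked:
                apps.setdefault(grant.client_id, set()).update(grant.scopes)
        return sorted((cid, tuple(sorted(s))) for cid, s in apps.items())

    def revoke_client(self, user_id: str, client_id: str) -> int:
        """The 'deauthorize IFTTT' button: kill every grant one client holds for
        this user, without the client's cooperation. Returns the number revoked."""
        hits = [g for g in self._grants.values()
                if g.user_id == user_id and g.client_id == client_id and not g.revoked]
        for grant in hits:
            grant.revoked = True
        return len(hits)

    def revoke_token(self, token: str) -> None:
        """RFC 7009-style revocation of one token, what a client does when the user
        clicks 'Disconnect' on its side. Unknown tokens are silently ignored."""
        grant = self._grants.get(_token_hash(token))
        if grant is not None:
            grant.revoked = True


def password_change_scenario(revoke_on_password_change: bool) -> tuple:
    """The password-change experiment: is the IFTTT token still live afterwards?"""
    srv = AuthServer(revoke_on_password_change)
    srv.set_password("timmy256", "old-password")
    token = srv.authorize("timmy256", "ifttt", ("cameras:read", "modes:write"))
    before = srv.introspect(token)["active"]
    srv.set_password("timmy256", "new-password")
    return before, srv.introspect(token)["active"]


def revoke_client_scenario() -> tuple:
    """Revoke only IFTTT from the connected-apps view; SmartThings keeps working."""
    srv = AuthServer()
    srv.set_password("timmy256", "pw")
    ifttt_a = srv.authorize("timmy256", "ifttt", ("cameras:read",))
    ifttt_b = srv.authorize("timmy256", "ifttt", ("modes:write",))  # a second IFTTT token
    st = srv.authorize("timmy256", "smartthings", ("cameras:read",))
    apps_before = [cid for cid, _ in srv.connected_apps("timmy256")]
    revoked = srv.revoke_client("timmy256", "ifttt")
    apps_after = [cid for cid, _ in srv.connected_apps("timmy256")]
    ifttt_active = srv.introspect(ifttt_a)["active"] or srv.introspect(ifttt_b)["active"]
    return apps_before, ifttt_active, srv.introspect(st)["active"], revoked, apps_after
```

`password_change_scenario(False)` returns `(True, True)`: with the default policy the IFTTT token keeps working after the password changes, which is exactly the behaviour a password change cannot be relied on to fix. With the switch on it returns `(True, False)`. `revoke_client_scenario()` shows the server-side button the thread asks for: both IFTTT tokens die, the SmartThings one survives, and the connected-apps list shrinks accordingly. Note that this only works because the resource server consults the grant store on every request (or, equivalently, issues short-lived access tokens refreshed from a revocable refresh token); a long-lived bearer token validated purely by signature cannot be revoked no matter what screen the provider adds.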
And of course more granular token revocation would be better, but at least you would know you could use the hammer if needed.
I'd love to test it, but as I posted when I bought and set up the kit, IFTTT never works for me. It doesn't get triggered and always writes an error to its log instead.
IFTTT Arlo isn't Working - Returns "Error" All the... - NETGEAR Communities
So I tested the theory of changing my arlo password in hopes that ifttt will require a re-auth, but this failed. Even with an arlo password change my ifttt triggered my arlo camera with no delay.
It'd be good if Netgear or part of the Arlo team could comment on this.
Thanks for your comment islandboy. Hopefully, @JamesC from Netgear can comment on this.
Thanks for your workaround islandboy. I knew about that; I actually did that several times in order to troubleshoot why IFTTT doesn't work, but as you also said, that's not optimal and we need to revoke at the source. Imagine the case of having your IFTTT account stolen and someone snooping around with your cameras...
I agree Timmy! Hopefully Netgear support will have a better answer for me soon.
On a side note...My previous post disappeared..?
Adding back my previous post for reference in case it helps anyone else...since it disappeared for some reason.
IFTTT allows disconnecting services from the Services settings.
From IFTTT FAQ:
How do I change the account associated with a service?
Go to the service page you’d like to change.
- Select Settings.
- Select Edit connection.
- Enter the login credentials for the account you want to use.
I accomplished this by logging into my IFTTT account and clicking Services-->Arlo-->Settings, which will bring you to a page with "Disconnect Arlo" at the bottom.
This isn't the best solution, as revoking access from the source (Netgear) would ensure that the token is revoked, but this is better than nothing at this point.
Yeah, your previous post disappeared! Guess they couldn't handle the reality!
@JamesC, can you comment something on this security issue?
Thanks.
Well, how great that when you search "OAUTH Netgear" in Google, this thread is the first result that shows up, exposing the security issue that we have unaddressed here...
Timmy256,
I have escalated this topic. I will post an update when I have more information.
JamesC
Thanks for your reply @JamesC, hopefully you guys can fix this security issue with a UI to revoke access for third-party apps.
Timmy256,
I've requested an update on this issue. I will post again when I have more information.
JamesC
Hi @JamesC, any updates on this? It's been open for too long and it's really starting to worry me. If you Google "netgear oauth security", it's the first result to show up, so I'm sure people would be interested in knowing that you've fixed this vulnerability.
If it's not possible for you to update us here, could you please create a case for someone from support to contact me? I just want to deauthorize IFTTT's access to my Arlo account, which has an already authorized token (which I can't see or revoke, because the issue is that you don't have a UI to manage that).
Thanks.
I've requested an update. I will post with more information as soon as I can.
JamesC
Hi @JamesC, it's been more than two months since your last reply. Any updates on this subject? How can I deauthorize the token to stop a rogue IFTTT account (no longer owned by me) from accessing my Arlo account, in which it was previously authorized?
If you can't help me, can you please point me in the direction or create a proper customer support case for this issue?
Thanks again for your help addressing this security issue.
Timmy256,
A back end release was deployed very recently that I believe addresses this issue (currently checking with engineering). If you change your Arlo password, does IFTTT still remain linked?
JamesC