Abusing Twitter API

The consumer tokens are fundamentally insecure when used within a client application. Additionally, requiring the consumer keys to be kept secret effectively kills open-source applications.

Twitter asks developers to protect their keys in an environment where users have complete control over the execution flow and access to the full address space, so it’s impossible to prevent key extraction.

This problem is somewhat similar to DVD / HDMI / HDCP decryption. At some point, the user’s machine has to load into memory the cryptographic keys that will be used to decrypt the protected content. It’s just a matter of time and motivation until someone extracts the keys and replicates the decryption process.

My takeaway: OAuth sucks if you don’t completely control the client environment. A quick strings dump or debugging session can steal both your consumer key and secret. Game over.
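The "quick strings dump" above is also the cheapest pre-release check a developer can run against their own build. The following is an added example, not code from the original post: it emulates `strings(1)` over a constructed, fake binary blob and flags embedded high-entropy alphanumeric tokens that look like hard-coded API credentials. The blob contents, the 20-character minimum length and the 3.5-bit entropy threshold are all assumptions chosen for illustration.

```python
import math
import re

# Constructed sample: a fake compiled artifact with a hard-coded OAuth
# consumer key and secret sitting between binary bytes. All values are made up.
FAKE_BINARY = (
    b"\x7fELF\x02\x01\x01\x00" + b"\x00" * 8
    + b"consumer_key\x00"
    + b"Xk3pQz9LmN2vB8yTwR5sHj7A\x00"                          # constructed key
    + b"\x90\x90\xcc"
    + b"https://api.twitter.com/oauth/request_token\x00"
    + b"consumer_secret\x00"
    + b"a8F2kL9qZx4Vb7NpT3wRyH6mJc1sDe5GuK0iQoW2XeYz\x00"      # constructed secret
    + b"\x00\x00Hello, world!\x00"
)

# Only unbroken runs of alphanumerics are credential candidates; URLs,
# identifiers with underscores and ordinary sentences are filtered out here.
TOKEN_RE = re.compile(r"^[A-Za-z0-9]{20,}$")  # assumed minimum length


def strings(blob: bytes, min_len: int = 8) -> list[str]:
    """Emulate `strings(1)`: runs of printable ASCII of at least min_len bytes."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, blob)]


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; random tokens score far above prose."""
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())


def find_token_candidates(blob: bytes, min_entropy: float = 3.5) -> list[str]:
    """Return printable strings that look like embedded API credentials."""
    return [
        s for s in strings(blob)
        if TOKEN_RE.match(s) and shannon_entropy(s) >= min_entropy
    ]


if __name__ == "__main__":
    for token in find_token_candidates(FAKE_BINARY):
        print(f"possible embedded credential: {token!r}")
```

Run against a real build artifact, any hit means the secret ships to every user, which is exactly the situation the post describes.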