Abusing Twitter API
18 Aug 2014 • seriot.chThe consumer tokens are fundamentally insecure when used within a client application. Additionaly, requesting the consumer keys to be kept secret effectively kills open-source applications.
Twitter asks developers to protect their keys in an environnment where users have complete control over the execution flow and access to full address space, so it’s impossible to prevent keys extraction.
This problem is somehow similar to the DVD / HDMI / HDCP decryption. At some point, the user has to use a machine that will load in memory cryptographic keys that will be use to decrypt the protected content. It’s just a matter of time and motivation until motivated hackers extract the keys and can replicate the decryption process.
My takeaway: OAuth sucks when if you don’t completely control the client environment. Quick strings dump or debugging session can steal both your consumer key and secret. Game over.