Twitter's secret auth keys exposed, allowing token-limit circumvention

The OAuth consumer key and secret pairs that Twitter's official apps use to identify themselves to the API have been exposed, allowing third-party developers to pass their own apps off as the official clients and sidestep the token restrictions placed on third parties. The keys, posted on GitHub, cover a number of official applications, including the clients for iPhone, Android, iPad, Mac and Windows Phone, as well as the Twitter-owned TweetDeck.

Within the official apps these keys serve two purposes: they exempt the clients from the 100,000 user-token limit that Twitter imposes on third-party developers, and they let the clients skip the web authorization page. Because the API identifies an app by nothing more than this key pair, any developer who embeds the keys can present their app as one of the official Twitter-made apps, and Twitter's servers will treat the requests as coming from an official client, free of the third-party restrictions.

Some users on GitHub report that the keys are legitimate, having built proof-of-concept applications that use them. It's unclear at this stage what Twitter can do to stop developers from spoofing first-party applications beyond revoking the exposed keys, and since the keys are embedded in the shipped binaries, revocation would require updates to every official application and render current versions useless.
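To make concrete why the key pair alone is the app's identity, and why revoking it hits the genuine client as hard as the imposter, here is an added example (not Twitter's code, and not the leaked values): an OAuth 1.0a HMAC-SHA1 signer per RFC 5849 and a toy server-side verifier with a revocation list. The key names, secrets, host and registry are constructed placeholders, and the xAuth exchange is built but never sent.

```python
"""Added example, not Twitter's code: an OAuth 1.0a (RFC 5849) HMAC-SHA1
signer and a toy server-side verifier. It shows that the consumer key/secret
pair is all that identifies an app, and what revoking a leaked pair costs.
All key names, secrets and hosts are constructed placeholders."""
import base64
import hashlib
import hmac
import secrets
import time
from urllib.parse import quote, urlsplit

# Constructed stand-in for the API side's registry of apps (placeholder secrets).
CONSUMER_SECRETS = {
    "official-iphone-key": "official-iphone-secret",
    "thirdparty-app-key": "thirdparty-app-secret",
}
REVOKED_CONSUMER_KEYS = set()


def pct(value):
    """RFC 3986 percent-encoding as RFC 5849 section 3.6 requires."""
    return quote(str(value), safe="-._~")


def signature_base_string(method, url, params):
    """RFC 5849 section 3.4.1: METHOD & base URL & normalized parameters.
    Scheme and host are lower-cased; query/body parameters come in via
    `params`, not the URL (default-port stripping is omitted)."""
    parts = urlsplit(url)
    base_url = f"{parts.scheme.lower()}://{parts.netloc.lower()}{parts.path}"
    encoded = sorted((pct(k), pct(v)) for k, v in params.items())
    normalized = "&".join(f"{k}={v}" for k, v in encoded)
    return "&".join([method.upper(), pct(base_url), pct(normalized)])


def hmac_sha1_signature(base_string, consumer_secret, token_secret=""):
    """Key is consumer secret '&' token secret; output is base64."""
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    digest = hmac.new(key, base_string.encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()


def sign_request(method, url, params, consumer_key, consumer_secret,
                 token="", token_secret="", nonce=None, timestamp=None):
    """Client side: produce the oauth_* parameters for one request."""
    oauth = {
        "oauth_consumer_key": consumer_key,
        "oauth_nonce": nonce or secrets.token_hex(16),
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_timestamp": str(timestamp or int(time.time())),
        "oauth_version": "1.0",
    }
    if token:
        oauth["oauth_token"] = token
    base = signature_base_string(method, url, {**params, **oauth})
    oauth["oauth_signature"] = hmac_sha1_signature(base, consumer_secret, token_secret)
    return oauth


def verify_request(method, url, params, oauth, token_secret=""):
    """Server side: recompute the signature with the secret registered for
    oauth_consumer_key. Nothing here reveals which binary sent the request;
    whoever holds the pair is, to the server, that application."""
    key = oauth.get("oauth_consumer_key")
    if key in REVOKED_CONSUMER_KEYS or key not in CONSUMER_SECRETS:
        return False
    unsigned = {k: v for k, v in oauth.items() if k != "oauth_signature"}
    base = signature_base_string(method, url, {**params, **unsigned})
    expected = hmac_sha1_signature(base, CONSUMER_SECRETS[key], token_secret)
    return hmac.compare_digest(oauth.get("oauth_signature", ""), expected)


def revoke_consumer_key(key):
    """The API side's only remedy: the key dies for every holder, including
    the genuine app whose shipped binary embeds it."""
    REVOKED_CONSUMER_KEYS.add(key)


def demo():
    url = "https://api.example.com/1.1/statuses/home_timeline.json"
    query = {"count": "20"}
    creds = ("official-iphone-key", "official-iphone-secret")
    # Fixed nonce/timestamp so the two clients' output can be compared.
    official = sign_request("GET", url, query, *creds, nonce="n1", timestamp=1362960000)
    imposter = sign_request("GET", url, query, *creds, nonce="n1", timestamp=1362960000)
    print("imposter indistinguishable from official app:", official == imposter)
    print("server accepts imposter:", verify_request("GET", url, query, imposter))
    # The same signer covers the xAuth password exchange that official clients
    # used in place of the web authorization page (constructed, never sent).
    xauth = sign_request("POST", "https://api.example.com/oauth/access_token",
                         {"x_auth_mode": "client_auth", "x_auth_username": "alice",
                          "x_auth_password": "hunter2"}, *creds)
    print("xAuth exchange signed:", "oauth_signature" in xauth)
    revoke_consumer_key("official-iphone-key")
    print("after revocation the genuine client is rejected too:",
          not verify_request("GET", url, query, official))


if __name__ == "__main__":
    demo()
```

The verifier can only compare a presented signature with the secret it has on file for the consumer key, so two programs holding the same pair are indistinguishable to it; the one lever it has, revocation, turns off the real client as well, which is the update problem the article describes.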

It will be interesting to see whether any applications use the revealed keys to take on users beyond the token limit, especially from developers who have recently hit it, such as Joaquim Vergès of Falcon Pro. Use of the keys in any large app would almost certainly start yet another war between developers and Twitter, one which could end up hurting users more than anyone.


15 Comments


I don't think it's stupid. This way, Twitter can revoke access to a malicious app directly by blacklisting the key.

It's just another layer of protection, but it can also be abused by Twitter if they want (it's their system after all).

Now they'll have the hassle of telling everyone to update their twitter clients because otherwise they won't work once the keys are replaced. Sigh.

For commonly used official apps (like Android and iOS), it will not take long to submit a new version using new keys. However, it might be a pain for less used official Twitter apps, like on Samsung Smart TVs. The updates aren't quick on those systems.

Time to blacklist the keys and move on then? What else can they really do?

BTW - That's a real question, I don't know the answer!

What developer who exceeds the 100k token limit is really going to risk doing this? You will get a cease letter in the mail from Twitter with a lawsuit follow-up if you don't get your s*** in order. Then you will get your developer token revoked permanently and be banned from ever using Twitter's SDK or developer API. I'm sure Twitter won't have a problem contacting each of the app stores and having your app removed for violating their terms and accessing Twitter content without permission.

This is pretty meaningless and only useful for small-time developers, and those won't hit the 100k limit anyway.

pgn said,
What developer who exceeds the 100k token limit is really going to risk doing this? You will get a cease letter in the mail from Twitter with a lawsuit follow-up if you don't get your s*** in order. Then you will get your developer token revoked permanently and be banned from ever using Twitter's SDK or developer API. I'm sure Twitter won't have a problem contacting each of the app stores and having your app removed for violating their terms and accessing Twitter content without permission.

This is pretty meaningless and only useful for small-time developers, and those won't hit the 100k limit anyway.

Theoretically any developer can use these keys to spoof their app as one of the official Twitter-made apps.

paul0544 said,

Theoretically any developer can use these keys to spoof their app as one of the official Twitter-made apps.

Yeah, but what for?

As pgn mentioned, there are only two points to those keys: bypassing the authorization screen, which is indeed nice but occurs only once in the application's lifetime, and removing the 100k limit, which is unthinkable for legal reasons.

KooKiz said,

Yeah, but what for?

As pgn mentioned, there are only two points to those keys: bypassing the authorization screen, which is indeed nice but occurs only once in the application's lifetime, and removing the 100k limit, which is unthinkable for legal reasons.


Legal reasons? And what legal reasons are they? The keys were reverse engineered; pretty sure that's legal.

KooKiz said,

removing the 100k limit which is unthinkable for legal reasons.

There is nothing illegal about reverse engineering these keys, and there is also nothing illegal about using them to bypass the 100k limit. Twitter's Terms & Conditions are not law.

If Twitter don't like it they can blacklist the keys, and that is about all; not all countries give a toss about this kind of thing.

They'll do what anyone would do and update the keys so they don't work anymore. It's not like they're going to throw their hands up, shout "OH WELL, WOOPS", and drop the whole policy altogether. To think otherwise would be naive to an adorably childish extreme.

Joshie said,
They'll do what anyone would do and update the keys so they don't work anymore. It's not like they're going to throw their hands up, shout "OH WELL, WOOPS", and drop the whole policy altogether. To think otherwise would be naive to an adorably childish extreme.

They probably won't do anything. Extracting the new keys from the updated app is just a matter of minutes, so that would be a waste of time for them (and a hassle for users), and they won't remove the whole policy just because of that.