Twitter's secret auth keys exposed, allows for token circumvention

The authentication keys that Twitter's official apps use to identify themselves to the API (their OAuth consumer key and secret pairs) have been exposed, allowing third-party developers to sign requests as those apps and so circumvent Twitter's token restrictions. The keys, posted on GitHub, have been listed for a number of official applications, including the clients for iPhone, Android, iPad, Mac and Windows Phone, as well as the Twitter-owned TweetDeck.

These keys are what Twitter uses to tell which application a request comes from. Requests signed with an official app's key are exempt from the 100,000 user-token limit Twitter imposes on third-party developers, and the official apps also skip the authorization page that third-party apps must send users through. In principle any developer can embed these keys in their own app and have it pass as one of Twitter's own: Twitter would see such a client only as the official app whose key it presents, so none of the third-party restrictions would apply to it.
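To make concrete what "spoofing the official apps" means at the protocol level, here is an added illustration; it is not code from the article or from Twitter. It implements OAuth 1.0a HMAC-SHA1 request signing (RFC 5849), which is how clients authenticated to Twitter's API, on both the client and the server side. Every key, secret, token and URL in it is a constructed placeholder, not a real or leaked credential. The point it shows is that the consumer secret is the only evidence of "which app" the server ever gets, so a request signed with the leaked official key is indistinguishable from one the official app produced.

```python
"""OAuth 1.0a request signing (RFC 5849, HMAC-SHA1) as Twitter's API used it,
showing why a leaked consumer key/secret lets any client pass as the official
app. Added example; every key, secret and token below is a constructed
placeholder, not a real or leaked Twitter credential."""
import base64
import hashlib
import hmac
import secrets
import time
from urllib.parse import quote, unquote


def pct(value: str) -> str:
    """Percent-encode per RFC 5849 section 3.6 (only unreserved chars pass)."""
    return quote(str(value), safe="-._~")


def signature_base_string(method: str, url: str, params: dict) -> str:
    """Build the base string: METHOD & enc(url) & enc(sorted, encoded params)."""
    pairs = sorted((pct(k), pct(v)) for k, v in params.items())
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), pct(url), pct(normalized)])


def sign(method, url, params, consumer_secret, token_secret=""):
    """HMAC-SHA1 over the base string, keyed by consumer secret & token secret.
    Possession of the consumer secret is the only proof of 'which app' there is."""
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    base = signature_base_string(method, url, params).encode()
    return base64.b64encode(hmac.new(key, base, hashlib.sha1).digest()).decode()


def build_auth_header(method, url, body_params, consumer_key, consumer_secret,
                      token, token_secret, nonce=None, timestamp=None):
    """Client side: produce the Authorization header for a signed request."""
    oauth = {
        "oauth_consumer_key": consumer_key,
        "oauth_nonce": nonce or secrets.token_hex(16),
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_timestamp": str(timestamp or int(time.time())),
        "oauth_token": token,
        "oauth_version": "1.0",
    }
    oauth["oauth_signature"] = sign(method, url, {**body_params, **oauth},
                                    consumer_secret, token_secret)
    return "OAuth " + ", ".join(f'{pct(k)}="{pct(v)}"' for k, v in sorted(oauth.items()))


def verify_request(method, url, body_params, auth_header, consumer_secrets, token_secrets):
    """Server side (what Twitter can check). Returns the consumer key the request
    proved possession of, or None. The server learns nothing about which binary
    produced the signature, only which consumer secret it held."""
    oauth = {}
    for part in auth_header[len("OAuth "):].split(", "):
        k, v = part.split("=", 1)
        oauth[unquote(k)] = unquote(v.strip('"'))
    presented = oauth.pop("oauth_signature", "")
    consumer_secret = consumer_secrets.get(oauth.get("oauth_consumer_key"))
    if consumer_secret is None:
        return None
    token_secret = token_secrets.get(oauth.get("oauth_token"), "")
    expected = sign(method, url, {**body_params, **oauth}, consumer_secret, token_secret)
    ok = hmac.compare_digest(expected.encode(), presented.encode())
    return oauth["oauth_consumer_key"] if ok else None


# Constructed placeholders (assumption): one "official" consumer key/secret
# standing in for a leaked first-party key, and one ordinary third-party key.
OFFICIAL_KEY, OFFICIAL_SECRET = "official-iphone-key", "official-iphone-secret"
THIRD_PARTY_KEY, THIRD_PARTY_SECRET = "falcon-key", "falcon-secret"
CONSUMER_SECRETS = {OFFICIAL_KEY: OFFICIAL_SECRET, THIRD_PARTY_KEY: THIRD_PARTY_SECRET}
TOKEN_SECRETS = {"user1-token": "user1-secret", "user2-token": "user2-secret"}
URL = "https://api.twitter.com/1.1/statuses/update.json"
BODY = {"status": "Hello Ladies + Gentlemen, a signed OAuth request!"}


def impersonation_demo():
    """Four attempts against the server: the real official app, a third-party
    app with its own key, a third-party app that embedded the leaked official
    key, and one that has the key but guessed the secret wrong."""
    def attempt(consumer_key, consumer_secret, token):
        header = build_auth_header("POST", URL, BODY, consumer_key, consumer_secret,
                                   token, TOKEN_SECRETS[token])
        return verify_request("POST", URL, BODY, header, CONSUMER_SECRETS, TOKEN_SECRETS)
    return {
        "official_app": attempt(OFFICIAL_KEY, OFFICIAL_SECRET, "user1-token"),
        "third_party_own_key": attempt(THIRD_PARTY_KEY, THIRD_PARTY_SECRET, "user2-token"),
        "third_party_leaked_key": attempt(OFFICIAL_KEY, OFFICIAL_SECRET, "user2-token"),
        "leaked_key_wrong_secret": attempt(OFFICIAL_KEY, "guess", "user2-token"),
    }


if __name__ == "__main__":
    for client, seen_as in impersonation_demo().items():
        print(f"{client:>24}: server sees consumer key {seen_as!r}")
```

Run it and the third-party client holding the leaked key is reported as exactly the same consumer key as the genuine official app, while the third-party app using its own key is seen as itself and therefore stays subject to the token cap. The only rejection is the client that has the key but not the secret, which is why the leak of the secrets, not merely the public consumer keys, is what matters here.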

Some GitHub users report that the keys are indeed legitimate, having built proof-of-concept applications that use them. It's unclear at this stage what Twitter can do to stop developers from spoofing first-party applications, short of revoking the exposed keys, which would require new keys to be issued and shipped in updates to every official application and would break the versions users currently have installed. Even that would only buy time: a secret embedded in a shipped client binary can be extracted again, so replacement keys would be exposed to the same treatment.

It'll be interesting to see whether any applications will use the revealed keys to admit more users than the token cap allows, especially from developers that have recently hit the limit, such as Joaquim Vergès of Falcon Pro. Use of these keys in any large app would almost certainly start yet another fight between developers and Twitter, one that could end up hurting users more than anyone.
