In a simplified sense, the redirect nullifies a pernicious class of
attack where the source IP address is forged. A redirect cannot be
followed with a false source address. The attacks that remain are
those where the source IP address is valid. You can then imagine other
techniques that can then be applied against valid IP addresses. And so
the problem is divided and ameliorated, but never fully solved.

I'm going to push back for a second with some food for thought for
developers: The API is via HTTP. HTTP is a well defined protocol. 302
redirects are a valid and well worn part of the HTTP protocol.
Consider why applications are not built using fully HTTP compliant
libraries. This doesn't address all the problems that we're all
having, but it does address some.

-John Kalucki
http://twitter.com/jkalucki
Services, Twitter Inc.

On Aug 8, 8:53 am, Kyle Mulka <repalvigla...@yahoo.com> wrote:
> An attacker can just as easily follow a 302 as can a legitimate API
> developer or user of Twitter. I don't understand why Twitter thinks
> this is a solution to the problem. Please stop 302ing.
>
> Thanks,
>
> --
> Kyle Mulka
> http://twilk.com

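As an added illustration of the point made above (this is example code, not anything from Twitter or the thread participants): a minimal "302 gate" in which the redirect Location carries a short-lived HMAC token bound to the requester's source address, so only a client that actually received the response can follow it; the secret, token lifetime and parameter names are assumptions for the demonstration.

```python
"""Redirect gate: first request gets a 302 to the same URL plus a token bound to
the client's source IP and a timestamp; a follow-up carrying a valid token is served.
A request with a forged source address never sees the 302 and so cannot follow it."""
import hmac
import hashlib
import time
from urllib.parse import urlencode, parse_qs, urlsplit

SECRET = b"demo-secret-rotate-me"   # assumption: server-side secret, rotated in practice
TOKEN_TTL = 30                      # assumption: seconds a token stays valid


def _sign(client_ip, ts):
    """HMAC over (source IP, timestamp); binds the token to who can receive replies."""
    msg = "{}|{}".format(client_ip, ts).encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()[:32]


def gate(url, client_ip, now=None):
    """Return (status, location). 200 means serve the request; 302 means redirect first."""
    now = int(time.time()) if now is None else now
    parts = urlsplit(url)
    query = parse_qs(parts.query)
    ts = query.get("_ts", [None])[0]
    tok = query.get("_tok", [None])[0]
    if ts is not None and tok is not None:
        try:
            ts_i = int(ts)
        except ValueError:
            ts_i = -1
        # Constant-time compare; token must match this source IP and be within the window.
        if 0 <= now - ts_i <= TOKEN_TTL and hmac.compare_digest(tok, _sign(client_ip, ts_i)):
            return 200, None
    # No valid token: issue the redirect. Stale/forged token fields are dropped first.
    clean = {k: v[0] for k, v in query.items() if k not in ("_ts", "_tok")}
    clean.update(_ts=str(now), _tok=_sign(client_ip, now))
    return 302, "{}?{}".format(parts.path, urlencode(clean))


def follow(url, client_ip, now=None, max_hops=1):
    """Simulate an HTTP-compliant client that follows the 302. Returns (status, hops)."""
    status, loc = gate(url, client_ip, now)
    hops = 0
    while status == 302 and hops < max_hops:
        url, hops = loc, hops + 1
        status, loc = gate(url, client_ip, now)
    return status, hops
```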