On Tue, 18 Aug 2009 02:52:24 +0530
srikanth reddy <srikanth.yara...@gmail.com> wrote:

> <<
> It's worse than that. You don't even have to intercept the key, just
> use the application itself to obtain tokens for other users' accounts.
> How are they going to tell the difference between their copy of TweetX
> and someone else's in their auth dialogs?>>
> Sorry. I didn't get this. How are you going to obtain tokens for
> *other * users?

It's a social engineering attack.

If the app contains code to authorize new accounts and all the copies
of the app use the same secret key then Twitter will not be able to
tell the difference between a legitimate token request and a spoofed
request. Send out enough requests and eventually a user will approve
your token giving you complete access to their account.

Chris Babcock
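The property Chris describes above, that a provider which authenticates "the app" by a secret shipped in every copy cannot tell one copy from another, can be shown with a small toy request-token endpoint. This is added example code, not from the thread or from Twitter; the consumer key and secret, the endpoint URL, the `Provider` class and the signing helper are constructed assumptions, and the signing is a simplified HMAC-SHA1 in the shape of OAuth 1.0 rather than a full implementation.

```python
import hmac
import hashlib

# Constructed, hypothetical consumer credentials that a provider would issue
# to one registered application. The secret ships inside every copy of the app.
CONSUMER_KEY = "tweetx-demo-key"
CONSUMER_SECRET = "tweetx-demo-secret"
REQUEST_TOKEN_URL = "https://provider.example/oauth/request_token"  # constructed


def sign_request(method, url, params, consumer_secret):
    """Simplified HMAC-SHA1 signature over a canonical request string.

    Mirrors the shape of OAuth 1.0 signing (method, URL, sorted params, key =
    consumer_secret + "&" at the request-token stage) without the percent
    encoding of the real spec; enough to show the authentication property.
    """
    canonical = "&".join(f"{k}={v}" for k, v in sorted(params.items()))
    base = "&".join([method.upper(), url, canonical])
    key = consumer_secret + "&"  # no token secret yet at this stage
    return hmac.new(key.encode(), base.encode(), hashlib.sha1).hexdigest()


class Provider:
    """Toy request-token endpoint that 'authenticates' the app by its secret."""

    def __init__(self, registered):
        self.registered = registered  # consumer_key -> consumer_secret
        self.issued = []              # (consumer_key, token) audit log

    def request_token(self, method, url, params, signature):
        secret = self.registered.get(params.get("oauth_consumer_key"))
        if secret is None:
            return None
        expected = sign_request(method, url, params, secret)
        if not hmac.compare_digest(expected, signature):
            return None
        token = f"reqtok-{len(self.issued) + 1}"
        # The only identity the provider can record is the consumer key.
        self.issued.append((params["oauth_consumer_key"], token))
        return token


def build_request(consumer_key, consumer_secret, nonce):
    """What any holder of the consumer credentials can produce."""
    params = {
        "oauth_consumer_key": consumer_key,
        "oauth_nonce": nonce,
        "oauth_signature_method": "HMAC-SHA1",
    }
    sig = sign_request("POST", REQUEST_TOKEN_URL, params, consumer_secret)
    return params, sig


def demo():
    """Two separate copies of the secret succeed; a wrong secret is rejected.

    Returns (token_from_copy_a, token_from_copy_b, token_with_wrong_secret, log).
    """
    provider = Provider({CONSUMER_KEY: CONSUMER_SECRET})

    # Copy A of the app, run by its rightful user.
    params_a, sig_a = build_request(CONSUMER_KEY, CONSUMER_SECRET, "nonce-a")
    tok_a = provider.request_token("POST", REQUEST_TOKEN_URL, params_a, sig_a)

    # Copy B: the same embedded secret, a different installation. The server
    # sees an identical consumer key and an equally valid signature.
    params_b, sig_b = build_request(CONSUMER_KEY, CONSUMER_SECRET, "nonce-b")
    tok_b = provider.request_token("POST", REQUEST_TOKEN_URL, params_b, sig_b)

    # Without the secret the signature check fails, so the secret does prove
    # "this came from some copy of the registered app", just not which copy.
    params_c, sig_c = build_request(CONSUMER_KEY, "not-the-secret", "nonce-c")
    tok_c = provider.request_token("POST", REQUEST_TOKEN_URL, params_c, sig_c)

    return tok_a, tok_b, tok_c, list(provider.issued)


def distinguishable_in_log(log):
    """True only if the audit log could separate the two successful requests."""
    keys = {consumer_key for consumer_key, _ in log}
    return len(keys) > 1


if __name__ == "__main__":
    a, b, c, log = demo()
    print("copy A token:", a, "| copy B token:", b, "| wrong secret:", c)
    print("log can tell copies apart:", distinguishable_in_log(log))
```

The point of the toy is the audit log: both successful entries carry the same consumer key, so nothing on the provider side attributes a request token to a particular installation. The only remaining control is the user deciding whether to approve the authorization dialog, which is exactly why the thread frames the risk as social engineering rather than key theft.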
