I still didn't get this.
Just to make my question clear:
How are you going to obtain tokens for *other* users using the application
itself?
The worst you can do is use the key/secrets to trap *new* users by building
a brand new app
(with the stolen consumer key/secrets. And new clients have to trust this
app before downloading).
I am just trying to understand why this approach (of getting consumer
secrets/tokens from a server which changes the values periodically) is worse
than storing the keys at the client itself.

<<If the app contains code to authorize new accounts and all the copies
of the app use the same secret key then Twitter will not be able to
tell the difference between a legitimate token request and a spoofed
request>>

Agreed on this part.

<<Send out enough requests and eventually a user will approve
your token giving you complete access to their account>>

This is not clear. Sending what kind of requests? The user will only approve the
requests coming directly from Twitter. But before that Twitter will verify
the app credentials (which will pass as they are stolen ones). But the user
will have to trust this app even before he starts using it (by downloading that
app he shows some level of trust).

Just need clarification on this statement:
"You don't even have to intercept the key, just
use the *application itself* to obtain tokens for other users' accounts"


On Tue, Aug 18, 2009 at 3:08 AM, Chris Babcock <cbabc...@kolonelpanic.org> wrote:

>
> On Tue, 18 Aug 2009 02:52:24 +0530
> srikanth reddy <srikanth.yara...@gmail.com> wrote:
>
> > <<
> > It's worse than that. You don't even have to intercept the key, just
> > use the application itself to obtain tokens for other users' accounts.
> > How are they going to tell the difference between their copy of TweetX
> > and someone else's in their auth dialogs?>>
> >
> > Sorry. I didn't get this. How are you going to obtain tokens for
> > *other* users?
>
> It's a social engineering attack.
>
> If the app contains code to authorize new accounts and all the copies
> of the app use the same secret key then Twitter will not be able to
> tell the difference between a legitimate token request and a spoofed
> request. Send out enough requests and eventually a user will approve
> your token giving you complete access to their account.
>
> Chris Babcock
>
>
>
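The point Chris makes about every copy of the app holding the same secret, as an added example that is not part of this thread and is not Twitter's or any TweetX code: a small OAuth 1.0a HMAC-SHA1 signing and verification routine, with constructed consumer key/secret values (the `tweetx-*` strings, URL and nonces are all assumptions), showing that the provider's check proves only possession of the consumer secret. Two installs that both hold the secret are accepted identically, and a secret fetched from a server and rotated periodically is still accepted for every copy that fetched it; the only thing that changes the outcome is a copy that does not hold the current secret.

```python
import base64
import hashlib
import hmac
from urllib.parse import quote


def percent_encode(value: str) -> str:
    """RFC 3986 percent-encoding as OAuth 1.0a requires: only unreserved characters are kept."""
    return quote(value, safe="-._~")


def signature_base_string(method: str, url: str, params: dict) -> str:
    """Build the OAuth 1.0a signature base string (method & url & sorted, encoded params)."""
    normalized = "&".join(
        f"{percent_encode(k)}={percent_encode(v)}" for k, v in sorted(params.items())
    )
    return "&".join([method.upper(), percent_encode(url), percent_encode(normalized)])


def sign_request(method, url, params, consumer_secret, token_secret=""):
    """HMAC-SHA1 over the base string. The key is consumer_secret&token_secret and
    nothing else, so the signature proves only possession of those two strings."""
    key = f"{percent_encode(consumer_secret)}&{percent_encode(token_secret)}".encode()
    base = signature_base_string(method, url, params).encode()
    return base64.b64encode(hmac.new(key, base, hashlib.sha1).digest()).decode()


def verify_signature(method, url, params, signature, consumer_secret, token_secret=""):
    """What the provider does: recompute with the secret it registered and compare."""
    expected = sign_request(method, url, params, consumer_secret, token_secret)
    return hmac.compare_digest(expected, signature)


# Constructed sample values; these are not real Twitter credentials.
REQUEST_TOKEN_URL = "https://api.twitter.com/oauth/request_token"
SHARED_KEY = "tweetx-consumer-key"        # hypothetical consumer key for "TweetX"
SHARED_SECRET = "tweetx-consumer-secret"  # hypothetical secret baked into every copy


def request_token_params(consumer_key, nonce, timestamp):
    """The oauth_* parameters of a request_token call (oauth_signature is added after signing)."""
    return {
        "oauth_callback": "oob",
        "oauth_consumer_key": consumer_key,
        "oauth_nonce": nonce,
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_timestamp": timestamp,
        "oauth_version": "1.0",
    }


def provider_accepts_both_installs(provider_secret, install_a_secret, install_b_secret):
    """Two separate copies of the app each sign their own request_token call (distinct
    nonces); the provider checks both against the one secret registered for the app.
    Returns (accepted_a, accepted_b). Whenever both copies hold the provider's current
    secret, both are accepted and nothing in the request tells them apart."""
    results = []
    for i, secret in enumerate((install_a_secret, install_b_secret), start=1):
        params = request_token_params(SHARED_KEY, f"constructed-nonce-{i}", "1250542000")
        signature = sign_request("POST", REQUEST_TOKEN_URL, params, secret)
        results.append(verify_signature("POST", REQUEST_TOKEN_URL, params, signature, provider_secret))
    return tuple(results)


if __name__ == "__main__":
    print("same secret in every copy:",
          provider_accepts_both_installs(SHARED_SECRET, SHARED_SECRET, SHARED_SECRET))
    print("rotated secret pushed to every copy:",
          provider_accepts_both_installs("rotated-secret", "rotated-secret", "rotated-secret"))
    print("copy without the current secret:",
          provider_accepts_both_installs(SHARED_SECRET, SHARED_SECRET, "stale-secret"))
```

The design consequence for a downloadable app is that the consumer secret cannot serve as proof of which copy is talking: whatever value the client holds, fetched and rotated or compiled in, is the value every other holder of the same download has. What does change the picture is keeping the secret on a server the developer controls and having that server perform the signing on the client's behalf, so the secret is never inside anything a user downloads.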