> On Aug 19, 10:26 am, Andriy Ivanov <tigrus...@gmail.com> wrote:
> > I've written a desktop app that uses OAuth to communicate with Twitter.
> > All the keys/tokens/PIN I save in a Settings file in my project
> > (.NET). Is it safe to do so, or what is the better approach to save
> > this kind of data? What if all the tokens get into the hands of "evil":
> > they can impersonate the user using the tokens, right? Why won't
> > tokens expire with Twitter? I am new to internet protocols, so any
> > help would be appreciated. Thanks!
> There was some discussion of this at
> http://groups.google.com/group/twitter-development-talk/browse_thread/thread/972b23136fdf9ed8/80d6e999d9dedced?hl=en
>
> An attacker who knows your consumer key and consumer secret can create
> an application that imitates yours. But they can't impersonate a user
> unless they have that user's access token and token secret.

Right, that takes a social engineering exploit to complete. After obtaining the consumer's keys, the malicious user needs to employ them to impersonate your application so that he can trick your legitimate user into authorizing a new token to replace the existing one.

OAuth is written with the implicit understanding that the consumer application lives on a server. In the absence of some scheme for bulk key assignments, distributing your key and secret with the application is the only alternative to running all traffic for your app through your own server.

Chris
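The distinction drawn in the quoted reply (consumer secret versus the user's token secret) comes down to how an OAuth 1.0a request signature is keyed. The block below is an added example, not code from this thread, from Twitter, or from the .NET app being discussed; it is written in Python and implements RFC 5849 HMAC-SHA1 signing plus a minimal server-side verification. The consumer key/secret, access token/secret, endpoint URL, nonce and timestamp are constructed sample values, not real credentials.

```python
import base64
import hashlib
import hmac
import secrets
import time
from urllib.parse import quote


def pct(s):
    """RFC 3986 percent-encoding as required by RFC 5849 3.6 (only A-Z a-z 0-9 - . _ ~ unescaped)."""
    return quote(str(s), safe="")


def base_string(method, url, params):
    """Signature base string (RFC 5849 3.4.1): METHOD & enc(url) & enc(sorted normalized params)."""
    encoded = sorted((pct(k), pct(v)) for k, v in params.items())
    normalized = "&".join(f"{k}={v}" for k, v in encoded)
    return "&".join([method.upper(), pct(url), pct(normalized)])


def sign(method, url, params, consumer_secret, token_secret):
    """HMAC-SHA1 over the base string. The key is BOTH secrets joined by '&'.
    Knowing only consumer_secret is not enough to produce a signature for a user's token."""
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    digest = hmac.new(key, base_string(method, url, params).encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()


def build_request(method, url, query, consumer_key, consumer_secret,
                  token, token_secret, nonce=None, timestamp=None):
    """Client side: produce the oauth_* parameters for an Authorization header."""
    oauth = {
        "oauth_consumer_key": consumer_key,
        "oauth_token": token,
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_timestamp": str(timestamp if timestamp is not None else int(time.time())),
        "oauth_nonce": nonce or secrets.token_hex(8),
        "oauth_version": "1.0",
    }
    oauth["oauth_signature"] = sign(method, url, {**query, **oauth}, consumer_secret, token_secret)
    return oauth


def verify_request(method, url, query, oauth, consumer_db, token_db):
    """Server side: look up both secrets, recompute the signature, compare in constant time.
    consumer_db maps consumer_key -> consumer_secret; token_db maps access token -> record
    binding it to the consumer that obtained it. Nonce/timestamp replay checks are omitted."""
    consumer_secret = consumer_db.get(oauth.get("oauth_consumer_key"))
    record = token_db.get(oauth.get("oauth_token"))
    if consumer_secret is None or record is None:
        return False
    if record["consumer_key"] != oauth.get("oauth_consumer_key"):
        return False  # token was issued to a different application
    params = {**query, **{k: v for k, v in oauth.items() if k != "oauth_signature"}}
    expected = sign(method, url, params, consumer_secret, record["secret"])
    return hmac.compare_digest(expected.encode(), oauth.get("oauth_signature", "").encode())


def demo():
    """Three scenarios from the thread, with constructed (fake) credentials."""
    CONSUMER_KEY, CONSUMER_SECRET = "app-key-123", "app-secret-xyz"
    USER_TOKEN, USER_TOKEN_SECRET = "user-token-456", "user-token-secret-abc"
    consumer_db = {CONSUMER_KEY: CONSUMER_SECRET}
    token_db = {USER_TOKEN: {"consumer_key": CONSUMER_KEY, "secret": USER_TOKEN_SECRET}}
    method, url = "POST", "https://api.twitter.com/1/statuses/update.json"  # sample endpoint
    query = {"status": "hello world"}
    fixed = dict(nonce="6f2e9a0b", timestamp=1282229160)  # pinned so the demo is reproducible

    # 1. the legitimate desktop app, holding all four values
    legit = build_request(method, url, query, CONSUMER_KEY, CONSUMER_SECRET,
                          USER_TOKEN, USER_TOKEN_SECRET, **fixed)
    # 2. attacker extracted consumer key+secret from the shipped binary and knows the user's
    #    (non-secret) token string, but not the token secret, so must guess it
    guess = build_request(method, url, query, CONSUMER_KEY, CONSUMER_SECRET,
                          USER_TOKEN, "wrong-guess", **fixed)
    # 3. attacker copied the Settings file, which holds the token secret as well
    stolen = build_request(method, url, query, CONSUMER_KEY, CONSUMER_SECRET,
                           USER_TOKEN, USER_TOKEN_SECRET, **fixed)
    return {
        "legitimate": verify_request(method, url, query, legit, consumer_db, token_db),
        "consumer_secret_only": verify_request(method, url, query, guess, consumer_db, token_db),
        "stolen_user_token": verify_request(method, url, query, stolen, consumer_db, token_db),
    }


if __name__ == "__main__":
    print(demo())
```

Running `demo()` gives `legitimate` and `stolen_user_token` as `True` and `consumer_secret_only` as `False`: the consumer secret alone lets the attacker sign as the application (for example the request-token step of a phishing flow like the one Chris describes), but not forge a request under an existing user token. The Settings file that holds the access token and its secret is therefore the asset to protect. A real server must also reject reused nonces and stale timestamps, which this check leaves out.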