It would be less work for me to run Charles Proxy and catch the consumer
key/secret in transit than to decompile it and figure out where in the code
it is actually stored when distributed with the app.

Previously with basic auth you could use anybody's source param and spoof
their application. At least with OAuth you have to acquire their consumer
key/secret first.

You guys are all freaking out about this when this is how the internet
works. Just look at email. With a single line of PHP I can send any of you
an email from any email address.*

Abraham

*There are technologies to stop this but very few mail servers use them.
Currently Gmail refuses email from paypal.com unless it is signed by their
key.

On Mon, Jan 18, 2010 at 15:35, M. Edward (Ed) Borasky <zzn...@gmail.com> wrote:

>
>
> On Jan 18, 2:27 pm, Dossy Shiobara <do...@panoptic.com> wrote:
> > Hint: If the data is in RAM at any point in time, your entry-level
> > hacker kiddie can recover the keys in cleartext.
>
> Ayup :-(
>
> >
> > Storing your key on a remote server and fetching it doesn't protect it
> > either.  As long as that key is brought to a machine that an attacker
> > has full control over, it might as well be stored with the app in
> plaintext.
>



-- 
Abraham Williams | Moved to Seattle | May cause email delays
Project | Intersect | http://intersect.labs.poseurtech.com
Hacker | http://abrah.am | http://twitter.com/abraham
This email is: [ ] shareable [x] ask first [ ] private.
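The thread's point is that a consumer secret shipped inside a distributed client cannot be kept from whoever holds the binary, whether it is compiled in or fetched at runtime. The practical consequence for a developer is to catch such secrets before release. The following is an added example, not code from this thread or from any of the people in it: a small pre-release scan over a build artifact that flags printable strings that either carry a credential-style name or look like a bare high-entropy token. The artifact bytes, the key names matched, and the entropy threshold are all constructed assumptions for illustration.

```python
import math
import re

# Constructed sample "build artifact" (assumption for illustration, not a real
# app binary): a few ordinary strings plus two embedded OAuth-style secrets,
# one labelled by name and one unlabelled.
SAMPLE_ARTIFACT = (
    b"\x7fELF\x00\x01\x02"
    b"Usage: client --login\x00"
    b"consumer_key=abc123def456ghi789\x00"
    b"consumer_secret=Zq8vL2nT9xW4bK7yP1sD6hR3mJ5cF0gA\x00"
    b"xK9mQ2pL7vN4bW8cT1yH6sR3dF5gJ0zA\x00"
    b"https://api.example.invalid/oauth/request_token\x00"
    b"Copyright notice, all rights reserved\x00"
)

# Printable ASCII runs of at least 8 bytes, the same idea as strings(1).
STRING_RE = re.compile(rb"[\x20-\x7e]{8,}")

# Hypothetical credential names worth flagging regardless of the value.
KEY_NAME_RE = re.compile(
    r"(consumer_?(key|secret)|client_?secret|api_?key)\s*[=:]\s*(\S+)", re.I
)


def shannon_entropy(s: str) -> float:
    """Bits per character of the string; 32 distinct chars gives 5.0."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def printable_strings(blob: bytes):
    """Extract printable runs from the artifact, decoded as ASCII."""
    return [m.group(0).decode("ascii") for m in STRING_RE.finditer(blob)]


def find_embedded_secrets(blob: bytes, entropy_threshold: float = 4.0,
                          min_token_len: int = 20):
    """Return a list of findings; each is a dict with reason, string, value."""
    findings = []
    for s in printable_strings(blob):
        m = KEY_NAME_RE.search(s)
        if m:
            findings.append({"reason": "named credential",
                             "string": s, "value": m.group(3)})
            continue
        token = s.strip()
        # URLs and paths are common high-entropy false positives; skip them.
        if "://" in token or "/" in token:
            continue
        if (len(token) >= min_token_len and " " not in token
                and shannon_entropy(token) >= entropy_threshold):
            findings.append({"reason": "high-entropy literal",
                             "string": s, "value": token})
    return findings


def release_gate(blob: bytes) -> bool:
    """True when the artifact is clean, False when any finding would block release."""
    return len(find_embedded_secrets(blob)) == 0


if __name__ == "__main__":
    for f in find_embedded_secrets(SAMPLE_ARTIFACT):
        print(f"{f['reason']:>22}: {f['string']}")
    print("release allowed:", release_gate(SAMPLE_ARTIFACT))
```

The named-credential rule catches what a developer wrote deliberately; the entropy rule catches the unlabelled token that a reviewer would otherwise miss. Either finding should block the build, since the thread's argument is that no amount of hiding inside the client changes the outcome once the binary is in someone else's hands.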
