The consumer secret is not public.  The consumer key can be seen in the
query parameters, but the consumer secret is not a query parameter.  It
would have to be reverse engineered using the signature.

If Twitter determines that a specific application is malware, I would only
hope that they would blacklist the app.

Ryan


On Jan 18, 2010 10:45 PM, "Marc Mims" <marc.m...@gmail.com> wrote:

* Isaiah Carew <isa...@me.com> [100118 19:02]:

> If every person that uses an app accesses the API with their own personal
app credentials that wou...
Hopefully Twitter suspends user accounts, not application access, when
malicious activity is detected.  Otherwise, all desktop apps, whether
closed or open source, are vulnerable.

It isn't difficult to extract the consumer key and secret from any
desktop application that ships with them and use them in malicious code.

Registering a consumer key/secret for every instance of a desktop
application seems like an unreasonable requirement to place on users.
So, I agree that isn't the solution.  I certainly want to see the user
count on my OAuth apps page for the desktop apps I release.  Per-user
consumer keys not only prevent Twitter from application tracking, they
also prevent the application developer from tracking it as well.

Consider the consumer key and secret public for desktop apps.  They are.

       -Marc

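The exchange above turns on what the consumer secret actually does in OAuth 1.0a: it is never sent, it is one half of the HMAC key that signs each request, so the request only ever carries the consumer key and the resulting signature. The following is an added example, not code from this thread or from Twitter's or any participant's software. It implements RFC 5849 HMAC-SHA1 signing (section 3.4) and uses the request and the secrets from the RFC's own worked example (sections 3.4.1.1 and 3.4.2); the function names and the "legitimate app" / "attacker" roles are illustrative. It shows that a party holding the key and secret pulled out of a shipped binary produces signatures indistinguishable from the real application's, while a party holding only the visible consumer key does not.

```python
"""OAuth 1.0a HMAC-SHA1 request signing (RFC 5849 section 3.4).

Added example, not code from the mailing-list thread. Request parameters
and credentials are the constructed values from the RFC 5849 worked
example; function names and the attacker roles are this example's own.
"""
import base64
import hashlib
import hmac
from urllib.parse import quote

# Constructed credentials (RFC 5849 worked example values).
CONSUMER_KEY = "9djdj82h48djs9d2"
CONSUMER_SECRET = "j49sk3j29djd"   # shipped inside the desktop app binary
TOKEN = "kkk9d7dh3k39sjv7"
TOKEN_SECRET = "dh893hdasih9"      # per-user, issued when the user authorizes


def percent_encode(s):
    # RFC 5849 3.6: only ALPHA, DIGIT, '-', '.', '_' and '~' stay unencoded.
    return quote(s, safe="-._~")


def normalize_params(params):
    """params: (name, value) pairs from query, body and oauth_* (excluding
    oauth_signature). Encode, sort by name then value, join with '&'."""
    encoded = sorted((percent_encode(k), percent_encode(v)) for k, v in params)
    return "&".join(f"{k}={v}" for k, v in encoded)


def signature_base_string(method, base_url, params):
    return "&".join([method.upper(), percent_encode(base_url),
                     percent_encode(normalize_params(params))])


def hmac_sha1_signature(base_string, consumer_secret, token_secret=""):
    # The consumer secret is only ever used here, as part of the HMAC key.
    key = f"{percent_encode(consumer_secret)}&{percent_encode(token_secret)}"
    mac = hmac.new(key.encode(), base_string.encode(), hashlib.sha1).digest()
    return base64.b64encode(mac).decode()


def sign_request(method, base_url, request_params, oauth_params,
                 consumer_secret, token_secret=""):
    """Return the oauth_* parameters the client puts on the wire."""
    base = signature_base_string(method, base_url,
                                 request_params + list(oauth_params.items()))
    signed = dict(oauth_params)
    signed["oauth_signature"] = hmac_sha1_signature(base, consumer_secret,
                                                    token_secret)
    return signed


# Constructed request: the RFC 5849 section 3.4.1.1 example.
METHOD = "POST"
BASE_URL = "http://example.com/request"
REQUEST_PARAMS = [("b5", "=%3D"), ("a3", "a"), ("c@", ""), ("a2", "r b"),  # query
                  ("c2", ""), ("a3", "2 q")]                               # body
OAUTH_PARAMS = {
    "oauth_consumer_key": CONSUMER_KEY,
    "oauth_token": TOKEN,
    "oauth_signature_method": "HMAC-SHA1",
    "oauth_timestamp": "137131201",
    "oauth_nonce": "7d8f3e4a",
}


def legitimate_app():
    return sign_request(METHOD, BASE_URL, REQUEST_PARAMS, OAUTH_PARAMS,
                        CONSUMER_SECRET, TOKEN_SECRET)


def attacker_with_extracted_secret():
    # Key and secret lifted from the binary: same MAC as the real app.
    return sign_request(METHOD, BASE_URL, REQUEST_PARAMS, OAUTH_PARAMS,
                        CONSUMER_SECRET, TOKEN_SECRET)


def attacker_with_key_only():
    # The key is visible in every request; guessing the secret fails.
    return sign_request(METHOD, BASE_URL, REQUEST_PARAMS, OAUTH_PARAMS,
                        "guessed-secret", TOKEN_SECRET)


def server_verifies(received):
    """Provider side: recompute the MAC from the request and the provider's
    own copy of the secrets, compare in constant time."""
    params = REQUEST_PARAMS + [(k, v) for k, v in received.items()
                               if k != "oauth_signature"]
    expected = hmac_sha1_signature(
        signature_base_string(METHOD, BASE_URL, params),
        CONSUMER_SECRET, TOKEN_SECRET)
    return hmac.compare_digest(expected, received["oauth_signature"])


if __name__ == "__main__":
    header = ", ".join(f'{k}="{percent_encode(v)}"'
                       for k, v in legitimate_app().items())
    print("Authorization: OAuth " + header)  # no consumer secret in here
```

Note that `server_verifies` accepts the extracted-secret attacker's request exactly as it accepts the real application's; the provider has no cryptographic way to tell them apart, which is the point Marc makes about treating desktop consumer credentials as public.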