Abraham,

Twitter will have to do something to combat application impersonation.

Let's say your app is MyAppName and your URL is http://www.myappname.com.

Currently, anyone can register an app MyApppName or MyAppnName and
give http://www.myappname.com as the URL for the app, with zero
verification. They can do all kinds of naughty things, and your app is
going to take the blame for it in most users' minds.

On Jan 31, 3:19 pm, Abraham Williams <4bra...@gmail.com> wrote:
> I would like to point out the official Flickr Uploadr application that is
> OAuth and open source. If you download it as a user [1] it includes their
> official API keys but if you download it as a developer [2] you implement
> your own API keys.
>
> Ironically all of these massive threads talking about impersonating
> applications are probably just making more crackers aware that they can do
> this. :-/
>
> Abraham
>
> [1]http://www.flickr.com/tools/uploadr/
> [2]http://code.flickr.com/trac/browser/trunk/uploadr/README.osx#L76
>
>
>
> On Sun, Jan 31, 2010 at 10:06, Josh Roesslein <jroessl...@gmail.com> wrote:
> > That's not all that secure, eventually it will be loaded into memory
> > and can be found by any hacker with some patience. As soon as you
> > distribute any sort of data it is no longer private. Your average
> > Joe might not be able to find it, but any skilled hacker will. And
> > after all the average Joe does not care anyways about OAuth tokens
> > ("what's oauth?"), but hackers do. So you're kind of blocking the
> > wrong person, it's the hacker you want to stop.
>
> > Josh
>
> > On Sun, Jan 31, 2010 at 2:28 AM,  <scott.a.herb...@googlemail.com> wrote:
> > > I 100% agree.
>
> > > But another idea just struck me, why not put the OAuth part of your app
> > > in a DLL (at least the authentication and communication with twitter part)
> > > and hard code it there.
>
> > > You lose some of the open source nature of the app but it will be secure.
>
> > > Sent using BlackBerry® from Orange
>
> > > -----Original Message-----
> > > From: Cameron Kaiser <spec...@floodgap.com>
> > > Date: Sat, 30 Jan 2010 23:02:18
> > > To: <twitter-development-talk@googlegroups.com>
> > > Subject: Re: [twitter-dev] Re: a security problem puzzled me about using
> > > oauth in Desktop Client
>
> > >> OAuth as-is just wasn't designed for desktop apps, period. Square peg,
> > >> round hole. If Twitter is insisting on it, I'd rather this was
> > >> portrayed as a trade-off for increased user security, than a solvable
> > >> problem -- I don't think it is.
>
> > > +1
>
> > > --
> > > ------------------------------------ personal: http://www.cameronkaiser.com/ --
> > >   Cameron Kaiser * Floodgap Systems * www.floodgap.com * ckai...@floodgap.com
> > > -- "I'd love to go out with you, but I'm in perpetual denial." ----------------
>
> --
> Abraham Williams | Community Advocate | http://abrah.am
> Project | Out Loud | http://outloud.labs.poseurtech.com
> This email is: [ ] shareable [x] ask first [ ] private.
> Sent from Seattle, WA, United States
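The impersonation problem raised at the top of this message (a registration named MyApppName or MyAppnName pointing at http://www.myappname.com, with no verification) is the kind of thing a platform can catch at registration time. The following is an added example, not code from this thread and not Twitter's registry logic: a platform-side check that flags a new app whose display name is within a small edit distance of an existing app held by a different owner, or whose site URL collides with that owner's registered site. The `AppRecord` type, the `REGISTRY` contents and the owner names are constructed for the example.

```python
"""Lookalike-app detection for an OAuth application registry.

Added example (not from the mailing-list thread, not Twitter's code).
A registry operator runs find_impersonation_conflicts() on every new
registration and holds it for review when it collides with an app that
belongs to someone else. All records below are constructed sample data.
"""
from dataclasses import dataclass
from urllib.parse import urlparse


@dataclass(frozen=True)
class AppRecord:
    name: str   # display name shown to users on the OAuth approval page
    url: str    # site URL the developer supplied at registration
    owner: str  # account that registered the app (constructed identifier)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance (insert/delete/substitute), case-insensitive.

    One extra or swapped letter in a name costs 1, so MyApppName and
    MyAppnName are both distance 1 from MyAppName.
    """
    a, b = a.lower(), b.lower()
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,          # delete ca
                           cur[j - 1] + 1,       # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def registrable_host(url: str) -> str:
    """Hostname with a leading 'www.' stripped, lower-cased for comparison."""
    host = (urlparse(url).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host


def find_impersonation_conflicts(candidate: AppRecord, registry, max_distance=2):
    """Return [(existing_app, reasons)] for apps the candidate collides with.

    reasons is a tuple drawn from:
      "same-site"       candidate's URL resolves to another owner's site
      "lookalike-name"  candidate's name is within max_distance of theirs
    Apps owned by the same account are never conflicts (a developer may
    register several clients against one site).
    """
    conflicts = []
    cand_host = registrable_host(candidate.url)
    for existing in registry:
        if existing.owner == candidate.owner:
            continue
        reasons = []
        if cand_host and registrable_host(existing.url) == cand_host:
            reasons.append("same-site")
        if edit_distance(candidate.name, existing.name) <= max_distance:
            reasons.append("lookalike-name")
        if reasons:
            conflicts.append((existing, tuple(reasons)))
    return conflicts


# Constructed registry: one legitimate app and one unrelated app.
REGISTRY = [
    AppRecord("MyAppName", "http://www.myappname.com", "alice"),
    AppRecord("Other Thing", "http://other.example", "bob"),
]


if __name__ == "__main__":
    # The scenario from the thread: a near-duplicate name on the same URL.
    attempt = AppRecord("MyApppName", "http://www.myappname.com", "mallory")
    for app, why in find_impersonation_conflicts(attempt, REGISTRY):
        print(f"hold registration: collides with {app.name!r} ({app.owner}): {why}")
```

The two signals are reported separately because they call for different responses: a lookalike name alone warrants a reviewer's eye, while a URL collision with another owner's site is best resolved by asking the registrant to prove control of that domain before the app goes live.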
