In muddling through a local implementation of an OAuth client this
morning I stumbled upon an oddity in the Twitter OAuth process: even
if the signature is invalid, the Twitter API will return an access
token and an access secret. It's unclear if this is by design
(although it seems unlikely), but other OAuth service providers such
as Google do require correct authentication in this case.

Here's the issue in a nutshell:
http://gist.github.com/300146

And here's an interactive example demonstrating the issue:
http://gist.github.com/300511

(I should note that even if I'm right and this is an actual
vulnerability in the Twitter API, subsequent and real requests to the
Twitter API still require the consumer secret to be signed correctly.)
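To make concrete what a provider is supposed to check at the access-token step, here is an added example (not code from the post, the gists, or Twitter) of OAuth 1.0a HMAC-SHA1 signing per RFC 5849 together with a provider-side endpoint that verifies the signature before handing out a token. The consumer key/secret, request token, verifier, access token and the `https://provider.example/oauth/access_token` URL are constructed sample values; the base-string check reproduces the worked example in RFC 5849 section 3.4.1.1. The `strict=False` switch models the behaviour described above, where a provider returns the access token even though the signature does not verify; timestamp and nonce replay checks are omitted for brevity.

```python
"""OAuth 1.0a HMAC-SHA1 signing and provider-side verification (RFC 5849).

Added example; not code from the original post or from Twitter. Every
secret, token, URL and the provider's token store below is a constructed
sample value."""
import base64
import hashlib
import hmac
from urllib.parse import quote


def pct(s: str) -> str:
    """RFC 5849 section 3.6 percent-encoding: only unreserved chars stay bare."""
    return quote(s, safe="-._~")


def base_string(method: str, base_url: str, params) -> str:
    """Signature base string (RFC 5849 3.4.1). `params` is a list of decoded
    (name, value) pairs gathered from the Authorization header, query string
    and form body; oauth_signature and realm are never part of it."""
    pairs = sorted((pct(k), pct(v)) for k, v in params
                   if k not in ("oauth_signature", "realm"))
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), pct(base_url), pct(normalized)])


def hmac_sha1_signature(method, base_url, params, consumer_secret, token_secret=""):
    """Key is enc(consumer_secret) '&' enc(token_secret); result is base64."""
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    digest = hmac.new(key, base_string(method, base_url, params).encode(),
                      hashlib.sha1).digest()
    return base64.b64encode(digest).decode()


def check_against_rfc_example() -> bool:
    """Reproduce the base string worked in RFC 5849 section 3.4.1.1."""
    params = [("b5", "=%3D"), ("a3", "a"), ("c@", ""), ("a2", "r b"),
              ("oauth_consumer_key", "9djdj82h48djs9d2"),
              ("oauth_token", "kkk9d7dh3k39sjv7"),
              ("oauth_signature_method", "HMAC-SHA1"),
              ("oauth_timestamp", "137131201"), ("oauth_nonce", "7d8f3e4a"),
              ("c2", ""), ("a3", "2 q")]
    expected = ("POST&http%3A%2F%2Fexample.com%2Frequest&a2%3Dr%2520b%26a3%3D2%2520q"
                "%26a3%3Da%26b5%3D%253D%25253D%26c%2540%3D%26c2%3D%26oauth_consumer_key"
                "%3D9djdj82h48djs9d2%26oauth_nonce%3D7d8f3e4a%26oauth_signature_method"
                "%3DHMAC-SHA1%26oauth_timestamp%3D137131201%26oauth_token%3Dkkk9d7dh3k39sjv7")
    return base_string("POST", "http://example.com/request", params) == expected


# --- Hypothetical provider state (constructed sample values) ---------------
ACCESS_URL = "https://provider.example/oauth/access_token"
CONSUMERS = {"dpf43f3p2l4k3l03": "kd94hf93k423kf44"}          # key -> secret
REQUEST_TOKENS = {"hh5s93j4hdidpola": {"secret": "hdhd0244k9j7ao03",
                                        "verifier": "hfdp7dh39dks9884"}}


def access_token_endpoint(method, url, params, strict=True):
    """Provider side of the access-token exchange. Returns (status, body).
    strict=False models a provider that issues the token despite a bad signature."""
    p = dict(params)
    consumer_secret = CONSUMERS.get(p.get("oauth_consumer_key", ""))
    req = REQUEST_TOKENS.get(p.get("oauth_token", ""))
    if consumer_secret is None or req is None:
        return 401, "unknown consumer key or request token"
    if not hmac.compare_digest(req["verifier"].encode(),
                               p.get("oauth_verifier", "").encode()):
        return 401, "bad oauth_verifier"
    expected = hmac_sha1_signature(method, url, params, consumer_secret, req["secret"])
    sig_ok = hmac.compare_digest(expected.encode(),
                                 p.get("oauth_signature", "").encode())
    if strict and not sig_ok:
        return 401, "invalid signature"
    # (A real provider would also reject stale timestamps and reused nonces.)
    return 200, "oauth_token=nnch734d00sl2jdk&oauth_token_secret=pfkkdhi9sl3r4s00"


def build_access_token_request(wrong_consumer_secret=False):
    """Client side: sign the exchange with the right or a wrong consumer secret."""
    params = [("oauth_consumer_key", "dpf43f3p2l4k3l03"),
              ("oauth_token", "hh5s93j4hdidpola"),
              ("oauth_verifier", "hfdp7dh39dks9884"),
              ("oauth_signature_method", "HMAC-SHA1"),
              ("oauth_timestamp", "1272323047"), ("oauth_nonce", "wIjqoS"),
              ("oauth_version", "1.0")]
    secret = "not-the-real-secret" if wrong_consumer_secret else "kd94hf93k423kf44"
    sig = hmac_sha1_signature("POST", ACCESS_URL, params, secret, "hdhd0244k9j7ao03")
    return "POST", ACCESS_URL, params + [("oauth_signature", sig)]


if __name__ == "__main__":
    print("RFC example base string reproduced:", check_against_rfc_example())
    print("good signature, strict: ", access_token_endpoint(*build_access_token_request()))
    bad = build_access_token_request(wrong_consumer_secret=True)
    print("bad signature, strict:  ", access_token_endpoint(*bad))
    print("bad signature, lenient: ", access_token_endpoint(*bad, strict=False))
```

The lenient branch is the interesting one: a consumer that never knew the consumer secret still walks away with a valid access token and secret, which is exactly why a provider must fail closed on signature mismatch at every OAuth endpoint, not only on the later resource requests.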
