Yes, and your application's consumer secret ends with the following
characters: jOU

I obviously know the entire string and have the good sense not to
reveal it here.  The point is, it's trivially easy for me or anybody
else to unzip your "packaged download" and get your secret. You didn't
need to send it to me.  I can now start spoofing your chrome extension
in my Twitter client.  I can use your secret to spam the crap out of
people, and the folks at Twitter will eventually revoke the key,
rendering your chrome extension useless to your users.

Don't feel bad; it takes even less skill to get the consumer secret
for the Twitter client that I wrote. It's not even zipped. Download it
and grep the source if you want to... you can spoof me, too!

OAuth is not just broken for open source apps; it's broken for any app
that resides on a client's computer... it's just slightly worse for
open source applications because we have to go through the extra
effort of not sharing our secrets along with the source code, if only
to pretend that it's somehow making the secret "safer."  It's not.  If
you embed a secret into an application that lives on someone else's
PC, that secret will be uncovered eventually if it's worth the effort.

.mike
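To make the "unzip and grep" point concrete, here is an added example (not code from this thread, from Abraham's omnitweet project, or from Twitter). It builds a constructed packaged extension in memory, with a made-up consumer key and secret in a made-up script path, wraps it in a .crx container, and then pulls the credentials back out exactly the way anyone holding the download could. The CRX header layout follows the published format (magic "Cr24", version, then either key/signature lengths for v2 or a header length for v3); the regex, file names and credential values are assumptions for the demo.

```python
"""Pull an embedded OAuth consumer key/secret out of a packaged Chrome extension.

Added example, not from the mailing-list thread or the omnitweet project: the
package is constructed in memory and every name and credential value is made up.
"""
import io
import math
import re
import zipfile

# Constructed extension source with an OAuth 1.0a consumer key/secret baked in.
SAMPLE_JS = b"""
var twitter = new OAuth({
  consumerKey: 'p7XnZxFA0Y2kC3b8Qj9ssg',
  consumerSecret: 'K0x3s1L9mVqtu2jRnwhgb5fdc7EGzyaF6HTeBWpxNqQ8',
  requestTokenUrl: 'https://api.twitter.com/oauth/request_token'
});
"""

# camelCase or snake_case assignment of a consumer key/secret to a quoted literal.
CREDENTIAL_RE = re.compile(
    rb"""(?P<field>(?:oauth_)?consumer[_\s-]?(?:key|secret))"""
    rb"""\s*[:=]\s*["'](?P<value>[A-Za-z0-9_\-]{16,})["']""",
    re.IGNORECASE,
)


def build_sample_zip() -> bytes:
    """Constructed 'packaged download': a manifest plus one script holding the secret."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("manifest.json", b'{"name": "sample-client", "version": "1.0"}')
        zf.writestr("js/oauth_setup.js", SAMPLE_JS)
    return buf.getvalue()


def build_sample_crx2(zip_bytes: bytes) -> bytes:
    """Wrap a zip in a CRX2 container: 'Cr24', version 2, key len, sig len, key, sig, zip.
    The key and signature are dummy bytes; only the layout matters here."""
    pubkey, sig = b"\x30" * 162, b"\x00" * 128
    header = b"Cr24" + (2).to_bytes(4, "little")
    header += len(pubkey).to_bytes(4, "little") + len(sig).to_bytes(4, "little")
    return header + pubkey + sig + zip_bytes


def unwrap_crx(blob: bytes) -> bytes:
    """Return the zip payload of a .crx (version 2 or 3); pass plain zips through."""
    if blob[:4] != b"Cr24":
        return blob
    version = int.from_bytes(blob[4:8], "little")
    if version == 2:
        key_len = int.from_bytes(blob[8:12], "little")
        sig_len = int.from_bytes(blob[12:16], "little")
        return blob[16 + key_len + sig_len:]
    if version == 3:
        header_len = int.from_bytes(blob[8:12], "little")
        return blob[12 + header_len:]
    raise ValueError(f"unsupported CRX version {version}")


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; generated secrets sit well above prose or identifiers."""
    n = len(data)
    counts = {b: data.count(b) for b in set(data)}
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def redact(value: str, keep: int = 3) -> str:
    """Show only the tail, as the post does, so a report does not leak the secret."""
    return "*" * (len(value) - keep) + value[-keep:]


def find_credentials(package: bytes) -> list[dict]:
    """Unzip and grep every text-like file for embedded consumer credentials."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(unwrap_crx(package))) as zf:
        for name in zf.namelist():
            if not name.lower().endswith((".js", ".json", ".html", ".txt")):
                continue
            for m in CREDENTIAL_RE.finditer(zf.read(name)):
                value = m.group("value")
                hits.append({
                    "file": name,
                    "field": m.group("field").decode(),
                    "value": value.decode(),
                    "entropy": round(shannon_entropy(value), 2),
                })
    return sorted(hits, key=lambda h: h["field"])


if __name__ == "__main__":
    for hit in find_credentials(build_sample_crx2(build_sample_zip())):
        print(f"{hit['file']}: {hit['field']} = {redact(hit['value'])} "
              f"(entropy {hit['entropy']} bits/char)")
```

The entropy column is there for the case the regex misses: a secret renamed to something innocuous still shows up as a long, high-entropy string literal, so a second pass over all quoted literals above a threshold catches obfuscated-by-naming variants. Note that nothing here defeats any protection, because there is none to defeat; the script is a grep with a container parser in front of it.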

On Sep 1, 7:08 pm, Abraham Williams <4bra...@gmail.com> wrote:
> I have an open source Twitter client for Google Chrome and this is how I
> distribute it.
>
> The source is available with no API key. If developers wish to play with the
> source they must register their own OAuth application.
>
> http://github.com/abraham/omnitweet
>
> For users there is a packaged download that includes an API key. They just
> install the extension and off they go.
>
> http://github.com/abraham/omnitweet/downloads
>
> Abraham
> -------------
> Abraham Williams | Hacker Advocate | http://abrah.am
> @abraham | http://projects.abrah.am | http://blog.abrah.am
> This email is: [ ] shareable [x] ask first [ ] private.
>
>
>
> On Wed, Sep 1, 2010 at 15:58, John Meyer <john.l.me...@gmail.com> wrote:
> > On 8/19/2010 11:50 AM, briandunnington wrote:
>
> >> as Julio stated above, the official response from Taylor (in another
> >> thread) was that this solution will *not* be rolled out. there is
> >> currently no other alternative being offered.
>
> >> and just to repeat what has already been said a few times in this
> >> thread - this is not just a problem with open source apps. any app
> >> that is distributed (ie: not running on your own web server) has this
> >> problem. i read on Daring Fireball the other day about a new Twitter
> >> app called Hibari, so i downloaded it and got the consumer key and
> >> secret within a couple of minutes. other apps are just as susceptible
> >> - any time the user has the code, the secret must be considered
> >> insecure.
>
> > And that assumes that you distribute the consumerkey and consumersecret
> > with the app.  Nothing about Open Source requires this.  You could just as
> > easily just distribute the source and require that users obtain their own
> > ConsumerKey combos.
>

-- 
Twitter developer documentation and resources: http://dev.twitter.com/doc
API updates via Twitter: http://twitter.com/twitterapi
Issues/Enhancements Tracker: http://code.google.com/p/twitter-api/issues/list
Change your membership to this group: 
http://groups.google.com/group/twitter-development-talk?hl=en
