On 9/1/2010 6:03 PM, Mike Desjardins wrote:

Yes, and your application's consumer secret ends with the following
characters: jOU

I obviously know the entire string and have the good sense not to
reveal it here.  The point is, it's trivially easy for me or anybody
else to unzip your "packaged download" and get your secret. You didn't
need to send it to me.  I can now start spoofing your chrome extension
in my Twitter client.  I can use your secret to spam the crap out of
people, and the folks at Twitter will eventually revoke the key,
rendering your chrome extension useless to your users.
And rendering the key useless to the spammer. Besides, if I'm a spammer, what makes more sense to me: hijacking consumer key combos one by one and spamming them to the point of cancellation, or developing a way to get hundreds of my own keys to do the spamming (again, ignoring the fact that you need user tokens to spam along with those "stolen" consumer key combos)? That is, unless you assume that spammers are doing it just to screw with programmers and not to make a profit. Is OAuth absolutely safe? No, of course not. No computer, outside of the one locked in a building with no internet connections, outside power sources, or walls, is safe. But OAuth is definitely safer, at least from the point of view of the user, who only has to worry about shutting off a single app as opposed to changing their password.

--
Twitter developer documentation and resources: http://dev.twitter.com/doc
API updates via Twitter: http://twitter.com/twitterapi
Issues/Enhancements Tracker: http://code.google.com/p/twitter-api/issues/list
Change your membership to this group: 
http://groups.google.com/group/twitter-development-talk?hl=en
