Twitter OAuth API Keys Leaked

Posted: 09/03/2013 in Uncategorized

The OAuth keys and secrets that official Twitter applications use to access users’ Twitter accounts have been leaked in a post to Github this morning.

The consumer keys and secrets, which function for an application much as a username and password do for a user, were posted for Twitter for iPhone, Android, iPad, Mac, Windows Phone and TweetDeck. In OAuth the consumer key identifies the application and the consumer secret is used to sign its API requests, so any unapproved third-party application that holds these values can now present itself to Twitter as one of the official apps and circumvent whatever access control measures Twitter has in place for unofficial apps.

“In OAuth, the consumer keys identify your application (e.g. if you had a third-party Twitter client like HootSuite). Therefore, the impact is that someone can take your app’s consumer key and use the OAuth API pretending to be your application (e.g. I can make API calls pretending to be the HootSuite application),” said Jon Oberheide, CTO and cofounder of Duo Security, a hosted two-factor authentication service for mobile devices. Oberheide downplayed the security implications of the leak, adding that there could be indirect risks that are specific to a particular application or service.
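To make the quoted point concrete, here is an added example (not code from the original post, from Twitter or from Duo Security) of how an OAuth 1.0a request is signed with the consumer secret and why the API server cannot tell an official client from any other program holding the same key pair. Every credential, the user token, the nonce and timestamp, and the registered app name are constructed placeholders, not the leaked values; the endpoint URL is used only as a string and nothing is sent over the network; all function names are this example's own.

```python
import base64
import hashlib
import hmac
import urllib.parse

# Constructed placeholder credentials for this example. They are not the leaked
# Twitter values; the point is that the strings themselves are all an impostor needs.
CONSUMER_KEY = "ExampleOfficialClientKey"
CONSUMER_SECRET = "ExampleOfficialClientSecret"
URL = "https://api.twitter.com/1.1/statuses/update.json"  # used as a string only, never contacted

# Server-side state (constructed): registered apps and issued user access tokens.
REGISTERED_APPS = {CONSUMER_KEY: ("Official client (placeholder)", CONSUMER_SECRET)}
ACCESS_TOKENS = {"placeholder-user-token": "placeholder-user-token-secret"}


def pct(s):
    """RFC 3986 percent-encoding as required by RFC 5849 section 3.6."""
    return urllib.parse.quote(str(s), safe="-._~")


def base_string(method, url, params):
    """Signature base string (RFC 5849 section 3.4.1).

    `params` holds every oauth_* parameter except oauth_signature plus the form
    body; query-string parameters are taken from `url`. A dict cannot carry
    repeated keys, which the full spec allows; that is enough for this demo.
    """
    parts = urllib.parse.urlsplit(url)
    base_url = f"{parts.scheme.lower()}://{parts.netloc.lower()}{parts.path}"
    pairs = list(params.items()) + urllib.parse.parse_qsl(parts.query, keep_blank_values=True)
    normalized = "&".join(f"{k}={v}" for k, v in sorted((pct(k), pct(v)) for k, v in pairs))
    return "&".join([method.upper(), pct(base_url), pct(normalized)])


def sign(method, url, params, consumer_secret, token_secret=""):
    """HMAC-SHA1 signature (RFC 5849 section 3.4.2).

    The key is consumer_secret&token_secret: the consumer secret is the only
    thing that ties a request to a particular application.
    """
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    mac = hmac.new(key, base_string(method, url, params).encode(), hashlib.sha1)
    return base64.b64encode(mac.digest()).decode()


def build_request(consumer_key, consumer_secret, token, token_secret, nonce, timestamp):
    """Return the parameter set a client sends (Authorization header plus form body)."""
    params = {
        "oauth_consumer_key": consumer_key,
        "oauth_nonce": nonce,
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_timestamp": timestamp,
        "oauth_token": token,
        "oauth_version": "1.0",
        "status": "hello world",
    }
    params["oauth_signature"] = sign("POST", URL, params, consumer_secret, token_secret)
    return params


def server_verify(method, url, params):
    """What the API does: recompute the signature from the secrets it has on file.

    Returns the registered application name the request is attributed to, or
    None when the consumer key, token or signature does not check out.
    """
    app = REGISTERED_APPS.get(params.get("oauth_consumer_key"))
    token_secret = ACCESS_TOKENS.get(params.get("oauth_token"))
    if app is None or token_secret is None:
        return None
    app_name, consumer_secret = app
    unsigned = {k: v for k, v in params.items() if k != "oauth_signature"}
    expected = sign(method, url, unsigned, consumer_secret, token_secret)
    if not hmac.compare_digest(expected, params.get("oauth_signature", "")):
        return None
    return app_name


def demo():
    """Official client vs. an unofficial client holding the leaked key pair."""
    token, token_secret = "placeholder-user-token", "placeholder-user-token-secret"
    nonce, ts = "n0nce", "1362844800"  # constructed; a real client randomizes these

    official = build_request(CONSUMER_KEY, CONSUMER_SECRET, token, token_secret, nonce, ts)

    # The impostor's only application-level input is the pair copied from the paste.
    leaked_key, leaked_secret = CONSUMER_KEY, CONSUMER_SECRET
    impostor = build_request(leaked_key, leaked_secret, token, token_secret, nonce, ts)

    # A client that knows the key but guesses the secret is rejected.
    guesser = build_request(CONSUMER_KEY, "wrong-secret", token, token_secret, nonce, ts)

    return {
        "same_signature": official["oauth_signature"] == impostor["oauth_signature"],
        "official_seen_as": server_verify("POST", URL, official),
        "impostor_seen_as": server_verify("POST", URL, impostor),
        "guesser_seen_as": server_verify("POST", URL, guesser),
    }


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the official client and the impostor producing byte-identical signatures and both being attributed to the same registered application, while a client that only knows the consumer key is rejected. The check keys entirely on the secret, which is why a consumer secret embedded in a shipped desktop or mobile binary can only ever be an app label, not proof of which software sent the request, and why rotating it means shipping new client builds.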
