Feeds

Leaked: The 'secret OAuth app keys' to Twitter's VIP lounge

Rogue apps could pose as micro-blogging site's Very Important Programs

Maximizing your infrastructure through virtualization

Twitter's private OAuth login keys, used by the website's official applications to get preferential treatment from the micro-blogging site, have apparently been leaked. The secret credentials could now allow any software to masquerade as an approved Twitter client.

A set of key pairs uploaded to Github are supposedly used by Twitter for iPhone, Android, iPad, Mac OS X and Windows Phone, Twitter for Google TV, and TweetDeck. Once authenticated, these programs get access to features unavailable to clients that don't have Twitter's approval. But they need to store the keys somewhere on the user's computer or gadget, and it appears someone has found them.

The keys were first posted on the GitHub website five months ago, but were updated within the past day; GitHubbers claim the data is genuine.

So now unapproved apps could send this information to Twitter to impersonate the legitimate clients, circumventing access controls and blocks Twitter imposes on unofficial third-party software, Kaspersky Lab's news service Threatpost noted.

The micro-blogging site can create new keys and secrets for its apps, roll out updated versions of its software with the new login data, and only accept the new credentials - however, that'll break access to anyone who hasn't upgraded.

But before that happens, anyone can, in theory, write any old code that presents itself as an official app to Twitter and thus enjoy all the services available exclusively to the website's own gear, if the leak is genuine.

Twitter has used OAuth to authenticate approved third-party apps such as TweetDeck and others since August 2010. Facebook also uses the technology.

OAuth offers users the ability to sign into Twitter from software clients without having to faff around with usernames and passwords: third-party apps don't store the user's login credentials and their access can be revoked.

But the technology is not without its problems. For example, when Twitter detected a breach last month, and advised 250,000 early adopters of the micro-blogging service to change their passwords, the use of OAuth meant it was still possible for authenticated Twitter clients to post tweets without prompting user for their new password. In effect, Twitter for iPhone, Android, TweetDeck and the rest effectively stayed signed-in.

In the case of this week's Github post, the keys will need to be revoked and new credentials issued in order to resolve the problem - an effort that may just push Twitter into axing support for third-party applications altogether. We have approached Twitter for comment and will update this story if they get back to us. ®

The Essential Guide to IT Transformation

More from The Register

next story
Major problems beset UK ISP filth filters: But it's OK, nobody uses them
It's almost as though pr0n was actually rather popular
Google Nest, ARM, Samsung pull out Thread to strangle ZigBee
But there's a flaw in Google's IP-based IoT system
Orange spent weekend spamming customers with TXTs
Zero, not infinity, is the Magic Number customers want
US freemium mobile network eyes up Europe
FreedomPop touts 'free' calls, texts and data
Apple orders huge MOUNTAIN of 80 MILLION 'Air' iPhone 6s
Bigger, harder trouser bulges foretold for fanbois
'Two-speed internet' storm turns FCC.gov into zero-speed website
Deadline for comments on net neutrality shake-up extended to Friday
NBN Co execs: No FTTN product until 2015
Faster? Not yet. Cheaper? No data
Oh girl, you jus' didn't: Level 3 slaps Verizon in Netflix throttle blowup
Just hook us up to more 10Gbps ports, backbone biz yells in tit-for-tat spat
prev story

Whitepapers

Seven Steps to Software Security
Seven practical steps you can begin to take today to secure your applications and prevent the damages a successful cyber-attack can cause.
Consolidation: The Foundation for IT Business Transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.
Designing a Defense for Mobile Applications
Learn about the various considerations for defending mobile applications - from the application architecture itself to the myriad testing technologies.
Build a business case: developing custom apps
Learn how to maximize the value of custom applications by accelerating and simplifying their development.
Consolidation: the foundation for IT and business transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.