Tuesday, October 26, 2010

More Twitter OAuth Stupidity

To borrow from Douglas Adams, Twitter is run by "a bunch of mindless jerks who’ll be the first against the wall when the revolution comes."

Twitter uses the OAuth consumer key to identify client applications. Now they've gone a step further, and are revoking the consumer keys of open source clients that fail to adequately obfuscate the key in the source code. Twidge was disabled yesterday. It was fixed a day later after the developer modified the source to comply with Twitter's requirements. So far, I haven't heard of any other open source clients having problems.

I don't know what Twitter hopes to accomplish with this ridiculous obfuscation requirement. Even if the key is hidden in the source code, it's still available to anyone who examines the code. Does the requirement apply to closed source clients? In the above article, the author extracted the consumer key from the binary of the official Twitter Android client. Anyone want to bet it hasn't been fixed?
