
Couldn't another app use these tokens and take advantage of lax API limits?


Yes. And that's the point of the disclosure.


Anyone know what the API limits are for these keys? Is Twitter really favoring this key, or is that hypothetical?

Of course, you still have to log in as a user, and Twitter could blacklist accounts that use this key on non-Twitter apps, which are going to have a lot of 'tells' and a specific signature in patterns of how they use the API.

(Twitter could even take advantage of that by hiding a code in a usage pattern, kind of like the POW who blinked in Morse code when he was put on TV)


> Is Twitter really favoring this key, or is that hypothetical?

In at least one way, yes. New third-party Twitter clients are limited to 100k users, but Twitter's official clients are unlimited. If those clients built in a "use your own authentication token" UI, you could put your official client's tokens in and work around that limit.


> Is Twitter really favoring this key, or is that hypothetical?

I don't know about API quotas, but I'm totally sure that they allow more than 100K tokens.


On Android, the FOSS client Twidere lets users change the tokens in the options. https://play.google.com/store/apps/details?id=org.mariotaku....

The Chrome app Hotot too. https://chrome.google.com/webstore/detail/hotot/cnfkkfleeioo...


NekoTsui supports changing the consumer key/secret. https://itunes.apple.com/app/nekotsui/id476924886


I think Apple will simply not permit applications that use these keys and are not official clients in the App Store. Looks like something that is pretty easy to automate.


You presume that one would use the keys on iPhone. No reason you couldn't run them on a Linux box in AWS...


I'm not sure why Apple would play police for Twitter, though.


Isn't Twitter integrated into Apple's mobile operating system? Such a tight partnership is plenty of reason for them to play police for Twitter.


Yes and no. Apple wants to protect their Twitter partnership, but... Apple knows that there aren't any effective police in the park next door. So the question is whether Apple values their Twitter relationship enough that they're willing to cede most of the future energy and enthusiasm around third-party Twitter clients to Android.

It's possible, but I don't think it is at all an easy call.


How would Apple know that the app uses these keys? If they run something similar to strings, then all you have to do is store the keys in some kind of obfuscated form.


Right, but as soon as the press finds out, and they will, that developer account will be banned. Most devs won't see it as worth the risk.


What responsibility does Apple have to Twitter except the notification center widget?


Twitter did this to themselves. Without the limit, this information is worthless. It'll make sense for an app like Tweetro[1] to add custom tokens as a feature or easter egg.

1: http://www.theverge.com/2012/11/11/3631108/tweetro-user-toke...


> Without the limit, this information is worthless.

Not true. Say you have a malicious Twitter client app that posts "Lose Weight In 30 days! <link>." Normally, Twitter could shut this offending app down by rejecting their client ID/secret; if they're using the official Twitter creds though, doing so would shut down all official Twitter apps in the process.
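The two points above (a third-party client that lets you paste in the official consumer key/secret to dodge the per-app limit, and a provider that cannot revoke a spammer's borrowed key without taking the official apps down with it) both follow from how OAuth 1.0a (RFC 5849) identifies an application. The consumer key/secret is the only thing in the signed request that says "which app" this is; the HMAC key is the consumer secret joined to the user's token secret, so anyone holding the official secret produces signatures that are indistinguishable from the official client's. The following is an added example, not code from the thread or from Twitter or any of the clients named: a minimal RFC 5849 HMAC-SHA1 signer and a provider-side verifier, run against a constructed app registry with a hypothetical "official" app, a hypothetical third-party app, a single user token, and a made-up endpoint URL. The demo shows that the provider accepts the spam client's request under the official key, that revoking the spam client's own key is targeted, and that revoking the official key rejects the genuine official client's traffic too.

```python
"""OAuth 1.0a (RFC 5849) HMAC-SHA1 signing and verification. Added example with
constructed keys, tokens and endpoint; not Twitter's code or any real client's."""
import base64
import hashlib
import hmac
import secrets
import time
from urllib.parse import parse_qsl, quote, unquote, urlparse


def pct(value) -> str:
    # RFC 5849 3.6: percent-encode everything except the unreserved characters.
    return quote(str(value), safe="-._~")


def signature_base_string(method, url, params):
    # params: every oauth_* parameter except oauth_signature, plus form-body params.
    parsed = urlparse(url)
    base_url = f"{parsed.scheme.lower()}://{parsed.netloc.lower()}{parsed.path}"
    merged = dict(parse_qsl(parsed.query, keep_blank_values=True), **params)
    # Encode, sort by encoded name then value, join (RFC 5849 3.4.1.3.2).
    normalized = "&".join(f"{k}={v}" for k, v in sorted((pct(k), pct(v)) for k, v in merged.items()))
    return "&".join([method.upper(), pct(base_url), pct(normalized)])


def sign(method, url, params, consumer_secret, token_secret=""):
    # HMAC key = consumer secret '&' token secret (RFC 5849 3.4.2): anyone holding
    # the consumer secret signs exactly like the registered application.
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    msg = signature_base_string(method, url, params).encode()
    return base64.b64encode(hmac.new(key, msg, hashlib.sha1).digest()).decode()


def build_request(method, url, body, consumer_key, consumer_secret, access_token, token_secret):
    """Client side: sign a form-encoded request; returns it as a dict."""
    oauth = {
        "oauth_consumer_key": consumer_key,
        "oauth_nonce": secrets.token_hex(16),
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_timestamp": str(int(time.time())),
        "oauth_token": access_token,
        "oauth_version": "1.0",
    }
    oauth["oauth_signature"] = sign(method, url, {**body, **oauth}, consumer_secret, token_secret)
    header = "OAuth " + ", ".join(f'{pct(k)}="{pct(v)}"' for k, v in sorted(oauth.items()))
    return {"method": method, "url": url, "body": dict(body), "authorization": header}


def parse_auth_header(header):
    assert header.startswith("OAuth ")
    pairs = (part.split("=", 1) for part in header[len("OAuth "):].split(", "))
    return {unquote(k): unquote(v.strip('"')) for k, v in pairs}


def verify(request, app_registry, token_secrets):
    """Provider side. app_registry: consumer key -> secret for every registered,
    non-revoked app; token_secrets: access token -> secret. Returns (ok, key or reason)."""
    oauth = parse_auth_header(request["authorization"])
    consumer_key = oauth.get("oauth_consumer_key")
    if consumer_key not in app_registry:
        return False, "unknown or revoked consumer key"
    token = oauth.get("oauth_token")
    if token not in token_secrets:
        return False, "unknown token"
    provided = oauth.pop("oauth_signature", "")
    expected = sign(request["method"], request["url"], {**request["body"], **oauth},
                    app_registry[consumer_key], token_secrets[token])
    if not hmac.compare_digest(provided.encode(), expected.encode()):
        return False, "bad signature"
    return True, consumer_key  # the consumer key is all the provider learns about "which app"


# Constructed provider state: one "official" app, one third-party app, one user.
OFFICIAL_KEY, OFFICIAL_SECRET = "official-client-key", "official-client-secret"
THIRD_PARTY_KEY, THIRD_PARTY_SECRET = "third-party-key", "third-party-secret"
REGISTRY = {OFFICIAL_KEY: OFFICIAL_SECRET, THIRD_PARTY_KEY: THIRD_PARTY_SECRET}
TOKENS = {"user-token": "user-token-secret"}
URL = "https://api.example.com/1.1/statuses/update.json"  # hypothetical endpoint


def demo():
    user = ("user-token", "user-token-secret")
    official = build_request("POST", URL, {"status": "hello"}, OFFICIAL_KEY, OFFICIAL_SECRET, *user)
    spam = {"status": "Lose Weight In 30 days! http://example.invalid"}
    spam_leaked = build_request("POST", URL, spam, OFFICIAL_KEY, OFFICIAL_SECRET, *user)  # shipped with the leaked key
    spam_own = build_request("POST", URL, spam, THIRD_PARTY_KEY, THIRD_PARTY_SECRET, *user)  # its own key
    requests = (official, spam_leaked, spam_own)
    without_third_party = {k: v for k, v in REGISTRY.items() if k != THIRD_PARTY_KEY}
    without_official = {k: v for k, v in REGISTRY.items() if k != OFFICIAL_KEY}
    tampered = dict(spam_leaked, body={"status": "edited after signing"})
    return {
        "before": [verify(r, REGISTRY, TOKENS) for r in requests],
        "revoke_third_party_key": [verify(r, without_third_party, TOKENS) for r in requests],
        "revoke_official_key": [verify(r, without_official, TOKENS) for r in requests],
        "tampered": verify(tampered, REGISTRY, TOKENS),
    }
```

Calling `demo()` returns the verifier's verdict for each of the three requests before and after each revocation. Nothing in the signature ties the request to a binary, a device or a store listing; the "tells" that the earlier comment mentions (usage patterns, timing, which endpoints get hit) would have to come from behavioural analysis on top of this, since the cryptographic layer itself says only "signed with the official app's secret".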


They already have spam systems in place to catch repetitive spam tweets and block them.
