How about letting us know what the changes were...?  Apparently I am
one of the developers not correctly submitting signatures.   I
developed my code based on samples in your wiki, and have no clue what
is broken with my authentication code (which has been working
perfectly for some time.)

On Jul 27, 7:59 pm, Doug Williams <d...@twitter.com> wrote:
> As stated above, some applications were sending invalid signatures which we
> were accepting as valid. This vulnerability was pointed out by a developer.
>
> Some libraries and code which may have previously worked may be broken by
> this security fix.
>
> Thanks,
> Doug
>
> On Mon, Jul 27, 2009 at 7:44 PM, Duane Roelands <duane.roela...@gmail.com> wrote:
>
>
>
> > I am receiving 401 (Unauthorized) when calling
> > http://twitter.com/statuses/update.xml
> > and passing the following querystring:
>
> > oauth_consumer_key=[removed]&oauth_nonce=912352&oauth_signature_method=HMAC-SHA1&oauth_timestamp=1248748647&oauth_token=19068738-hKO8qRlHPfJWqRHRkd62dGb4IiyXaXUy35Cqz58&oauth_version=1.0&status=This+is+a+test&oauth_signature=Fl0kqJdHY5MkvxjUZQ%2bFn%2fxGORo%3d
>
> > This code was working this afternoon and has not been changed.
>
> > On Jul 27, 10:38 pm, goodtest <goodtest...@gmail.com> wrote:
> > > Are we sure there is no further regression bug in this new fix?
>
> > > On Jul 27, 7:14 pm, Doug Williams <d...@twitter.com> wrote:
>
> > > > If you are still seeing errors you should check your code to ensure that you
> > > > are sending the correct signature.
> > > > Thanks,
> > > > Doug
>
> > > > On Mon, Jul 27, 2009 at 7:10 PM, winrich <winric...@gmail.com> wrote:
>
> > > > > Mine broke too. I wonder though, I'm using the OAuth Python libraries
>
> > > > > On Jul 27, 6:35 pm, chinaski007 <chinaski...@gmail.com> wrote:
> > > > > > Doug:
>
> > > > > > Does this mean that Marcel made a fix for this?  Or rather that we
> > > > > > should examine our code to find the culprit?
>
> > > > > > Thanks,
> > > > > > Peter Bray
>
> > > > > > On Jul 27, 6:24 pm, Doug Williams <d...@twitter.com> wrote:
>
> > > > > > > > Updating you guys on this problem. A bug was reported off list that informed
> > > > > > > > us we were not always verifying signatures. Today we shipped a fix for this
> > > > > > > > problem which ensures that we are correctly verifying signatures.
> > > > > > > > If you are still seeing invalid signature errors you should examine
> > > > > > > > your code and ensure you are correctly signing requests
> > > > > > > > as per the spec.
> > > > > > > Thanks,
> > > > > > > Doug
>
> > > > > > > > On Mon, Jul 27, 2009 at 6:05 PM, Doug Williams <d...@twitter.com> wrote:
> > > > > > > > Marcel is shipping a fix for this as I type.
>
> > > > > > > > Thanks,
> > > > > > > > Doug
>
> > > > > > > > 2009/7/27 João Pereira <joaomiguel.pere...@gmail.com>
>
> > > > > > > > Same here.
>
> > > > > > > > >> On Tue, Jul 28, 2009 at 1:26 AM, goodtest <goodtest...@gmail.com> wrote:
>
> > > > > > > > >>> Twitter API server seems to be down (getting invalid signature) since
> > > > > > > > >>> 5.15 pm PST

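An added example, not code from this thread or from Twitter: OAuth 1.0 HMAC-SHA1 signing and strict server-side verification per the spec the thread refers to, run over the request parameters from Duane's message. The consumer key, both secrets and the POST method are constructed assumptions, and the "+"-encoded variant only illustrates one way a client-side signature can diverge under strict verification; it is not a diagnosis of any poster's code.

```python
import base64
import hashlib
import hmac
from urllib.parse import quote

def pct(value):
    """OAuth 1.0 percent-encoding: unreserved chars stay literal, space is %20 (never '+')."""
    return quote(str(value), safe="-._~")

def base_string(method, url, params):
    """METHOD & encoded URL & encoded(sorted, encoded key=value pairs)."""
    pairs = sorted((pct(k), pct(v)) for k, v in params.items() if k != "oauth_signature")
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), pct(url), pct(normalized)])

def sign(method, url, params, consumer_secret, token_secret=""):
    """HMAC-SHA1 over the base string, keyed with 'consumer_secret&token_secret'."""
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    mac = hmac.new(key, base_string(method, url, params).encode(), hashlib.sha1)
    return base64.b64encode(mac.digest()).decode()

def verify(method, url, params, consumer_secret, token_secret=""):
    """Server side: recompute, compare in constant time, reject missing or wrong values."""
    expected = sign(method, url, params, consumer_secret, token_secret)
    supplied = str(params.get("oauth_signature", ""))
    return hmac.compare_digest(expected.encode(), supplied.encode())

# Constructed sample: secrets and consumer key are placeholders, not real credentials.
URL = "http://twitter.com/statuses/update.xml"
CONSUMER_SECRET = "constructed-consumer-secret"
TOKEN_SECRET = "constructed-token-secret"
PARAMS = {
    "oauth_consumer_key": "constructed-consumer-key",
    "oauth_nonce": "912352",
    "oauth_signature_method": "HMAC-SHA1",
    "oauth_timestamp": "1248748647",
    "oauth_token": "19068738-hKO8qRlHPfJWqRHRkd62dGb4IiyXaXUy35Cqz58",
    "oauth_version": "1.0",
    "status": "This is a test",  # decoded value; the wire form was This+is+a+test
}

def demo():
    """Return verifier results for a correct, a '+'-signed and an unsigned request."""
    args = ("POST", URL)
    good = dict(PARAMS, oauth_signature=sign(*args, PARAMS, CONSUMER_SECRET, TOKEN_SECRET))
    # Client signs the still form-encoded value, so '+' is treated as a literal plus.
    plus = dict(PARAMS, status="This+is+a+test")
    bad = dict(PARAMS, oauth_signature=sign(*args, plus, CONSUMER_SECRET, TOKEN_SECRET))
    return tuple(verify(*args, p, CONSUMER_SECRET, TOKEN_SECRET) for p in (good, bad, PARAMS))
```

Printing `base_string(...)` on both client and server side is the quickest way to find which parameter is encoded or ordered differently when a strict verifier returns 401.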