There was some discussion of this at http://groups.google.com/group/twitter-development-talk/browse_thread/thread/972b23136fdf9ed8/80d6e999d9dedced?hl=en
An attacker who knows your consumer key and consumer secret can create an application that imitates yours. But they can't impersonate a user unless they have that user's access token and token secret.

On Aug 19, 10:26 am, Andriy Ivanov <tigrus...@gmail.com> wrote:
> I've written a Desktop app that uses oAuth to communicate with twitter.
> All the keys/tokens/pin I save in Settings file in my project (.NET).
> Is it safe to do so or what is the better approach to save this kind
> of data? What if all the tokens get in hand of "evil", they can
> impersonate the user using the tokens, right? Why won't tokens expire
> with Twitter? I am new to internet protocols, so any help would be
> appreciated. Thanks!