> On Aug 19, 10:26 am, Andriy Ivanov <tigrus...@gmail.com> wrote:
> > I've written a Desktop app that uses OAuth to communicate with twitter.
> > All the keys/tokens/pin I save in Settings file in my project
> > (.NET). Is it safe to do so or what is the better approach to save
> > this kind of data? What if all the tokens get in hand of "evil",
> > they can impersonate the user using the tokens, right? Why won't
> > tokens expire with Twitter? I am new to internet protocols, so any
> > help would be appreciated. Thanks!

> 
> There was some discussion of this at
> http://groups.google.com/group/twitter-development-talk/browse_thread/thread/972b23136fdf9ed8/80d6e999d9dedced?hl=en
> 
> An attacker who knows your consumer key and consumer secret can create
> an application that imitates yours. But they can't impersonate a user
> unless they have that user's access token and token secret.
 
Right, that takes a social engineering exploit to complete. After
obtaining the consumer's keys, the malicious user needs to employ it to
impersonate your application so that he can trick your legitimate user
into authorizing a new token to replace the existing one.

OAuth is written with the implicit understanding that the consumer
application lives on a server. In the absence of some scheme for bulk
key assignments, distributing your key and secret with the application
is the only alternative to running all traffic for your app through
your own server.

Chris
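To make the point above concrete, here is an added example (not code from this thread or from Twitter) of how an OAuth 1.0a HMAC-SHA1 request signature is built: the signing key is the percent-encoded consumer secret and the percent-encoded token secret joined by "&", so a leaked consumer secret on its own cannot produce a valid signature for a user's token. The credential values are the illustrative ones from the worked example in RFC 5849; the URL and parameters are sample input, not a real endpoint.

```python
import base64
import hashlib
import hmac
import secrets
import time
from urllib.parse import quote


def pct(value) -> str:
    """RFC 5849 section 3.6 percent-encoding: only unreserved characters survive."""
    return quote(str(value), safe="-._~")


def normalize_params(params: dict) -> str:
    """Encode, sort by key then value, and join as key=value pairs (section 3.4.1.3.2)."""
    pairs = sorted((pct(k), pct(v)) for k, v in params.items())
    return "&".join(f"{k}={v}" for k, v in pairs)


def signature_base_string(method: str, base_url: str, params: dict) -> str:
    """METHOD & encoded base URL & encoded normalized parameters (section 3.4.1.1)."""
    return "&".join([method.upper(), pct(base_url), pct(normalize_params(params))])


def signing_key(consumer_secret: str, token_secret: str = "") -> str:
    """Both secrets are needed; an empty token secret still leaves the trailing '&'."""
    return f"{pct(consumer_secret)}&{pct(token_secret)}"


def hmac_sha1_signature(base_string: str, key: str) -> str:
    digest = hmac.new(key.encode(), base_string.encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()


def sign_request(method, base_url, request_params, consumer_key, consumer_secret,
                 token, token_secret, nonce=None, timestamp=None):
    """Return (base string, Authorization header value) for a signed request."""
    oauth = {
        "oauth_consumer_key": consumer_key,
        "oauth_token": token,
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_timestamp": str(timestamp or int(time.time())),
        "oauth_nonce": nonce or secrets.token_hex(8),  # fresh nonce per request
    }
    base = signature_base_string(method, base_url, {**request_params, **oauth})
    oauth["oauth_signature"] = hmac_sha1_signature(base, signing_key(consumer_secret, token_secret))
    header = "OAuth " + ", ".join(f'{k}="{pct(v)}"' for k, v in sorted(oauth.items()))
    return base, header
```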
