If the attacker does that, the loser is only that user but not the app
(parent app). Basically this idea is to
shield the apps from being misused.

@taylor
So key exchange is done based on consumer key only. (No need to verify the
signature? Makes sense as this is distributed.) So any abuse by the end user
will only lead to the ban of the child app? (Assuming the final auth requests
are signed by the generated secrets (child app secret and user secret only).)

On Sat, Jun 12, 2010 at 2:29 PM, Jef Poskanzer <jef.poskan...@gmail.com> wrote:

> I don't understand why you are suggesting this only for open source
> programs.  Were you thinking that an attacker would be incapable of
> decompiling an executable and extracting the secret?
>
