Twitter claims that the consumer keys are needed to shut down applications used by spammers, but OAuth was simply not designed for that purpose. It is also unlikely to be effective: spammers will use the consumer tokens extracted from official clients, and blocking the official clients is not an option. Closing individual spammer accounts makes much more sense.
Consumer tokens are fundamentally insecure when shipped inside a client application. Moreover, requiring the consumer key and secret to be kept confidential effectively kills open-source clients, since the secret would have to appear in the published source.
Twitter asks developers to protect their keys in an environment where the user has complete control over the execution flow and full access to the process address space, so key extraction cannot be prevented.
The problem is somewhat similar to DVD, HDMI and HDCP content protection. At some point the user's machine has to load the cryptographic keys into memory in order to decrypt the protected content. After that it is only a matter of time and motivation before someone extracts the keys and replicates the decryption process.
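The two halves of that argument, as an added example that is not code from the original post or from Twitter: first a "strings plus entropy" pass over a constructed stand-in for a client binary recovers the embedded consumer key and secret, then those recovered values are fed into OAuth 1.0a HMAC-SHA1 signing (RFC 5849 section 3.4) and produce exactly the signature the official client would produce. The binary blob, the credential values, the user token, the nonce and the timestamp are all constructed for the demo; only the endpoint URL string and the signing procedure are real.

```python
"""Extract an embedded OAuth 1.0a consumer key/secret from a client binary
and reuse it to sign a request exactly as the official client would.

Added example; not code from the original post. The binary blob, the
credentials, the user token, nonce and timestamp are constructed for the
demo. Signing follows RFC 5849 section 3.4 (HMAC-SHA1)."""
import base64
import hashlib
import hmac
import math
import re
from urllib.parse import quote

# Constructed stand-in for an "official client" executable: ELF-like header,
# a version banner, the API endpoint, the two credentials, low-entropy padding
# and some machine-code-like bytes. Real binaries are bigger, but the
# credentials sit in .rodata/.data as plain strings just like this.
CONSUMER_KEY = "Ab3dE5fG7hI9jK1lM3nO5pQ7r"                        # constructed
CONSUMER_SECRET = "Zy9Xw8Vu7Ts6Rq5Po4Nm3Lk2Ji1Hg0Fe9Dc8Ba7Yx6Wv5"  # constructed
FAKE_BINARY = (
    b"\x7fELF\x02\x01\x01" + b"\x00" * 9
    + b"Official Client v1.2\x00"
    + b"https://api.twitter.com/1.1/statuses/update.json\x00"
    + CONSUMER_KEY.encode() + b"\x00"
    + CONSUMER_SECRET.encode() + b"\x00"
    + b"X" * 32 + b"\x00"                                  # low-entropy decoy
    + b"\x55\x48\x89\xe5\x48\x83\xec\x20\xe8\x00\x00\x00\x00\xc9\xc3"
)


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (used to separate random-looking
    credentials from banners, URLs and padding)."""
    n = len(s)
    counts = {ch: s.count(ch) for ch in set(s)}
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def find_credential_candidates(blob: bytes, min_len=20, min_entropy=3.5):
    """Poor man's `strings | grep`: printable runs, then alphanumeric tokens
    that are long and random-looking enough to be API credentials."""
    candidates = []
    for run in re.findall(rb"[\x20-\x7e]{4,}", blob):
        for token in re.findall(r"[A-Za-z0-9]{%d,}" % min_len, run.decode("ascii")):
            if shannon_entropy(token) >= min_entropy:
                candidates.append(token)
    return candidates


def pct(s: str) -> str:
    """RFC 3986 percent-encoding as required by RFC 5849 section 3.6."""
    return quote(s, safe="-._~")


def signature_base_string(method: str, url: str, params: dict) -> str:
    """METHOD & pct(url) & pct(normalized params), RFC 5849 section 3.4.1."""
    pairs = sorted((pct(k), pct(v)) for k, v in params.items())
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), pct(url), pct(normalized)])


def oauth_signature(method, url, params, consumer_secret, token_secret=""):
    """base64(HMAC-SHA1(pct(consumer_secret) & pct(token_secret), base string)).
    The consumer secret is a mandatory input, so any client that signs
    requests must hold it in memory."""
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    base = signature_base_string(method, url, params).encode()
    return base64.b64encode(hmac.new(key, base, hashlib.sha1).digest()).decode()


def sign_status_update(consumer_key, consumer_secret, status, nonce, timestamp,
                       token="UserToken000", token_secret="UserTokenSecret000"):
    """Build and sign the parameters of POST statuses/update (token values
    are constructed; nonce and timestamp are passed in so runs are repeatable)."""
    params = {
        "oauth_consumer_key": consumer_key,
        "oauth_nonce": nonce,
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_timestamp": timestamp,
        "oauth_token": token,
        "oauth_version": "1.0",
        "status": status,
    }
    params["oauth_signature"] = oauth_signature(
        "POST", "https://api.twitter.com/1.1/statuses/update.json",
        params, consumer_secret, token_secret)
    return params


def clone_matches_official(status="posted by a third-party clone",
                           nonce="3f9a1c2e", timestamp="1340000000"):
    """A clone using only what it pulled out of the binary signs identically
    to the official client, so the server cannot tell the two apart."""
    key, secret = find_credential_candidates(FAKE_BINARY)[:2]
    official = sign_status_update(CONSUMER_KEY, CONSUMER_SECRET, status, nonce, timestamp)
    clone = sign_status_update(key, secret, status, nonce, timestamp)
    return official["oauth_signature"] == clone["oauth_signature"]


if __name__ == "__main__":
    print("candidates:", find_credential_candidates(FAKE_BINARY))
    print("clone indistinguishable from official client:", clone_matches_official())
```

The entropy filter is what separates the two credentials from the banner, the URL and the 32-byte padding; in a real binary you would confirm a candidate by trying to sign a request with it, or by breaking on the HMAC routine and reading the key argument. Obfuscating the strings only moves the problem, because the secret still has to be reassembled in memory before the signature can be computed.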
Twitter uses OAuth for something it was not designed for.
It appears from our work that the main reason for switching from basic authentication to OAuth is not user security or spam fighting, but simply control over third-party applications.
This post is from 2012, but the details are still interesting.