This article was published on March 7, 2013

Twitter’s API keys and secrets for its official apps surface; what should we do with them?


It appears that Twitter’s API keys and secrets for its official apps have surfaced, and are currently being shared on GitHub.

Note: In OAuth, the API key (the consumer key) and its secret (the consumer secret) together identify an app to the service and authorize its requests, much as a username and password identify a user. They identify the app, not the person using it.

At first look, this is simply a little embarrassing. The keys and secrets which Twitter’s official apps use with its API have leaked, but because of the way OAuth works this information can never be hidden completely: a native client has to carry its consumer key and secret in order to sign its requests, so anyone willing to pull apart the app binary can recover them, if they know where to look.

The embarrassing bit is simply that Twitter will have to reset its keys and secrets now that they are completely out in the open. But unless someone is looking to build a malicious app, this shouldn’t actually be a problem…if every app that used Twitter’s API were treated equally.

But that’s clearly not how it works anymore.

Twitter’s own apps get preferential treatment (that’s nothing new), which means third-party apps could presumably present these leaked keys and secrets, be taken for the official client, and work around Twitter’s strict limits on third-party apps.
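To make the OAuth point concrete, here is a minimal OAuth 1.0a (RFC 5849) HMAC-SHA1 signer and verifier. It is an added example for this article, not code from Twitter or from the leaked repositories, and every credential, nonce and timestamp in it is a constructed placeholder. It shows two things at once: the client must hold the consumer secret to sign a request at all (which is why a native app has to embed it), and a third-party client holding the same key and secret produces exactly the signature the server attributes to the official app, while a client that only has the key and guesses the secret is rejected.

```python
"""Minimal OAuth 1.0a (RFC 5849) HMAC-SHA1 signing and verification.

Added example, standard library only. All credentials, nonces and timestamps
below are constructed placeholders, not real Twitter values.
"""
import base64
import hashlib
import hmac
import secrets
import time
from urllib.parse import quote


def pct(value) -> str:
    """Percent-encode per RFC 5849 section 3.6 (only unreserved chars are kept)."""
    return quote(str(value), safe="-._~")


def signature_base_string(method: str, base_url: str, params: dict) -> str:
    """Build METHOD&url&params. `params` holds query, body and oauth_* params
    except oauth_signature; pairs are encoded, then sorted by key and value."""
    pairs = sorted((pct(k), pct(v)) for k, v in params.items())
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), pct(base_url), pct(normalized)])


def hmac_sha1_signature(base_string: str, consumer_secret: str, token_secret: str = "") -> str:
    """Key is consumer_secret&token_secret: without the consumer secret no
    client can produce a valid signature, so a native app has to embed it."""
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    digest = hmac.new(key, base_string.encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()


def sign_request(method, base_url, request_params, consumer_key, consumer_secret,
                 token="", token_secret="", nonce=None, timestamp=None) -> dict:
    """Client side: return the oauth_* parameters (including oauth_signature)
    that would go into the Authorization header for this request."""
    oauth_params = {
        "oauth_consumer_key": consumer_key,
        "oauth_nonce": nonce or secrets.token_hex(16),
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_timestamp": str(timestamp or int(time.time())),
        "oauth_version": "1.0",
    }
    if token:
        oauth_params["oauth_token"] = token
    base = signature_base_string(method, base_url, {**request_params, **oauth_params})
    oauth_params["oauth_signature"] = hmac_sha1_signature(base, consumer_secret, token_secret)
    return oauth_params


def verify_request(method, base_url, request_params, oauth_params,
                   consumer_secrets: dict, token_secrets: dict):
    """Server side: recompute the signature with the secret registered for the
    presented consumer key. Returns the consumer key the request is attributed
    to, or None. The server only ever sees the key, so it cannot tell which
    program is holding the matching secret."""
    consumer_key = oauth_params.get("oauth_consumer_key")
    presented = oauth_params.get("oauth_signature")
    if consumer_key not in consumer_secrets or not presented:
        return None
    unsigned = {k: v for k, v in oauth_params.items() if k != "oauth_signature"}
    base = signature_base_string(method, base_url, {**request_params, **unsigned})
    token_secret = token_secrets.get(unsigned.get("oauth_token", ""), "")
    expected = hmac_sha1_signature(base, consumer_secrets[consumer_key], token_secret)
    return consumer_key if hmac.compare_digest(expected.encode(), presented.encode()) else None


# Constructed placeholder credentials (hypothetical, not Twitter's real keys).
OFFICIAL_KEY = "official-client-key"
OFFICIAL_SECRET = "official-client-secret"
USER_TOKEN = "user-access-token"
USER_TOKEN_SECRET = "user-access-token-secret"
SERVER_CONSUMER_SECRETS = {OFFICIAL_KEY: OFFICIAL_SECRET}
SERVER_TOKEN_SECRETS = {USER_TOKEN: USER_TOKEN_SECRET}


def impersonation_demo() -> dict:
    """Sign one request three ways and report what the server attributes each to."""
    method = "POST"
    url = "https://api.twitter.com/1.1/statuses/update.json"
    body = {"status": "hello from a client"}
    fixed = {"nonce": "0123456789abcdef", "timestamp": 1362614400}  # fixed for reproducibility

    def attempt(secret):
        oauth = sign_request(method, url, body, OFFICIAL_KEY, secret,
                             USER_TOKEN, USER_TOKEN_SECRET, **fixed)
        seen_as = verify_request(method, url, body, oauth,
                                 SERVER_CONSUMER_SECRETS, SERVER_TOKEN_SECRETS)
        return oauth["oauth_signature"], seen_as

    official_sig, official_seen = attempt(OFFICIAL_SECRET)  # the real app
    leaked_sig, leaked_seen = attempt(OFFICIAL_SECRET)      # third party holding the leaked secret
    _, guessed_seen = attempt("wrong-secret")               # third party that only has the key
    return {
        "official_seen_as": official_seen,
        "leaked_seen_as": leaked_seen,
        "guessed_seen_as": guessed_seen,
        "leaked_signature_matches_official": official_sig == leaked_sig,
    }


if __name__ == "__main__":
    print(impersonation_demo())
```

The verifier deliberately returns the consumer key rather than a bare true/false: that is all a server has to go on when deciding which app made a request, which is why any client that carries the official key and secret inherits whatever treatment the official app gets. Rotating the secret only helps until the new app build, which must again embed it, is taken apart.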

As you may have guessed, yes, Twitter can just reset its keys and secrets. But it then has to ship updated apps carrying the new keys, breaking older versions in the process, which means it could be days before this is fixed unless Apple expedites the App Store review. And then someone could just extract and leak the new keys again. So Twitter appears to have three choices:

  1. It can continue resetting its API keys and secrets, leading to a “long cat and mouse game of twitter updating their keys and using heuristics to recognize their own client followed by twitter clients providing a way to change the client secret,” in the words of Hacker News user pilif.
  2. It can loosen up the restrictions on third-party apps (nah)
  3. It can completely shut down third-party access to its API

The important thing to remember here is that if this were any other client using any other service’s API, this would just look like a fumble. But this isn’t any other client; it’s Twitter’s official clients on its own service. It brings up the conversation, yet again, about what Twitter must do about its API restrictions and its third-party community.

h/t: Cullen MacDonald

Image credit: Oli Scarff/Getty Images