public
re4k / gist:3878505
Last updated

Consumer keys of official Twitter clients

  • Download Gist
  • Link to this gist
gistfile1.md
Markdown
File suppressed. Click to show.

Twitter公式クライアントのコンシューマキー

Twitter for iPhone

Consumer key: IQKbtAYlXLripLGPWd0HUA
Consumer secret: GgDYlkSvaPxGxC4X8liwpUoqKwwr3lCADbz8A7ADU

Twitter for Android

Consumer key: 3nVuSoBZnx6U4vzUxf5w
Consumer secret: Bcs59EFbbsdF6Sl9Ng71smgStWEGwXXKSjYvPVt7qys

Twitter for Google TV

Consumer key: iAtYJ4HpUVfIUoNnif1DA
Consumer secret: 172fOpzuZoYzNYaU3mMYvE8m8MEyLbztOdbrUolU

Twitter for iPad

Consumer key: CjulERsDeqhhjSme66ECg
Consumer secret: IQWdVyqFxghAtURHGeGiWAsmCAGmdW3WmbEx6Hck

Twitter for Mac

Consumer key: 3rJOl1ODzm9yZy63FACdg
Consumer secret: 5jPoQ5kQvMJFDYRNE8bQ4rHuds4xJqhvgNJM4awaE8

Twitter for Windows Phone

Consumer key: yN3DUNVO0Me63IAQdhTfCA
Consumer secret: c768oTKdzAjIYCmpSNIdZbGaG0t6rOhSFQP0S5uC79g

TweetDeck

Consumer key: yT577ApRtZw51q4NPMPPOQ
Consumer secret: 3neq3XqN5fO3obqwZoajavGFCUrC42ZfbrLXy5sCv8
wedtm commented

But what does it all mean, Basil?

j7 commented

@wedtm these are the username/password that application itself uses to authenticate with Twitter. These are supposed to be private, atleast the secret.

medecau commented

This means that anyone can now write apps that look like official apps to twitter.

thilo commented

@medecau Not quite, you have to store callback urls with your app, and the tokens are only handed to that url, so unless you gain control of the domains or the account that registered the apps it won't work.

unclespode commented

That's not entirely true thilo.

I can only speak for normal people creating their own applications - as Twitter may have put more restrictions in for their own apps, but the oauth_callback parameter overrides any callback parameter configured for the applications, so you can redirect it to whatever URL you like.

guidobouman commented

@thilo As far as I know only Facebook has that kind of domain restriction in place. Using the oauth_callback parameter to override the callback url should work just fine.

jbiason commented

Don't forget that Twitter (for iPad/iOS, at least) have XAuth support, which doesn't require going to the webpage. This means anyone can, now, write a desktop app that can't be banned ('cause it will identify itself as "Twitter for iPad/iOS") that doesn't require going all the way through the authorization page.

tcr commented

I've just tested with localhost:3000, the oauth_callback parameter definitely does not matter. Also, the applications are set up as "Desktop" applications, meaning they require out-of-band tokens (including the iPhone/Android/Windows Phone). A test script: https://gist.github.com/tcr/5108489

outrunthewolf commented

You also need to specify callback in the application management tool on twitter for the newer apps. regardless of what you set in your code It doesn't work otherwise

mrmans0n commented

They had it coming.

JonLundy commented

Lets be honest. They only need to send out a version bump for twitter clients and expire these tokens and force you to update. It won't give you god like powers ... At least for long.

rdohms commented

@JonLundy, no but if they have to bump versions everytime someone breaks these keys... then they have a big headache in their hands.

zyga commented

They cannot reasonably upgrade 100s of millions of dumb featurephones that may have those keys embedded in them. I'd say they're hosed if that's true

dlikhten commented

And so the cat and mouse game begins. If twitter bans a token, then all clients stop working, and thus legitimate users will be irate. This will be a good show.

Hopefully Falcon Pro throws the first stone.

brh commented

@dlikhten Doing that will I am sure earn Falcon Pro a lifetime ban, all their users would be rendered useless.

CarlQLange commented

Why am I surprised that @tcr is one of the first the get on this train?

tomasmcguinness commented

Has anyone been able to verify these codes are genuine?

karangb commented

seems like this gist was revised 5 months ago

smartwatermelon commented

@tomasmcguinness the Windows Phone one certainly is. I just used it to tweet from the "t" Ruby client on my Mac.

rdohms commented

@brh, it surely will... but then again.. how will they ban Falcon Pro if they are using someone else's keys :P

jk commented

You people know that those apps are mobile apps? Most of them use pseudo callback URLs and parse the servers redirect for the auth token. So even if twitter enforces matching callback URLs that will not solve the problem here when the 3rd party Apps impersonate the official apps.

DHuckaby commented

They are genuine, I verified the Twitter for Android and the TweetDeck keys personally.

aageboi commented

it works.. awesome.. ^_^

DHuckaby commented

And with no rate limiting as far as I can see...

ghuntley commented

Lesson #1 in business, don't piss off the nerds.

surjikal commented

These keys are just embedded in the apps, no? Is there a way to store these keys securely? Or maybe there's a different way to do auth?

ibmkhd commented

So , is this the same with facebook and G+ official apps (key/secret of them could be revealed)?

mcbyte-it commented

The Android one is genuine, because I was able to extract it from the Twitter APK myself a week ago.

They are stored in the app itself (obviously, otherwise the app will not work), and they are obfuscated, but it is quite easy to reverse (a simple subtraction). I even found another pair that are not mentioned above, maybe an older set?

Key=m9QsrrmJoANGROAiNKaC8g
Secret=[will not publish]

Anyway, Twitter is making it more difficult to extract this data from the apk.
In older version of the apk, you can simply intercept the traffic with an SSL proxy and get the Consume key easily, while the latest version Twitter app does check the signature of the SSL certificate and doesn't work with fake ones.

vevck commented

Verified all the API Keys & Secrets which have been released. They all are valid & work fine.

re4k commented

@mcbyte-it Twitter for Android uses the key to call the sign up API(?).

vorbote commented

Don't be too enthusiastic about this. Twitter has already mitigated the problem following the line of least resistance: They axed all official apps: http://readwrite.com/2013/03/04/twitter-kills-off-tweetdeck-may-2013

mcbyte-it commented

@vorbote They killed the Tweetdeck app, not their official Twitter app...

vorbote commented

@mcbyte-it You missed the part where Twitter kills its 1.0 API[1], which is what these private keys are meant for.

[1] https://dev.twitter.com/blog/planning-for-api-v1-retirement

mcbyte-it commented

@vorbote yes, API v1.0 is going away, but also 1.1 uses Consumer Key / Secret, no?

vishaltelangre commented

Wow! Just successfully tweet'd via Twitter for iPhone, and Twitter for Mac using these app credentials.

DHuckaby commented

@vorbote v1.0 and v1.1 both use oauth. The fact that they deprecated v1.0 doesn't reduce the awesome opportunities we now have with the official keys.

zimok commented

-1 for native apps

renegade88 commented

@DHuckaby agreed, working on something here, would like to talk with you if thats kool,

verdugocarlos commented

Only TweetDeck keys work now. I wasn't able to authenticate with the other ones.

DHuckaby commented

@verdugocarlos They definitely still work, I just tested them to verify. Make sure you read the response that comes from the server.

DHuckaby commented

@renegade88 Sure, comment on my fork here so that we don't trash this guys gist.

Please sign in to comment on this gist.

Something went wrong with that request. Please try again.