Home/ Questions/Q 3931116
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-19T23:19:17+00:00

Preamble: This is very close to this question , and I have read this

  • 0

Preamble: This is very close to this question, and I have read this article on how the system works, and the flaws in the current implementation.

We are developing a WordPress plugin (PHP) that requires read-only access to a user’s account, (to access the statuses/home_timeline API method). This plugin will be openly distributed for people to use, and should be as easy to install as possible hence the desire to embed the application keys for a pre-existing application within the plugin code.

I understand that another application could be developed using the keys, but since we are not writing to the account, the risk must be large enough to be worried about when the only alternative is to require every user of the plugin to generate their own application.

Given the above, in what way could our comsumer_key/consumer_secret be used other than as intended, and what could the possible outcomes be, (outside of Twitter-related smackdowns)?

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    In general minimal.

    Consumer token pairs ure useless by themselves and the only way to get a users access token pair is to have the user go through the authorization flow on twitter.com. It will be your brand the user sees on the authorization page so if the origin page is presented in to mimic your own brand users will think they are actually giving you access to their account not the actual owner of the origin site. Once a third-party gets ahold of a users access token pair and the app is read only then there are two dangerous actions that can happen. One all private information from their friends protected statuses to their DMs will be accessible through the API. Two they can perform a sort of DOS attack and eat up the users rate limit leaving the API essential useless to them for all non whitelisted third-party applications.

    If the consumer token is used to build a spam farm that is putting a significant drain on Twitter’s resources they might disable or reset the key. At which point all copies of your code would stop working until you get a new key and everybody updates to the new version.

    Let me know if any of this is not clear.

    • 0