

Ripping OAuth tokens or other secrets out of TweetDeck, Twitter.app & other apps - micrypt
http://timetobleed.com/ripping-oauth-tokens-or-other-secrets-out-of-tweetdeck-twitter-app-and-other-apps/ 

======
bri3d
By its nature, the only way to combat this class of attack is security by
obscurity - hence, it should be assumed that OAuth client tokens and client
secrets do not provide true protection against unauthorized client
applications.

Of course the tokens can be obfuscated, but at some point the tokens must be
used in plain-text to sign the OAuth request, and on a device like an iPhone
where complete control of execution flow and full address space access is
possible (via kernel exploits / jailbreak and a debugger), it's literally
impossible to prevent this attack.

Issuing unique per-device device tokens would be an interesting approach, but
then a trusted side-band would be necessary to issue the tokens to the device,
and a lot of the point of OAuth is moot.

OAuth is still quite useful for user authentication (as to steal per-user
tokens requires access to the user's device anyway).
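
As an added illustration of the point above that the client secret has to be in the clear at signing time: the OAuth 1.0a HMAC-SHA1 signature computation written out per RFC 5849. This is example code for this thread, not from the linked post or from Twitter/TweetDeck; the request is the RFC's section 3.4.1.1 sample and the two secrets are constructed values.

```python
"""OAuth 1.0a (RFC 5849) HMAC-SHA1 signing, written out to show where the client
("consumer") secret enters. Constructed example, not code from the linked post."""
import base64
import hashlib
import hmac
from urllib.parse import parse_qsl, quote, urlsplit

# Request from RFC 5849 section 3.4.1.1; the two secrets are constructed samples.
RFC5849_URL = "http://example.com/request?b5=%3D%253D&a3=a&c%40=&a2=r%20b"
RFC5849_BODY = "c2&a3=2+q"
RFC5849_OAUTH = {
    "realm": "Example",
    "oauth_consumer_key": "9djdj82h48djs9d2",
    "oauth_token": "kkk9d7dh3k39sjv7",
    "oauth_signature_method": "HMAC-SHA1",
    "oauth_timestamp": "137131201",
    "oauth_nonce": "7d8f3e4a",
}
SAMPLE_CONSUMER_SECRET = "sample-consumer-secret"
SAMPLE_TOKEN_SECRET = "sample-token-secret"

def pct(s: str) -> str:
    # Section 3.6: percent-encode everything except RFC 3986 unreserved chars.
    return quote(s, safe="-._~")

def base_uri(url: str) -> str:
    # Section 3.4.1.2: lowercase scheme/host, drop default port, query, fragment.
    p = urlsplit(url)
    host = p.hostname or ""
    if p.port and (p.scheme, p.port) not in (("http", 80), ("https", 443)):
        host = f"{host}:{p.port}"
    return f"{p.scheme.lower()}://{host}{p.path}"

def signature_base_string(method, url, oauth_params, body=""):
    # Section 3.4.1.3: decode query, form body and oauth_* params, re-encode
    # each name and value, sort by name then value, join as name=value with '&'.
    pairs = parse_qsl(urlsplit(url).query, keep_blank_values=True)
    pairs += parse_qsl(body, keep_blank_values=True)
    pairs += [(k, v) for k, v in oauth_params.items()
              if k not in ("realm", "oauth_signature")]
    encoded = sorted((pct(k), pct(v)) for k, v in pairs)
    normalized = "&".join(f"{k}={v}" for k, v in encoded)
    return "&".join([method.upper(), pct(base_uri(url)), pct(normalized)])

def sign(method, url, oauth_params, consumer_secret, token_secret="", body=""):
    # Section 3.4.2: the consumer secret is half of the HMAC key. However it is
    # obfuscated at rest, it must be in the clear here, in the memory of every
    # client that signs, so it identifies an app rather than authenticating one.
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    msg = signature_base_string(method, url, oauth_params, body).encode()
    return base64.b64encode(hmac.new(key, msg, hashlib.sha1).digest()).decode()
```

The base string for the RFC sample request reproduces the one printed in RFC 5849 section 3.4.1.1, so the normalization can be checked against the spec before any secret is involved.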

------
anaran
I get this at Mon Aug 20 2012 23:00:37 GMT+0200

Not Found

The requested URL /ripping-oauth-tokens-or-other-secrets-out-of-tweetdeck-twitter-app-and-other-apps/ was not found on this server.

~~~
testing12341234
If you go directly to the domain, <http://timetobleed.com/>, then you can see
an image of the post, along with a nice message to Rack Space.

