I was thinking about this quite a few times: doesn't it mean that all these OAuth things are broken from the start, since once you give the binary to the people, they could just get the secret out and reuse it another way?
The TOS of all these APIs all say that "you have to keep your Secret secret, or else!", but fundamentally there's no way to really do that, is there?
It just compromises the application identity; it still does not give you access to anything useful, and it will probably be noticed if you use it on any significant scale.
However, OAuth is indeed a bad way to authenticate for applications that run on devices in the possession of third parties.