Twitter API Doubt

1

In the documentation it says the following:

Tokens are passwords: Keep in mind that the consumer key & secret, bearer token credentials, and the bearer token itself grant access to make requests on behalf of an application. These values should be considered as sensitive as passwords, and should not be shared or distributed to untrusted parties.

Translating this:

Tokens are passwords: Keep in mind that the consumer key and secret, the bearer token credentials and the bearer token itself allow access to make requests on behalf of an application. These values should be considered as sensitive as passwords and should not be shared or distributed to untrusted parties.

Source: link

I want the user, instead of clicking the Sign in with Twitter button using OAuth, to fill out a form with his Twitter data, username and password.

Note: I do not want to steal information, because it is not possible ...

All in all, if Tokens are passwords, I can retrieve the screen_name and use crypt. I do not know if Twitter uses sha1, so I can retrieve the password too. If anyone knows, please report it here.

Source: link

Am I right or wrong?

asked by anonymous 28.05.2017 / 22:46

3 answers

8

What the documentation wants is that the credentials (token, bearer token, secret key ...) should be kept only with you, securely. Whoever gets this information will be able to make requests on behalf of your Twitter application.

Anyone who gets your private key (API Secret) can authenticate users as if they were your application. Likewise, anyone who has the token / bearer token can use it as they like on behalf of your application. For example, they can post tweets as if your app had posted them, when you did not actually do that.

For this reason, this information cannot be shared or distributed; it must remain with you alone.

I want the user, instead of clicking on the Login with Twitter button using OAuth, to fill out a form with his Twitter data, username and password.

The official Twitter API, the public API, only allows you to use OAuth. It was built precisely so that users would not enter their credentials on third-party sites.

There is no official way of doing what you want. What exists are workarounds (gambiarras), that is, using the private API, the one that Twitter itself uses. Unless I am mistaken, someone has already explained how to do it. You can reverse engineer the Twitter mobile application, as well as monitor the requests made by the application.

On the Twitter website you can simply monitor traffic (browsers already have this feature) and then know the endpoints .

You can try searching for someone who has already done this work, including finding people who have already made such information publicly available or even libraries in some language that uses the private API.

Once you have the passwords you can get the session cookie; this is almost a "Token", but for the private API. It is usually stored in a cookie (or multiple cookies); in the case of the mobile application API it may be encrypted, requiring some reverse engineering to get the keys.

NOTE: I do not want to steal information, because it is not possible ...

Now, if you ask for other people's passwords ... The phrase "I do not want to steal information because it is not possible ..." is a mistake. Not only do you have the ability to "steal" their credentials, but other people can "steal your theft."

Once you request and receive the Twitter passwords you will have the passwords; you have access to those credentials. Even if you use HTTPS, the information is decrypted on your side, at best, and will be stored in "some memory", so you have access to it.

All in all, if Tokens are passwords, I can recover the screen_name and use a crypt. I do not know if Twitter uses sha1, so I can recover the password too. If anyone knows, please report it here.

I honestly do not understand what you mean. The Token is random, generated from your private and public key for the user who authorized your application. They are like a password from the point of view of secrecy, since neither your password nor a Token should be shared, and both grant access to make interactions on your behalf.

Unless I am mistaken, OAuth2 does not use any encryption in the Token itself, only in its transport; this is done to make responses faster, and therefore does not require you to encrypt any Token.

If you want to keep the Token as secure as you possibly can, in my view the way is to use asymmetric encryption and some HSM to store the keys.

29.05.2017 / 04:38
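To make the answer's point concrete (the access token is random, not derived from the password, and the third-party app never handles the password in the OAuth flow), here is an added illustration in Python. It is not Twitter's code and not code from the answerer; it is a toy authorization server with constructed users and application credentials, modelled loosely on the authorization-code flow, and the names `AuthServer`, `authorize`, `exchange`, `introspect` and `revoke` are assumptions for this example only.

```python
import hashlib
import hmac
import os
import secrets
import time

PBKDF2_ROUNDS = 200_000  # slow, salted hash for passwords only


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256; returns (salt, digest). Only this is stored."""
    salt = salt if salt is not None else os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def verify_password(password, salt, digest):
    return hmac.compare_digest(hash_password(password, salt)[1], digest)


def _fingerprint(secret):
    # A fast hash is fine here: the input is 256 bits of randomness, not a password.
    return hashlib.sha256(secret.encode()).hexdigest()


class AuthServer:
    """Toy authorization server standing in for the site that owns the accounts (constructed)."""

    def __init__(self):
        self.users = {}   # screen_name -> (salt, digest); the password itself is never stored
        self.apps = {}    # consumer_key -> consumer_secret
        self.codes = {}   # one-time authorization code -> (screen_name, consumer_key)
        self.tokens = {}  # sha256(access token) -> record; a DB leak does not leak usable tokens

    def register_user(self, screen_name, password):
        self.users[screen_name] = hash_password(password)

    def register_app(self, consumer_key, consumer_secret):
        self.apps[consumer_key] = consumer_secret

    def authorize(self, screen_name, password, consumer_key):
        """The step the user performs on the provider's own login page (the redirect).
        The third-party app never sees the password; it only receives the code."""
        creds = self.users.get(screen_name)
        if consumer_key not in self.apps or creds is None or not verify_password(password, *creds):
            raise PermissionError("login failed")
        code = secrets.token_urlsafe(16)
        self.codes[code] = (screen_name, consumer_key)
        return code

    def exchange(self, code, consumer_key, consumer_secret, ttl=3600):
        """The app redeems the code with its own credentials for an opaque bearer token."""
        expected = self.apps.get(consumer_key, "")
        if not hmac.compare_digest(expected, consumer_secret):
            raise PermissionError("bad application credentials")
        owner = self.codes.pop(code, None)  # single use
        if owner is None or owner[1] != consumer_key:
            raise PermissionError("invalid or already-used code")
        token = secrets.token_urlsafe(32)  # pure randomness: no function leads from it to the password
        self.tokens[_fingerprint(token)] = {
            "screen_name": owner[0], "consumer_key": consumer_key,
            "expires": time.time() + ttl,
        }
        return token

    def introspect(self, token):
        """What a resource server learns from a bearer token: who and which app, nothing more."""
        rec = self.tokens.get(_fingerprint(token))
        if rec is None or rec["expires"] < time.time():
            return None
        return {"screen_name": rec["screen_name"], "consumer_key": rec["consumer_key"]}

    def revoke(self, token):
        """A leaked token is revocable; a leaked password is not."""
        self.tokens.pop(_fingerprint(token), None)


if __name__ == "__main__":
    srv = AuthServer()
    srv.register_app("ck_example", "cs_example_secret")   # constructed app credentials
    srv.register_user("alice", "correct horse battery staple")
    code = srv.authorize("alice", "correct horse battery staple", "ck_example")
    tok = srv.exchange(code, "ck_example", "cs_example_secret")
    print("token:", tok)
    print("introspection:", srv.introspect(tok))
```

Two things the toy shows that the discussion above only states: the application (holder of `consumer_key`/`consumer_secret`) only ever touches the code and the token, so a form that asks for the user's password gives the app strictly more than OAuth would, and there is nothing to "decrypt" in the token, since it is not a transformation of the password at all.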
1

Yes, Tokens are passwords, as the Twitter API documentation says; it uses a Base64 encoder, if I am not mistaken.

To transfer to the form, you should not use OAuth, because it generates a Token that is passed via $_GET. You will have to find another way to validate your form, remembering that you will have to do something like, for example:

curl_setopt($ch, CURLOPT_URL, "http://www.google.com/");

This is my opinion, and I'm pretty sure I'm correct.

28.05.2017 / 23:25
1

Press F12 on the Twitter login page, go to Network, press F5 and you will see some of the necessary information.

29.05.2017 / 00:54