When you develop an app, you usually get two codes – the API key and the secret. Both are used to authorise and identify the app, similar to how your username and password identify you on Google or Facebook. Well, it appears those two codes for all of Twitter’s official apps have now been published online.
With these codes, you could build a Twitter application that piggybacks on the user token limit of Twitter’s official apps – which, I assume, have no limit at all. The keys also appear to be genuine, with one GitHub user commenting, “the Windows Phone one certainly is. I just used it to tweet from the ‘t’ Ruby client on my Mac.”
Nor is this information especially hard to find. As noted by The Next Web’s Harrison Weber, “because of the way OAuth works, this information can’t actually be hidden completely, if you know where to find it.”
Now that developers could use these keys to get around Twitter’s highly restrictive user limits, Twitter could reset the API keys and secrets. However, because the keys are so easy to extract, crafty developers would simply find the new ones again unless Twitter adds another layer of security that lets the API recognise a genuine official Twitter app. Resetting the API keys and secrets would also mean Twitter has to reauthorise every user.
The other options include changing the restrictions on third-party apps, including the user limits, or – highly unlikely – shutting down access for all third parties and/or manually approving every single app that uses the Twitter API.
This is no doubt very embarrassing for Twitter, but now that the leak has happened we’ll have to wait and see how Twitter responds. If they loosen the restrictions, the more professional users will be happy, because they won’t have to jump from client to client when one reaches its user limit. But if they add more restrictions, expect a mass exodus of Twitter’s development community.