Is this a security issue?


#1

Hi All,

I would like to explain the issue in detail.

I created a new Twitter application (myCustomTweet) using my account, and my application has read/write access. I was able to tweet/update my status from this application using OAuth tokens. I developed this application using YQL/JavaScript and Java. I am running this application on Tomcat (local machine). I have not hosted this application on the web.

I created a new Twitter account, and now I want to tweet from my new account using the application I created. I got an access token for this new account from Twitter after authorization.

Now, with the help of the access tokens and consumer tokens, I was able to tweet/update from this application to my new account.

Here comes the issue.

Just with the help of the access tokens of an account and the consumer tokens of the application, we are able to tweet from this application to my new account.

These access tokens are static.

What if a hacker built an application and provided good features, and a user registered with this application using OAuth? The hacker can store the access tokens and will be able to hack Twitter accounts using these access tokens.

Access tokens should be dynamic.

Thanks,
Mohan
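As an added illustration (not code from the post above or from Twitter), here is the OAuth 1.0a HMAC-SHA1 request-signing step (RFC 5849) that a client application performs; every key, secret, nonce and the endpoint URL below is a constructed placeholder. It makes the observation concrete: the signing key is just the consumer secret joined to the access-token secret, so an application that stores the user's token pair can keep producing valid signatures for as long as the user leaves its access in place, which is why such tokens need the same protection as passwords and why revoking an application's access is the user-side remedy.

```python
"""OAuth 1.0a HMAC-SHA1 request signing (RFC 5849), written to show which
stored values let an application act on a user's account.
All keys, secrets, nonces and the URL are constructed placeholders."""
import base64
import hashlib
import hmac
from urllib.parse import quote


def pct(s) -> str:
    """RFC 3986 percent-encoding as OAuth 1.0a requires (only -._~ unreserved)."""
    return quote(str(s), safe="-._~")


def signature_base_string(method: str, url: str, params: dict) -> str:
    """Normalise every oauth_* and request parameter into the string that gets signed."""
    pairs = sorted((pct(k), pct(v)) for k, v in params.items())
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), pct(url), pct(normalized)])


def sign(method: str, url: str, params: dict, consumer_secret: str, token_secret: str) -> str:
    """Signing key = consumer_secret&token_secret. Whoever holds the application's
    consumer pair plus the user's access-token pair can produce valid signatures."""
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    base = signature_base_string(method, url, params).encode()
    return base64.b64encode(hmac.new(key, base, hashlib.sha1).digest()).decode()


def authorization_header(method, url, body_params, consumer_key, consumer_secret,
                         access_token, token_secret, nonce, timestamp) -> str:
    """Build the Authorization header a client sends. Only nonce and timestamp
    change per request; the four credentials stay the same for every request
    until the user revokes the application's access."""
    oauth = {
        "oauth_consumer_key": consumer_key,
        "oauth_nonce": nonce,
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_timestamp": str(timestamp),
        "oauth_token": access_token,
        "oauth_version": "1.0",
    }
    oauth["oauth_signature"] = sign(method, url, {**oauth, **body_params},
                                    consumer_secret, token_secret)
    return "OAuth " + ", ".join(f'{pct(k)}="{pct(v)}"' for k, v in sorted(oauth.items()))


if __name__ == "__main__":
    # Constructed example credentials and endpoint (not real Twitter values).
    print(authorization_header("POST", "https://api.example.com/tweet",
                               {"status": "Hello world"}, "CK", "CS", "AT", "TS", "n1", 1))
```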