Ripping OAuth tokens or other secrets out of TweetDeck, Twitter.app & other apps
timetobleed.comBy its nature, the only way to combat this class of attack is security by obscurity - hence, it should be assumed that OAuth client tokens and client secrets do not provide true protection against unauthorized client applications.
Of course the tokens can be obfuscated, but at some point the tokens must be used in plain-text to sign the OAuth request, and on a device like an iPhone where complete control of execution flow and full address space access is possible (via kernel exploits / jailbreak and a debugger), it's literally impossible to prevent this attack.
Issuing unique per-device device tokens would be an interesting approach, but then a trusted side-band would be necessary to issue the tokens to the device, and a lot of the point of OAuth is moot.
OAuth is still quite useful for user authentication (as to steal per-user tokens requires access to the user's device anyway).
I get this at Mon Aug 20 2012 23:00:37 GMT+0200
Not Found
The requested URL /ripping-oauth-tokens-or-other-secrets-out-of-tweetdeck-twitter-app-and-other-apps/ was not found on this server.
If you go directly to the domain, http://timetobleed.com/, then you can see an image of the post, along with a nice message to Rack Space.