
Consumer keys of official Twitter clients


Twitter for iPhone

Consumer key: IQKbtAYlXLripLGPWd0HUA
Consumer secret: GgDYlkSvaPxGxC4X8liwpUoqKwwr3lCADbz8A7ADU

Twitter for Android

Consumer key: 3nVuSoBZnx6U4vzUxf5w
Consumer secret: Bcs59EFbbsdF6Sl9Ng71smgStWEGwXXKSjYvPVt7qys

Twitter for Google TV

Consumer key: iAtYJ4HpUVfIUoNnif1DA
Consumer secret: 172fOpzuZoYzNYaU3mMYvE8m8MEyLbztOdbrUolU

Twitter for iPad

Consumer key: CjulERsDeqhhjSme66ECg
Consumer secret: IQWdVyqFxghAtURHGeGiWAsmCAGmdW3WmbEx6Hck

Twitter for Mac

Consumer key: 3rJOl1ODzm9yZy63FACdg
Consumer secret: 5jPoQ5kQvMJFDYRNE8bQ4rHuds4xJqhvgNJM4awaE8

Twitter for Windows Phone

Consumer key: yN3DUNVO0Me63IAQdhTfCA
Consumer secret: c768oTKdzAjIYCmpSNIdZbGaG0t6rOhSFQP0S5uC79g


Consumer key: yT577ApRtZw51q4NPMPPOQ
Consumer secret: 3neq3XqN5fO3obqwZoajavGFCUrC42ZfbrLXy5sCv8

But what does it all mean, Basil?

j7 commented Mar 7, 2013

@wedtm these are the username/password that the application itself uses to authenticate with Twitter. These are supposed to be private, at least the secret.


This means that anyone can now write apps that look like official apps to twitter.


@medecau Not quite, you have to store callback urls with your app, and the tokens are only handed to that url, so unless you gain control of the domains or the account that registered the apps it won't work.


That's not entirely true thilo.

I can only speak for normal people creating their own applications - as Twitter may have put more restrictions in for their own apps, but the oauth_callback parameter overrides any callback parameter configured for the applications, so you can redirect it to whatever URL you like.


@thilo As far as I know only Facebook has that kind of domain restriction in place. Using the oauth_callback parameter to override the callback url should work just fine.


Don't forget that Twitter (for iPad/iOS, at least) has XAuth support, which doesn't require going to the webpage. This means anyone can, now, write a desktop app that can't be banned ('cause it will identify itself as "Twitter for iPad/iOS") that doesn't require going all the way through the authorization page.

tcr commented Mar 7, 2013

I've just tested with localhost:3000, the oauth_callback parameter definitely does not matter. Also, the applications are set up as "Desktop" applications, meaning they require out-of-band tokens (including the iPhone/Android/Windows Phone). A test script:


You also need to specify the callback in the application management tool on Twitter for the newer apps, regardless of what you set in your code. It doesn't work otherwise.


They had it coming.


Let's be honest. They only need to send out a version bump for Twitter clients and expire these tokens and force you to update. It won't give you god-like powers ... At least not for long.


@JonLundy, no, but if they have to bump versions every time someone breaks these keys... then they have a big headache on their hands.


They cannot reasonably upgrade 100s of millions of dumb featurephones that may have those keys embedded in them. I'd say they're hosed if that's true


And so the cat and mouse game begins. If twitter bans a token, then all clients stop working, and thus legitimate users will be irate. This will be a good show.

Hopefully Falcon Pro throws the first stone.

brh commented Mar 7, 2013

@dlikhten Doing that will, I am sure, earn Falcon Pro a lifetime ban; all their users would be rendered useless.


Why am I surprised that @tcr is one of the first to get on this train?


Has anyone been able to verify these codes are genuine?


Seems like this gist was revised 5 months ago.


@tomasmcguinness the Windows Phone one certainly is. I just used it to tweet from the "t" Ruby client on my Mac.


@brh, it surely will... but then again.. how will they ban Falcon Pro if they are using someone else's keys :P

jk commented Mar 7, 2013

You people know that those apps are mobile apps? Most of them use pseudo callback URLs and parse the server's redirect for the auth token. So even if Twitter enforces matching callback URLs, that will not solve the problem here when 3rd-party apps impersonate the official apps.


They are genuine, I verified the Twitter for Android and the TweetDeck keys personally.


it works.. awesome.. ^_^


And with no rate limiting as far as I can see...


Lesson #1 in business, don't piss off the nerds.




These keys are just embedded in the apps, no? Is there a way to store these keys securely? Or maybe there's a different way to do auth?
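The question above gets the same answer the rest of the thread gives: a secret compiled into a distributed client is recoverable by anyone who has the binary, so it cannot be kept private. What a developer can do is treat such keys as public, catch them in release artifacts before they ship, and plan for rotation. The following is an added example, not code from this gist or from Twitter: a small Python scanner that pulls printable strings out of a build artifact and flags tokens shaped like the consumer key/secret pairs listed on this page when a credential-related keyword appears nearby. The sample binary, the key and secret values in it, and the length bounds used for the patterns are all constructed assumptions for the example, not an official format.

```python
import re
from dataclasses import dataclass

# Printable-ASCII runs of 4+ bytes, roughly what strings(1) prints (assumption).
_STRINGS_RE = re.compile(rb"[\x20-\x7e]{4,}")

# Shape of the pairs on the page: keys ~20-25 base62 chars, secrets ~40-45.
# These bounds are an assumption for this example, not an official format.
KEY_RE = re.compile(r"(?<![A-Za-z0-9])[A-Za-z0-9]{20,25}(?![A-Za-z0-9])")
SECRET_RE = re.compile(r"(?<![A-Za-z0-9])[A-Za-z0-9]{40,45}(?![A-Za-z0-9])")

# Nearby words that turn a random-looking token into a probable credential.
CONTEXT_RE = re.compile(r"consumer[_ ]?(key|secret)|oauth|api[_ ]?(key|secret)", re.I)


@dataclass
class Finding:
    index: int      # position of the string in the extracted list
    kind: str       # "consumer_key" or "consumer_secret"
    redacted: str   # token with the middle masked, safe to put in a CI log
    context: str    # the string that supplied the credential context


def extract_strings(blob: bytes) -> list[str]:
    """Return printable-ASCII runs of 4+ characters found in a binary blob."""
    return [m.group().decode("ascii") for m in _STRINGS_RE.finditer(blob)]


def redact(token: str) -> str:
    """Keep just enough of a token to recognise it without reprinting it."""
    return token[:4] + "..." + token[-2:]


def scan_strings(strings: list[str], window: int = 2) -> list[Finding]:
    """Flag key/secret-shaped tokens that have credential context within `window` strings."""
    findings: list[Finding] = []
    for i, s in enumerate(strings):
        for kind, pattern in (("consumer_key", KEY_RE), ("consumer_secret", SECRET_RE)):
            for m in pattern.finditer(s):
                lo, hi = max(0, i - window), min(len(strings), i + window + 1)
                ctx = [strings[j] for j in range(lo, hi) if j != i and CONTEXT_RE.search(strings[j])]
                if CONTEXT_RE.search(s):
                    ctx.insert(0, s)
                if ctx:  # no context nearby: treat as an ordinary identifier or hash
                    findings.append(Finding(i, kind, redact(m.group()), ctx[0]))
    return findings


def scan_blob(blob: bytes, window: int = 2) -> list[Finding]:
    """Convenience wrapper: strings extraction followed by the context-aware scan."""
    return scan_strings(extract_strings(blob), window)


# Constructed stand-in for a client binary; the key and secret are made-up values.
SAMPLE_BLOB = b"\x7fELF\x00\x00" + b"\x00".join([
    b"Twitter for ExampleOS",
    b"consumer_key",
    b"EXAMPLEkey0123456789ab",                    # 22 chars, constructed
    b"consumer_secret",
    b"EXAMPLEsecret0123456789abcdefghijklmnopqr",  # 41 chars, constructed
    b"https://api.twitter.com/oauth/access_token",
    b"Copyright 2013",
    b"Build id",
    b"0123456789abcdefghij",                      # 20-char token with no context: not flagged
]) + b"\x00"


if __name__ == "__main__":
    for f in scan_blob(SAMPLE_BLOB):
        print(f"string #{f.index}: {f.kind} {f.redacted} (context: {f.context!r})")
```

Run against a real build, this is the kind of check that belongs in the release pipeline: it only proves a key is present, it does nothing to hide it, and a hit should lead to the key being treated as already public.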


So, is this the same with Facebook and G+ official apps (key/secret of them could be revealed)?


The Android one is genuine, because I was able to extract it from the Twitter APK myself a week ago.

They are stored in the app itself (obviously, otherwise the app will not work), and they are obfuscated, but it is quite easy to reverse (a simple subtraction). I even found another pair that are not mentioned above, maybe an older set?

Secret=[will not publish]

Anyway, Twitter is making it more difficult to extract this data from the apk.
In older versions of the apk, you can simply intercept the traffic with an SSL proxy and get the consumer key easily, while the latest version of the Twitter app does check the signature of the SSL certificate and doesn't work with fake ones.


Verified all the API Keys & Secrets which have been released. They all are valid & work fine.


Don't be too enthusiastic about this. Twitter has already mitigated the problem following the line of least resistance: They axed all official apps:


@vorbote They killed the Tweetdeck app, not their official Twitter app...


@mcbyte-it You missed the part where Twitter kills its 1.0 API[1], which is what these private keys are meant for.



@vorbote yes, API v1.0 is going away, but also 1.1 uses Consumer Key / Secret, no?


Wow! Just successfully tweet'd via Twitter for iPhone, and Twitter for Mac using these app credentials.


@vorbote v1.0 and v1.1 both use oauth. The fact that they deprecated v1.0 doesn't reduce the awesome opportunities we now have with the official keys.


-1 for native apps


@DHuckaby agreed, working on something here, would like to talk with you if that's kool.


Only TweetDeck keys work now. I wasn't able to authenticate with the other ones.


@verdugocarlos They definitely still work, I just tested them to verify. Make sure you read the response that comes from the server.


@renegade88 Sure, comment on my fork here so that we don't trash this guy's gist.


@DHuckaby awesome, just did....


Hmm, those tokens seem less rate-limited than normal tokens but still have a limit. It would have been too good.


has this been patched yet?


It seems these tokens don't work anymore.


Error 226: This request looks like it might be automated. To protect our users from spam and other malicious activity, we can't complete this action right now.

I've changed IP and account, same error 😮
Is it happening to everyone?


There's a chance that they are looking at the User Agent String. However, the only way to know for sure if the keys do not work anymore is to try to use a version of a Twitter client that relied on one of these keys. So, assuming they are still supporting these legacy clients, my assumption is probably true since the keys are hardcoded in the binary.


Don't think it is working.


It does work !
