Consumer keys of official Twitter clients

Twitter for iPhone

Consumer key: IQKbtAYlXLripLGPWd0HUA
Consumer secret: GgDYlkSvaPxGxC4X8liwpUoqKwwr3lCADbz8A7ADU

Twitter for Android

Consumer key: 3nVuSoBZnx6U4vzUxf5w
Consumer secret: Bcs59EFbbsdF6Sl9Ng71smgStWEGwXXKSjYvPVt7qys

Twitter for Google TV

Consumer key: iAtYJ4HpUVfIUoNnif1DA
Consumer secret: 172fOpzuZoYzNYaU3mMYvE8m8MEyLbztOdbrUolU

Twitter for iPad

Consumer key: CjulERsDeqhhjSme66ECg
Consumer secret: IQWdVyqFxghAtURHGeGiWAsmCAGmdW3WmbEx6Hck

Twitter for Mac

Consumer key: 3rJOl1ODzm9yZy63FACdg
Consumer secret: 5jPoQ5kQvMJFDYRNE8bQ4rHuds4xJqhvgNJM4awaE8

Twitter for Windows Phone

Consumer key: yN3DUNVO0Me63IAQdhTfCA
Consumer secret: c768oTKdzAjIYCmpSNIdZbGaG0t6rOhSFQP0S5uC79g

TweetDeck

Consumer key: yT577ApRtZw51q4NPMPPOQ
Consumer secret: 3neq3XqN5fO3obqwZoajavGFCUrC42ZfbrLXy5sCv8
@wedtm
wedtm commented Mar 7, 2013

But what does it all mean, Basil?

@j7
j7 commented Mar 7, 2013

@wedtm these are the username/password that the application itself uses to authenticate with Twitter. These are supposed to be private, at least the secret.

@medecau
medecau commented Mar 7, 2013

This means that anyone can now write apps that look like official apps to Twitter.

@thilo
thilo commented Mar 7, 2013

@medecau Not quite, you have to store callback urls with your app, and the tokens are only handed to that url, so unless you gain control of the domains or the account that registered the apps it won't work.

@unclespode

That's not entirely true thilo.

I can only speak for normal people creating their own applications - as Twitter may have put more restrictions in for their own apps, but the oauth_callback parameter overrides any callback parameter configured for the applications, so you can redirect it to whatever URL you like.

@guidobouman

@thilo As far as I know only Facebook has that kind of domain restriction in place. Using the oauth_callback parameter to override the callback url should work just fine.

@jbiason
jbiason commented Mar 7, 2013

Don't forget that Twitter (for iPad/iOS, at least) has XAuth support, which doesn't require going to the webpage. This means anyone can, now, write a desktop app that can't be banned ('cause it will identify itself as "Twitter for iPad/iOS") that doesn't require going all the way through the authorization page.

@tcr
tcr commented Mar 7, 2013

I've just tested with localhost:3000, the oauth_callback parameter definitely does not matter. Also, the applications are set up as "Desktop" applications, meaning they require out-of-band tokens (including the iPhone/Android/Windows Phone). A test script: https://gist.github.com/tcr/5108489

@outrunthewolf

You also need to specify the callback in the application management tool on Twitter for the newer apps. Regardless of what you set in your code, it doesn't work otherwise.
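
The callback behaviour argued over in the comments above, seen from the provider side, as an added example that is not part of the gist or of Twitter's code: a request-token check that accepts `oauth_callback` only when it exactly matches what is registered for the consumer key, with `oob` reserved for desktop apps. The registry, key names and URLs are constructed for illustration.

```python
from urllib.parse import urlsplit

# Constructed registry (hypothetical): consumer key -> app type and callbacks.
REGISTERED = {
    "web-app-key": {"type": "web", "callbacks": ["https://app.example.com/oauth/cb"]},
    "desktop-key": {"type": "desktop", "callbacks": []},
    "mobile-key": {"type": "mobile", "callbacks": ["exampleapp://oauth"]},
}
DEFAULT_PORTS = {"http": 80, "https": 443}


def normalize(url):
    """Return a comparable tuple for an absolute URL, or None if unacceptable."""
    try:
        parts = urlsplit(url)
        port = parts.port  # raises ValueError on a non-numeric or out-of-range port
    except ValueError:
        return None
    # Reject relative URLs, userinfo ("user@host" look-alikes) and fragments.
    if not parts.scheme or not parts.hostname or parts.username or parts.password:
        return None
    if parts.fragment:
        return None
    scheme = parts.scheme.lower()
    if port is None:
        port = DEFAULT_PORTS.get(scheme)
    return (scheme, parts.hostname.lower(), port, parts.path or "/", parts.query)


def validate_callback(consumer_key, oauth_callback):
    """Check oauth_callback at the request-token step; return (ok, reason)."""
    app = REGISTERED.get(consumer_key)
    if app is None:
        return (False, "unknown consumer key")
    if oauth_callback == "oob":
        # Out-of-band (PIN) flow: no redirect happens, so only desktop apps get it.
        ok = app["type"] == "desktop"
        return (ok, "oob allowed" if ok else "oob not registered for this app")
    if app["type"] == "desktop":
        return (False, "desktop app must use oob")
    requested = normalize(oauth_callback)
    if requested is None:
        return (False, "malformed callback")
    # Exact match after normalization: no prefix, subdomain or extra-query matching.
    if requested in {normalize(u) for u in app["callbacks"]}:
        return (True, "matches registered callback")
    return (False, "callback not registered")
```

Exact matching only constrains where the provider redirects; it does not authenticate a client whose consumer secret ships inside its binary.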

@mrmans0n
mrmans0n commented Mar 7, 2013

They had it coming.

@JonLundy
JonLundy commented Mar 7, 2013

Let's be honest. They only need to send out a version bump for Twitter clients and expire these tokens and force you to update. It won't give you god-like powers ... At least for long.

@rdohms
rdohms commented Mar 7, 2013

@JonLundy, no, but if they have to bump versions every time someone breaks these keys... then they have a big headache on their hands.

@zyga
zyga commented Mar 7, 2013

They cannot reasonably upgrade 100s of millions of dumb featurephones that may have those keys embedded in them. I'd say they're hosed if that's true.

@dlikhten
dlikhten commented Mar 7, 2013

And so the cat and mouse game begins. If Twitter bans a token, then all clients stop working, and thus legitimate users will be irate. This will be a good show.

Hopefully Falcon Pro throws the first stone.

@brh
brh commented Mar 7, 2013

@dlikhten Doing that will, I am sure, earn Falcon Pro a lifetime ban; all their users would be rendered useless.

@CarlQLange

Why am I surprised that @tcr is one of the first to get on this train?

@tomasmcguinness

Has anyone been able to verify these codes are genuine?

@karangb
karangb commented Mar 7, 2013

Seems like this gist was revised 5 months ago.

@smartwatermelon

@tomasmcguinness the Windows Phone one certainly is. I just used it to tweet from the "t" Ruby client on my Mac.

@rdohms
rdohms commented Mar 7, 2013

@brh, it surely will... but then again.. how will they ban Falcon Pro if they are using someone else's keys :P

@jk
jk commented Mar 7, 2013

You people know that those apps are mobile apps? Most of them use pseudo callback URLs and parse the server's redirect for the auth token. So even if Twitter enforces matching callback URLs, that will not solve the problem here when the 3rd party apps impersonate the official apps.

@DHuckaby
DHuckaby commented Mar 8, 2013

They are genuine, I verified the Twitter for Android and the TweetDeck keys personally.

@aageboi
aageboi commented Mar 8, 2013

it works.. awesome.. ^_^

@DHuckaby
DHuckaby commented Mar 8, 2013

And with no rate limiting as far as I can see...

@ghuntley
ghuntley commented Mar 8, 2013

Lesson #1 in business, don't piss off the nerds.

@PhotoPaul

ghuntley++;

@surjikal
surjikal commented Mar 8, 2013

These keys are just embedded in the apps, no? Is there a way to store these keys securely? Or maybe there's a different way to do auth?

@ibmkhd
ibmkhd commented Mar 8, 2013

So, is this the same with Facebook and G+ official apps (key/secret of them could be revealed)?

@mcbyte-it

The Android one is genuine, because I was able to extract it from the Twitter APK myself a week ago.

They are stored in the app itself (obviously, otherwise the app will not work), and they are obfuscated, but it is quite easy to reverse (a simple subtraction). I even found another pair that are not mentioned above, maybe an older set?

Key=m9QsrrmJoANGROAiNKaC8g
Secret=[will not publish]

Anyway, Twitter is making it more difficult to extract this data from the APK.
In older versions of the APK, you can simply intercept the traffic with an SSL proxy and get the Consumer key easily, while the latest version of the Twitter app does check the signature of the SSL certificate and doesn't work with fake ones.

@vevck
vevck commented Mar 8, 2013

Verified all the API Keys & Secrets which have been released. They all are valid & work fine.

@palopezv
palopezv commented Mar 9, 2013

Don't be too enthusiastic about this. Twitter has already mitigated the problem following the line of least resistance: They axed all official apps: http://readwrite.com/2013/03/04/twitter-kills-off-tweetdeck-may-2013

@mcbyte-it

@vorbote They killed the Tweetdeck app, not their official Twitter app...

@palopezv
palopezv commented Mar 9, 2013

@mcbyte-it You missed the part where Twitter kills its 1.0 API[1], which is what these private keys are meant for.

[1] https://dev.twitter.com/blog/planning-for-api-v1-retirement

@mcbyte-it

@vorbote yes, API v1.0 is going away, but also 1.1 uses Consumer Key / Secret, no?

@vishaltelangre

Wow! Just successfully tweet'd via Twitter for iPhone, and Twitter for Mac using these app credentials.

@DHuckaby

@vorbote v1.0 and v1.1 both use oauth. The fact that they deprecated v1.0 doesn't reduce the awesome opportunities we now have with the official keys.

@0m15
0m15 commented Mar 10, 2013

-1 for native apps

@renegade88

@DHuckaby agreed, working on something here, would like to talk with you if that's kool.

@verdugocarlos

Only TweetDeck keys work now. I wasn't able to authenticate with the other ones.

@DHuckaby

@verdugocarlos They definitely still work, I just tested them to verify. Make sure you read the response that comes from the server.

@DHuckaby

@renegade88 Sure, comment on my fork here so that we don't trash this guy's gist.

@renegade88

@DHuckaby awesome, just did....

@MrPointVirgule

Hmm, those tokens seem less rate-limited than normal tokens but still have a limit. It would have been too good.

@wmpay
wmpay commented Nov 20, 2014

Has this been patched yet?

@cgrs
cgrs commented Jan 5, 2015

It seems these tokens don't work anymore.

@ibruno
ibruno commented Jul 15, 2015

Error 226: This request looks like it might be automated. To protect our users from spam and other malicious activity, we can't complete this action right now.

I've changed IP and account, same error 😮
Is it happening to everyone?

@tiabas
tiabas commented Aug 12, 2015

There's a chance that they are looking at the User Agent String. However, the only way to know for sure if the keys do not work anymore is to try to use a version of a Twitter client that relied on one of these keys. So, assuming they are still supporting these legacy clients, my assumption is probably true since the keys are hardcoded in the binary.

@ydaniels
ydaniels commented Nov 2, 2015

Don't think it is working.
