hey @twittersecurity – just reviewing https://dev.twitter.com/webhooks/securing … – shouldn’t the HMAC’ed message include the requested URL to prevent MITM?
It's hard to say. I think they are just trying to prove possession of the HMAC key by the other end. If you can respond at $url and you don't have the HMAC key, you're not the authorized app, otherwise you are. Allows different apps to share an origin, I guess.
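Added example (not code from the thread, from Twitter, or from the linked doc) showing the two readings above side by side: a bare HMAC over a challenge token, which only proves possession of the key, and the URL-bound variant the first tweet proposes. The "sha256=" + base64 response format is taken from the CRC challenge in the linked doc as I remember it and is an assumption here; the secret, URLs and the `relay_succeeds` scenario are constructed for illustration.

```python
import base64
import hashlib
import hmac
import secrets

# Constructed sample secret; in the real API this would be the app's consumer secret (assumption).
CONSUMER_SECRET = b"example-consumer-secret"


def crc_response_token(secret: bytes, crc_token: str) -> str:
    """App side: prove possession of the key with HMAC-SHA256 over the challenge only."""
    digest = hmac.new(secret, crc_token.encode(), hashlib.sha256).digest()
    return "sha256=" + base64.b64encode(digest).decode()


def crc_verify(secret: bytes, crc_token: str, response_token: str) -> bool:
    """Verifier side: recompute and compare in constant time."""
    return hmac.compare_digest(crc_response_token(secret, crc_token), response_token)


def bound_response_token(secret: bytes, url: str, crc_token: str) -> str:
    """Variant from the first tweet: also bind the URL the challenge was delivered to.
    Fields are length-prefixed so url/token boundaries cannot be shifted."""
    fields = (url.encode(), crc_token.encode())
    msg = b"".join(len(f).to_bytes(4, "big") + f for f in fields)
    digest = hmac.new(secret, msg, hashlib.sha256).digest()
    return "sha256=" + base64.b64encode(digest).decode()


def bound_verify(secret: bytes, url: str, crc_token: str, response_token: str) -> bool:
    """Verifier recomputes over the URL it actually sent the challenge to (its registered URL)."""
    return hmac.compare_digest(bound_response_token(secret, url, crc_token), response_token)


def relay_succeeds(bound: bool) -> bool:
    """Constructed scenario: the verifier challenges an attacker-controlled URL, the attacker
    forwards the token to the legitimate app and relays its answer. Returns True if the
    verifier accepts the relayed answer."""
    legit_url = "https://app.example/webhook"          # where the real app receives the challenge
    attacker_url = "https://attacker.example/webhook"  # URL the verifier was asked to register
    token = secrets.token_urlsafe(16)
    if not bound:
        # The real app's answer does not depend on the URL, so it verifies anywhere.
        answer = crc_response_token(CONSUMER_SECRET, token)
        return crc_verify(CONSUMER_SECRET, token, answer)
    # The real app signs over its own URL; the verifier checks over the attacker's URL.
    answer = bound_response_token(CONSUMER_SECRET, legit_url, token)
    return bound_verify(CONSUMER_SECRET, attacker_url, token, answer)


if __name__ == "__main__":
    print("unbound relay accepted:", relay_succeeds(bound=False))
    print("url-bound relay accepted:", relay_succeeds(bound=True))
```

The unbound check answers the reply's reading exactly: it proves the responder holds the key, nothing more. Binding the URL only helps if the app signs the URL it actually served the request at (scheme, host and path as received) and the verifier signs the URL it registered; any mismatch in normalisation will produce false rejections, which is the practical cost of the proposal.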