• Resolved pixeltokig

    (@pixeltokig)


    Hello!

    One of our partners has noticed that the access_token is wide open for anyone to take and exploit. Shouldn’t it be secured and not accessible for unauthorized users?

    When we see what Instagram has to say they say this:
    https://www.instagram.com/developer/authentication/

    That it should be kept secret. But it is not secret for visitors. Anyone can get it as it is now.

    Or have I misunderstood this and the way you have implemented it is the correct way?

    Thanks in advance!

    Kind regards, Christoffer

Viewing 3 replies - 1 through 3 (of 3 total)
  • Plugin Author smashballoon

    (@smashballoon)

    Hi Christoffer,

    Thanks for the question. Our plugin generates a “read only” token and so there’s no need to be concerned about it being exposed in the source code. The only thing the token has permissions for is viewing the photos and info from your public Instagram account (screenshot) which is already publicly accessible. The tokens that our app authorizes do not have the ability to write to or gain access to your Instagram account, and so there’s no security concern. It is possible for other apps to generate tokens which do have more permissions, in which case those tokens should be kept private.

    Let me know whether that addresses your concerns, or if you have any other questions at all!

    John

    Thread Starter pixeltokig

    (@pixeltokig)

    Hello!

    Thanks for the explanation!

    Awesome plugin btw!

    Kind regards, Christoffer

    Plugin Author smashballoon

    (@smashballoon)

    You’re welcome Christoffer, just let me know if you have any other questions, and glad to hear you like the plugin!

    John

  • The topic ‘Seems like the access_token is accessible for everyone but it should be private?’ is closed to new replies.