Why would they have to circumvent anything? The app relies on the user providing valid credentials, no circumvention needed. It just has to mimic an official client.
> Why would they have to circumvent anything? The app relies on the user providing valid credentials, no circumvention needed. It just has to mimic an official client.
Somebody else said they're using oauth. Afaik, instagram does not provide a public API. So it seems like they abused oauth for that?
Presumably "abusing" OAuth means they've just extracted the client ID and client secret from the official app, thus pretending to be the official app to the API.
There's no other way to "abuse" OAuth other than pretending to be an already-authorized client, and obtaining that authorization still ultimately relies on getting the user's username & password and would only be limited to what the client you're impersonating is allowed to access.
reply