Comment by dunham
8 years ago
These guys were probably saved by using OAuth - there is a consumer secret (which the "_key" is just an identifier for) and an access token secret, both of which are not sent over the wire. Just a signature based on them. (The timestamp and nonce prevent replay attacks.)
OAuth2 "simplified" things and just sends the secret over the wire, trusting SSL to keep things safe.
Does this have anything to do with CloudFlare's ambitious attempt to be the first service to proxy your https traffic to your users?
Perhaps the largest MITM ever eh?