jump to navigation

NOTE: The spam filter is being unusually aggressive. If you comment does not immediately appear, it has simply been placed in moderation and I will approve it as quickly as possible. Thank you for your patience.

"Murphy was an optimist!"

Twitter API Severely Flawed December 3, 2008 12:06 pm

Posted by Doug McCaughan in : Communications, Programming, Software, Technology
, trackback

Twitter’s API (basically a way to let software developer’s work with Twitter’s data) has been a huge factor in Twitter’s success. When Twitter did not provide adequate search, a developer used the API to create http://summize.com/ which was so good that Twitter purchased it and incorporated the code as http://search.twitter.com/. Twitter does not provide stats but numerous developers have created applications such as Twitter Charts and Twitter Stats to provide statistics. (See also: Now You Can Graph Your Twitter Usage) The API has allowed people to get away from the phone and web interfaces by developing desktop applications such as Twhirl and TweetDeck (which includes features not built into Twitter such as grouping of friends). Twitter by default emails you when someone starts following but never tells you when someone quits following so software developers used the API to write Qwitter and Twitterless.

Where’s the flaw? The flaw is in the authentication. Many of these services or applications developed by a third party require you enter your username and password. There is nothing to say that this third party should be trusted and we give them the keys to the kingdom. With that username and password that developer could maliciously use your account for spam, sign you up for other services, or flat out lock you out of your own Twitter account. If one of these services started sending too many Tweets and causing your followers to quit following (see #7) you, the solution is to change your password. But, changing your password also breaks all the other Twitter services you have signed up to use.

What’s the solution? The solution is simple. For each service or application that requires a username and password to access my Twitter data, I should be able to generate a key instead of giving them my password similarly to the way Amazon Web Services works. This would give me the power to list all the services I use from my Twitter profile and to individually and at my own discretion disable each service. From a developer’s standpoint, the process is easy because a key is simply a GUID. The only challenging part to Twitter developers is changing the authentication process and developing the profile screen to manage the keys.

Until Twitter implements a key scheme, I am no longer giving my password out to third party Twitter applications and services (unless they are really cool and look really trustable!). I made an exception today for TwitterFone so I could compare it to Jott.

See also:
Twitter Guide: How To Do Things With Twitter

Update Dec 15, 2008: See also Is Twitterank Ranking Your Popularity Or Stealing Your Password? Others see the same flaw I do.

Update: OAuth looks like a very viable solution.

Update Dec 29, 2008: Alex Payne, The Twitter API Lead developer, confirms that Twitter is testing OAuth! Yes! OAuth is coming.

Update Jan 2, 2009: See also Allen Stern’s Sheep Line Up in Perfect Twitter Formation and Louis Gray’s Twitterank Can Have My Password, No Questions Asked.

Update Jan 3, 2009: I’ve now officially been phished through Twitter. I didn’t bite. I’m betting someone used a 3rd party website that looked legitimate while collecting usernames and passwords (maybe it promised to send @ replies through email or give Twitter stats or something) and then using the Twitter API ran a muck sending direct messages from "trusted" people hoping to get people to click through to the bad website. The one I received:

softclothing Hey, i found a website with your pic on it… LOL check it out here http://twitterblog.access-logins.com/login

Comments after advertisement

Comments»

1. Victor Agreda Jr - December 29, 2008

I think that scoring or ranking thing that hit a few weeks ago sent up a flare on this for me as well. Makes no sense, really, for them not to implement…

2. Doug McCaughan - December 29, 2008

I’ve thought about it for a very long time. Yes, Is Twitterank Ranking Your Popularity Or Stealing Your Password? certainly caused a stir. I made this post before I had heard about the Twitterrank uproar so obviously it is a very apparent flaw to many people.

I hope you are right about the flares.

3. Michael - December 30, 2008

Why not oauth?

4. Tom - December 30, 2008

OAuth, like Duke Nukem Forever, is “on the way”. Supposedly they’re “really close”, according to Al3x.

5. darkua - December 30, 2008

OAUTH! OAUTH! OAUTH!

6. Doug McCaughan - December 30, 2008

OAuth looks very viable. At the time I posted this, I had not looked into OAuth and still have only read about it briefly. As long OAuth gives me the ability to deny one application while keeping another going, it should be a good choice.

If I signup for (let’s make up some fake Twitter applications) ReTwitterApp and I also sign up for TQuoteMeApp and both require my authentication credentials, then I discover that ReTwitterApp is too spammy and I want to deny it, will OAuth make it easy to stop ReTwitterApp from authenticating on my account while letting TQuoteMeApp continue to work? If so, oauth will be excellent.

Tom, glad to hear they are close!

7. Praveen Alavilli - December 30, 2008

OAuth provides Service Providers to enable such revoking functionality too. If you look at the spec, it provides consumer applications/clients a secure way to obtain an access token and secret with out asking for user’s credentials directly by themselves (analogous to amazon web services key/secret pair but even “better” because the user’s do not need to manage the keys & secrets – they are handed over as part of the OAuth protocol).

So in your example, each one of the 3rd party application you signup for will get it’s own token/secret pair by sending you to the Twitter’s authorization page where you authorize their access. After that at any given point of time you can goto your Twitter’s profile page and manage access for those applications.
Best example to look at is http://fireeagle.yahoo.net/ or even Flickr apps to see how the model works.

8. Doug McCaughan - December 30, 2008

Perfect! I look forward to incorporating OAuth into the applications I personally develop.

9. Five Things Twitter Should Do in ‘09 | Twitterrati - January 2, 2009

[…] 4. Make the Twitter API more user-friendly for developers, especially the authentication process. This would make Twitter more secure for users and make it easier for developer to unveil new services. For more on Twitter’s authentication flaws, check out this post by Reality Me. […]

10. Twitter Trackbacks for Reality Me » Twitter API Severely Flawed [realityme.net] on Topsy.com - September 1, 2009

[…] Reality Me » Twitter API Severely Flawed realityme.net/2008/12/03/twitter-api-severely-flawed – view page – cached #RSS 2.0 RSS .92 Atom 0.3 Reality Me » Twitter API Severely Flawed Comments Feed Reality Me He Returns TP Emergency! Straight to /dev/null — From the page […]


trackback