
Twitter API Severely Flawed

Twitter’s API (basically a way to let software developers work with Twitter’s data) has been a huge factor in Twitter’s success. When Twitter did not provide adequate search, a developer used the API to create which was so good that Twitter purchased it and incorporated the code as Twitter does not provide stats but numerous developers have created applications such as Twitter Charts and Twitter Stats to provide statistics. (See also: Now You Can Graph Your Twitter Usage) The API has allowed people to get away from the phone and web interfaces by developing desktop applications such as Twhirl and TweetDeck (which includes features not built into Twitter, such as grouping of friends). Twitter by default emails you when someone starts following you but never tells you when someone quits following, so software developers used the API to write Qwitter and Twitterless.

Where’s the flaw? The flaw is in the authentication. Many of these third-party services and applications require you to enter your Twitter username and password. There is nothing to say that this third party should be trusted, yet we hand them the keys to the kingdom. With your username and password, that developer could maliciously use your account to send spam, sign you up for other services, or flat out lock you out of your own Twitter account. If one of these services starts sending too many Tweets and causes your followers to quit following you (see #7), the solution is to change your password. But changing your password also breaks every other Twitter service you have signed up to use.

What’s the solution? The solution is simple. For each service or application that needs access to my Twitter data, I should be able to generate a key instead of giving it my password, similar to the way Amazon Web Services works. This would give me the power to list all the services I use from my Twitter profile and to disable each one individually, at my own discretion, without affecting the others. From a developer’s standpoint the process is easy, because a key is simply a GUID. The only challenging part for Twitter’s developers is changing the authentication process and building the profile screen to manage the keys.
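An added illustration of the per-service key scheme described above (example code written for this page, not Twitter’s or any real API’s implementation; the `PerAppKeyStore` class and its method names are hypothetical). Each application gets its own GUID key id plus a secret that is stored only as a hash, the user can list every key and revoke one without touching the rest, and the password itself is never handed out:

```python
import hashlib
import hmac
import secrets
import uuid
from dataclasses import dataclass
from typing import Optional


@dataclass
class AccessKey:
    key_id: str        # a GUID, as the post suggests
    app_name: str      # which third-party service holds this key
    secret_hash: str   # only the hash is stored server-side
    revoked: bool = False


class PerAppKeyStore:
    """Hypothetical per-application access keys standing in for a user's password."""

    def __init__(self) -> None:
        self._keys: dict[str, AccessKey] = {}

    @staticmethod
    def _hash(secret: str) -> str:
        # The secret is 256 bits of randomness, not a human password,
        # so a plain SHA-256 at rest is adequate here.
        return hashlib.sha256(secret.encode()).hexdigest()

    def issue(self, app_name: str) -> tuple[str, str]:
        """Create a key for one service; the secret is shown to the user once."""
        key_id = str(uuid.uuid4())
        secret = secrets.token_urlsafe(32)
        self._keys[key_id] = AccessKey(key_id, app_name, self._hash(secret))
        return key_id, secret

    def list_apps(self) -> list[tuple[str, str, bool]]:
        """What the profile screen would show: key id, service, revoked flag."""
        return [(k.key_id, k.app_name, k.revoked) for k in self._keys.values()]

    def revoke(self, key_id: str) -> None:
        """Disable one service's key; every other key keeps working."""
        self._keys[key_id].revoked = True

    def authenticate(self, key_id: str, secret: str) -> Optional[str]:
        """Return the calling service's name on success, None otherwise."""
        key = self._keys.get(key_id)
        if key is None or key.revoked:
            return None
        if not hmac.compare_digest(key.secret_hash, self._hash(secret)):
            return None
        return key.app_name
```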

Until Twitter implements a key scheme, I am no longer giving my password out to third party Twitter applications and services (unless they are really cool and look really trustable!). I made an exception today for TwitterFone so I could compare it to Jott.

See also:
Twitter Guide: How To Do Things With Twitter

Update Dec 15, 2008: See also Is Twitterank Ranking Your Popularity Or Stealing Your Password? Others see the same flaw I do.

Update: OAuth looks like a very viable solution.

Update Dec 29, 2008: Alex Payne, the Twitter API lead developer, confirms that Twitter is testing OAuth! Yes! OAuth is coming.

Update Jan 2, 2009: See also Allen Stern’s Sheep Line Up in Perfect Twitter Formation and Louis Gray’s Twitterank Can Have My Password, No Questions Asked.

Update Jan 3, 2009: I’ve now officially been phished through Twitter. I didn’t bite. I’m betting someone used a third-party website that looked legitimate while collecting usernames and passwords (maybe it promised to send @ replies through email or give Twitter stats or something) and then, using the Twitter API, ran amok sending direct messages from "trusted" people hoping to get people to click through to the bad website. The one I received:

softclothing Hey, i found a website with your pic on it… LOL check it out here