Twitter… About Password Security & OAuth

 

People sharing Twitter passwords with rogue friend apps has been a problem for a few years – I have written quite a few posts warning people of the dangers of sharing passwords with insecure apps, and have also been critical of giant social networks continuing the practice of scraping data from other services using standard password authentication.

Thus I am glad to see Twitter will switch off access to their API using standard authentication of username and password, and providing access only by OAuth.

For that I applaud the Twitter team for taking a positive step for online security.

Do As I Say, Not As I Do?

Twitter are still scraping friend information from email accounts.

Twitter Find Friends

It doesn’t matter what they claim they scrape, or that they claim to not store the information

  • Not using OAuth is now totally hypocritical
  • Twitter have been hacked in the past
  • A few hundred million people giving up their email passwords is quite a valuable target

I realise Facebook only fixed their Friend Finding / Tell-A-Friend system after they purchased Octazen (and shut it down to new customers), but if Twitter expect their developers to use OAuth, the least they should do is use it themselves.

Update

Just saw this in Facebook – I know that Skype contacts are hardly the key to your online business like a Gmail account, but I thought they were finally past all this account scraping crap.

Facebook privacy

Facebook sucks for privacy again… well even more… well you know.

 

Liked this post? Follow this blog to get more. Follow

Comments

  1. says

    This move by Twitter is great, hopefully they’ll continue to make things more and more secure by not scraping anything.

    There is a major problem with privacy at the moment, things are getting more and more open and, whilst there are benefits to being open, having your password scraped like crazy isn’t a good thing.

    • says

      Site get compromised for all kinds of reasons – some of the most innocent as an example are some of the stunts performed to Justin Bieber’s profiles by his “fans” on 4chan and elsewhere.
      It is quite possible someone at Twitter has done a split test and decided that using Oauth will slow their growth by 20% because your average user won’t understand the OAuth process.
      But the more sites that use it, and the more familiarity there is of the risks of giving passwords to sites, that discrepancy in conversion of a viral action goes away.

  2. says

    Hi Andy,
    Now that you are writing about”a better Twitter widget,” are there any chances that the Twitter community gets you back as an active member? Just curious.
    Cheers.

    • says

      The only chance of me going back to Twitter actively as a human would be if they fix the robots.txt and possibly some of the nofollows.

      I might do something like an AndyBot… but I don’t think that is of that much value.

      There are a number of concepts I would like to explore with Twitter, but it is unlikely to happen.

  3. dish network in texas says

    Recently when i access my account on facebook, i get one message regarding scraping friends via skype (As you explained above), but since there are many hacking news i heard about facebook, i don’t believe in using this application.