Twitter API Change Highlights Security Issues

Adam DuVander
Jul. 20 2009, 12:01AM EDT

A new limit on Twitter authentication calls has broken some applications, confusing users and frustrating developers. The microblogging platform now allows only 15 requests per hour to confirm a user's credentials. Previously there was no published limit, and some applications were making well over 15 such calls an hour.

The reason for the change is well-intentioned on Twitter's part. Given unlimited attempts, an attacker can guess a user's password with a dictionary attack, submitting common passwords to the credential check until one is accepted; capping the check at 15 tries an hour makes that attack drastically slower. Access to a high-profile account would put the attacker in front of thousands or millions of followers.
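To make the trade-off concrete, here is an added example (not code from Twitter or from the original article) of a credential check fronted by a 15-per-hour sliding-window limit. The limit value is the one the article reports; keying the counter by account name, counting every attempt whether or not it succeeds, and the 20-word list are assumptions constructed for the illustration. The same code shows both sides of the story: a dictionary attack is cut off after 15 guesses, and a Basic Auth client that re-verifies the password on every refresh locks itself out on its 16th call.

```python
import hashlib
import hmac
import os
from collections import defaultdict, deque

# Assumed parameters: 15 per hour is the figure the article reports. Keying the
# window by account name and counting every attempt (successful or not) are
# assumptions made for this example, not a description of Twitter's implementation.
WINDOW_SECONDS = 3600
MAX_ATTEMPTS_PER_WINDOW = 15

# Constructed wordlist for the simulated attack; the real password is at index 17.
WORDLIST = [
    "123456", "password", "qwerty", "abc123", "monkey", "letmein1", "dragon",
    "111111", "baseball", "iloveyou", "trustno1", "sunshine", "master",
    "welcome", "shadow", "ashley", "football", "letmein", "jesus", "michael",
]


class CredentialVerifier:
    """Password check fronted by a per-account sliding-window rate limit."""

    def __init__(self):
        self._users = {}                     # username -> (salt, PBKDF2 digest)
        self._attempts = defaultdict(deque)  # username -> timestamps of recent attempts

    def register(self, username: str, password: str) -> None:
        salt = os.urandom(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
        self._users[username] = (salt, digest)

    def verify(self, username: str, password: str, now: float) -> str:
        """Return 'ok', 'bad_credentials' or 'rate_limited'.

        `now` is an explicit clock in seconds so runs are reproducible.
        """
        window = self._attempts[username]
        # Forget attempts that have aged out of the one-hour window.
        while window and now - window[0] >= WINDOW_SECONDS:
            window.popleft()
        if len(window) >= MAX_ATTEMPTS_PER_WINDOW:
            return "rate_limited"
        window.append(now)  # every attempt counts, good password or bad
        record = self._users.get(username)
        if record is None:
            # Unknown user: no hash to compare (timing side channel not addressed here).
            return "bad_credentials"
        salt, digest = record
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
        return "ok" if hmac.compare_digest(candidate, digest) else "bad_credentials"


def dictionary_attack(verifier, username, wordlist, start=0.0, interval=1.0):
    """Try each word once per `interval` seconds.

    Returns (password_found_or_None, guesses_actually_checked, guesses_rejected).
    """
    found = None
    checked = rejected = 0
    for i, guess in enumerate(wordlist):
        result = verifier.verify(username, guess, start + i * interval)
        if result == "rate_limited":
            rejected += 1
            continue
        checked += 1
        if result == "ok":
            found = guess
            break
    return found, checked, rejected


def polling_client(verifier, username, password, calls, interval=60.0, start=0.0):
    """A Basic Auth client that re-submits the real password on every refresh."""
    return [verifier.verify(username, password, start + i * interval) for i in range(calls)]


def guesses_per_day() -> int:
    """Upper bound on guesses a single-account attacker gets under the limit."""
    return MAX_ATTEMPTS_PER_WINDOW * (86400 // WINDOW_SECONDS)


if __name__ == "__main__":
    v = CredentialVerifier()
    v.register("alice", "letmein")
    print("attack:", dictionary_attack(v, "alice", WORDLIST))
    print("guesses/day:", guesses_per_day())
    v2 = CredentialVerifier()
    v2.register("bob", "hunter2")
    print("polling client:", polling_client(v2, "bob", "hunter2", 20))
```

Without the limit the attack would succeed on its 18th guess; with it, the attacker is held to 360 guesses a day per account, which is why the change is worthwhile. The polling client shows the cost: a correct password does not exempt a call from the count, so any Basic Auth application that verifies on every refresh is locked out for the rest of the hour after 15 calls, exactly the breakage the article describes.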

An additional problem developers note is that Twitter did not notify them. Nothing appears on the API changelog, but the edit does show up in the Twitter wiki's recent changes.

Applications that authenticate users with OAuth, the generally safer method, are not affected. With OAuth, the user is sent to Twitter to authorize the application, and the application receives a token for that user's account instead of the password itself; since it never submits a password for verification, it never touches the new limit. Applications using Basic Auth instead send the user's password with their requests, and it is that password check which is now rationed.

It's reasonable to expect most users would prefer Twitter staff focus on security over communication. To remain a popular platform, though, the company will have to do both, because so many users interact with Twitter through third-party applications.

Adam DuVander: Hi! I'm Developer Communications Director for SendGrid and former Executive Editor of ProgrammableWeb. I currently serve as a Contributing Editor. If you have API news, or are interested in writing for ProgrammableWeb, please contact editor@programmableweb.com. Though I'm a fan of anything API-related, my particular interest is in mapping. I've published a how-to book, Map Scripting 101, to get anyone started making maps on websites. In a not-so-distant past life I wrote for Wired and Webmonkey.
