Twitter API Change Highlights Security Issues

A new limit on Twitter authentication calls has broken some applications, confusing users and frustrating developers. The microblogging platform now allows only 15 requests per hour to confirm a user's credentials. Previously there was no published limit, and some applications were making well over 15 such calls per hour.

The reason for the change is well-intentioned on Twitter's part. Given unlimited attempts, an attacker can try many passwords against an account in a dictionary attack, and the credential-check endpoint tells them which guess was right. Access to a high-profile account would put the attacker in front of thousands or millions of followers.

An additional problem developers are noting is that Twitter did not notify them. Nothing appears on the API changelog, but the edit does show up on the Twitter wiki's recent changes.

Applications that authenticate users with OAuth, the generally safer method, are not affected. With OAuth, users are sent to Twitter to authorize the application to access their account, so the application never handles the password; with Basic Auth, the application sends the user's password to Twitter for verification.

It's reasonable to expect most users would prefer Twitter staff focus on security over communication. To remain a popular platform, the company will have to do both, because so many users interact with Twitter through third-party applications.

Adam DuVander

The former ProgrammableWeb Executive Editor, Adam is an API expert now helping regular people connect them at Zapier. Previously he worked at API companies SendGrid and Orchestrate, and wrote for Wired and Webmonkey. Adam is also the author of the mapping API cookbook Map Scripting 101. Find him at

Comments (1)

Actually, OAuth users were affected, but Twitter has indicated that they will roll back and re-evaluate this change. Hopefully they will exclude OAuth users this time.