Twitter API Change Highlights Security Issues

A new limit on Twitter authentication calls has broken some applications, confusing users and frustrating developers. The microblogging platform now allows only 15 requests per hour to confirm a user's credentials. Previously there was no published limit, and some applications were making well over 15 such requests.

The reason for the change is well-intentioned on Twitter's part. Given unlimited attempts, an attacker can guess many passwords using a dictionary attack, and access to some high-profile accounts could put that attacker in front of thousands or millions of followers.

An additional problem developers are noting is that Twitter did not notify them. Nothing appears on the API changelog, but the edit does show up on the Twitter wiki's recent changes.

Applications that authenticate users with OAuth, the generally safer method, are not affected. Using OAuth sends users to Twitter to authorize an application to access their account, rather than sending a password for verification (Basic Auth).
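As an added example (not code from the article or from Twitter's API), here is a per-account sliding-window limiter that enforces the 15-per-hour credential-check limit described above and routes OAuth-authorised requests around it, since those carry a token rather than a password; the injectable clock and the `verify_request` routing are assumptions for illustration.

```python
import time
from collections import defaultdict, deque

# Constructed values mirroring the limit described in the article:
# 15 credential-verification requests per rolling hour.
LIMIT = 15
WINDOW_SECONDS = 3600


class CredentialCheckLimiter:
    """Sliding-window limiter for Basic Auth credential checks.

    Keyed per account name so that guessing against one account is capped
    no matter how many client addresses the guesses come from. The clock is
    injectable (assumption for testability) so the window can be exercised
    without waiting a real hour.
    """

    def __init__(self, limit=LIMIT, window=WINDOW_SECONDS, clock=time.monotonic):
        self.limit = limit
        self.window = window
        self.clock = clock
        self._attempts = defaultdict(deque)  # account -> attempt timestamps

    def allow(self, account: str) -> bool:
        """Record an attempt for `account`; return False once the limit is hit."""
        now = self.clock()
        q = self._attempts[account]
        # Discard attempts that have aged out of the rolling window.
        while q and now - q[0] >= self.window:
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


def verify_request(limiter: CredentialCheckLimiter, auth_scheme: str, account: str) -> str:
    """Hypothetical gate in front of a credential-verification endpoint.

    Basic Auth checks (password sent with every call) count against the
    per-hour limit; OAuth requests present a token instead and are not
    limited here, matching the distinction the article draws.
    """
    if auth_scheme == "oauth":
        return "verify"
    if limiter.allow(account):
        return "verify"
    return "429 rate limited"
```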

It's reasonable to expect most users would prefer that Twitter staff focus on security over communication. To remain a popular platform, though, the company will have to do both, because so many users interact with Twitter through third-party applications.
