Wednesday, January 7th, 2009

Detecting twitter users with JavaScript – handy or evil?

Category: Examples, Security

Earlier this week I blogged about a proof of concept showing that you can detect whether a visitor is logged in to twitter, and display their data, with a few lines of JavaScript. This could be used, for example, to show “tweet this” buttons in a blog application only to people who actually have a twitter account.

The trick is easy: request the user_timeline method as a script (so the browser sends the visitor’s twitter cookies along with it) and provide it with a callback parameter naming a function on your page:


  1. function hasTwitter(data){
  2.   // gets the user's real name
  3.   alert(data[0];
  4.   // other data is .screen_name, .location and
  5.   // data[0].text is the latest update
  6. }
  1. <script type="text/javascript"
  2. src="'">
  3. </script>

You can see the proof of concept here. The only problem with the code above is that if the visitor is not authenticated, Twitter’s API answers with an HTTP authentication challenge and the browser pops up its login dialog. You can work around this by providing an extra parameter called “suppress_response_codes”, which is meant for clients that can only handle 200 response codes and cannot answer an authentication challenge (Flash apps, for example). With it, Twitter returns a 200 with an error object in the body instead:

  <script type="text/javascript"
    src="http://twitter.com/statuses/user_timeline.json?callback=hasTwitter&suppress_response_codes=true">
  </script>

This also means that you need to do your own error handling for the case where the visitor is not authenticated, because the callback is now called either way:


  1. function hasTwitter(data){
  2.   if(data.error){
  3.     alert('No authenticated user');
  4.   } else {
  5.     // gets the user's real name
  6.     alert(data[0];
  7.     // other data is .screen_name, .location and
  8.     // data[0].text is the latest update
  9.   }
  10. }
  1. <script type="text/javascript"
  2. src="'">
  3. </script>
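To make the three steps above testable in one place, here is an added example (my code, not the original proof of concept) that splits the trick into a URL builder, a classifier for what the callback receives, and a script injector. The twitter.com host and the .json suffix are the 2009 REST API as I remember it, not something the post spells out, and the two sample payloads are constructed to match the shapes the post describes (an array of statuses with a nested user object, or an object with an error string).

```javascript
// Added example: the JSONP detection trick from the post, restructured so
// the response handling can be exercised offline with constructed payloads.

// Endpoint named in the post; host and .json suffix assumed (2009 REST API).
const USER_TIMELINE = 'http://twitter.com/statuses/user_timeline.json';

// Build the script src. suppress_response_codes makes Twitter answer 200 with
// an {error: ...} body instead of a 401 that triggers the browser auth dialog.
function buildTimelineUrl(callbackName, suppress = true) {
  const params = new URLSearchParams({ callback: callbackName });
  if (suppress) params.set('suppress_response_codes', 'true');
  return `${USER_TIMELINE}?${params.toString()}`;
}

// Classify what the JSONP callback received. Returns a summary object rather
// than calling alert() so the logic can be unit-tested.
function classifyTimeline(data) {
  if (!Array.isArray(data)) {
    if (data && typeof data.error === 'string') {
      return { loggedIn: false, reason: data.error };
    }
    return { loggedIn: false, reason: 'unexpected payload' };
  }
  if (data.length === 0) {
    // Authenticated, but the user has not posted anything yet.
    return { loggedIn: true, name: null, screenName: null, location: null, latest: null };
  }
  const status = data[0];
  return {
    loggedIn: true,
    name: status.user.name,
    screenName: status.user.screen_name,
    location: status.user.location,
    latest: status.text,
  };
}

// Inject the script tag at runtime (browser only; `doc` is injectable for
// testing). The browser attaches the visitor's twitter.com cookies to this
// cross-site request, which is exactly the privacy problem the post raises.
function detectTwitterUser(onResult, doc = globalThis.document) {
  if (!doc) throw new Error('detectTwitterUser needs a DOM');
  const cbName = 'hasTwitter_' + Math.random().toString(36).slice(2);
  const script = doc.createElement('script');
  globalThis[cbName] = (data) => {
    delete globalThis[cbName];
    script.remove();
    onResult(classifyTimeline(data));
  };
  script.src = buildTimelineUrl(cbName);
  doc.head.appendChild(script);
}

// Constructed sample payloads, shaped like the responses the post describes.
const SAMPLE_LOGGED_IN = [{
  text: 'Testing the user_timeline trick',
  user: { name: 'Example User', screen_name: 'example', location: 'Somewhere' },
}];
const SAMPLE_LOGGED_OUT = {
  request: '/statuses/user_timeline.json',
  error: 'Could not authenticate you.',
};
```

In a page you would call `detectTwitterUser(r => { if (r.loggedIn) showTweetButton(r.screenName); })`; the random callback name lets several detections run side by side without clobbering each other’s global function.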

Now, this is pretty cool, but it also caused quite a stir on the twitter developer mailing list, as it is a privacy concern: any page you visit can learn who you are on twitter without asking. Using this technique I could mimic a user’s twitter homepage, complete with their name and latest update, fake an error, ask them to re-authenticate and phish their login data.

Whilst this is a problem, it is not really Twitter’s fault. If anything, browsers are to blame, because they send the user’s cookies along with a script request made by any third-party page, and they offer no secure sandbox to stop that. Some questions a proof of concept like this throws up are:

  • Do we need something like “tweet this” buttons (as a call to action they can be very effective)?
  • If we do, isn’t it better to only show them when the user is a twitter user instead of cluttering the interface with all kind of buttons?
  • Is a secret shared only between the user and the provider, like Yahoo’s sign-in seal, a step in the right direction (educating users instead of patching technology)?
  • Is OAuth the answer?

Posted by Chris Heilmann at 5:06 am




It’s not really anything new; I have been detecting twitter users’ names on for a little while now.

Comment by Kinlan — January 7, 2009

With this you could also get the updates of a user whose timeline is protected.

Comment by bunnyhero — January 8, 2009

There are a lot of sites out there that have been trying to capitalize on people’s cookie information in order to provide them with the ability to access many of their social networking sites all at once.

However, there is a whole lot WRONG with the ability to do this. I’ve done my best to explain it here:

Comment by infolock — January 10, 2009
