Thursday, January 29th, 2009
This morning I had a fun email (in 60 pixel letters) concerning TweetEffect – a Twitter analysis tool I’ve written (details on my blog). In essence I was being accused of making protected updates of the Twitter user available to the world.
I tried it out and couldn’t reach their updates. I then started wondering what on earth would have given that person the idea that a tool that needs no authentication and uses the API output of the user timeline could breach the security of their protected updates. If I tried to access the timeline of a protected user, the API rightfully asks me to authenticate.
However, it then dawned on me: the complaining user was logged into Twitter and thus could see the data without being asked to authenticate. So I was about to dismiss the problem and explained that this is not much more of a security breach than the old trick of showing someone a web page with an iframe pointing to their hard drive content via file://.
However, things are not as easy, as followers of this person who are allowed to see the updates (friends, so to speak) can also get to this data via the API. So in order to get to someone’s protected updates I could do the following:
- Sign into Twitter
- Click the followers link of the user and find a trusting person
- Send this person a “look at the cute kitten” link that contains some clever code
This is a problem, especially as disallowing that would break most Twitter clients. I can think of a few solutions: disallow the listing of followers of users with protected updates for non-followers, or replace the “protected updates” feature with “trusted friends” groups and their own API.
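Neither of the two fixes above, but a server-side check aimed at the mechanism the three steps rely on, added here as an example that is not Twitter’s code: a protected timeline is served on the strength of an ambient session cookie only when the request comes from the site’s own pages, and otherwise only with explicit API credentials. The `Request` and `User` models, `API_HOST`, and the sample users are assumptions made for the example.

```python
from dataclasses import dataclass, field
from typing import Optional, Set, Dict
from urllib.parse import urlsplit

API_HOST = "twitter.com"  # assumed host of the API; stands in for the real one


@dataclass
class Request:
    owner: str                           # whose timeline is being asked for
    cookie_user: Optional[str] = None    # user implied by the browser's session cookie
    token_user: Optional[str] = None     # user proven by explicit API credentials
    origin: Optional[str] = None         # Origin (or Referer) header, if the browser sent one


@dataclass
class User:
    name: str
    protected: bool = False
    followers: Set[str] = field(default_factory=set)


def same_site(origin: Optional[str]) -> bool:
    """True only when the request was made from a page on the API's own host."""
    return origin is not None and urlsplit(origin).hostname == API_HOST


def authorize_timeline(req: Request, users: Dict[str, User]) -> bool:
    """Decide whether this request may read the owner's timeline."""
    owner = users[req.owner]
    if not owner.protected:
        return True  # public timeline: anyone may read it
    # Explicit credentials: the caller deliberately authenticated this request,
    # so a third-party page cannot have triggered it with the user's credentials.
    if req.token_user is not None:
        return req.token_user == owner.name or req.token_user in owner.followers
    # Cookie only: the browser attached it automatically. Honour it solely for
    # first-party pages; a cross-site "cute kitten" page gets nothing.
    if req.cookie_user is not None and same_site(req.origin):
        return req.cookie_user == owner.name or req.cookie_user in owner.followers
    return False


# Constructed sample users: alice protects her updates, bob follows her.
USERS = {
    "alice": User("alice", protected=True, followers={"bob"}),
    "carol": User("carol"),
}
```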
In any case, it shows again that staying logged in and trying to protect information from going out when using a browser environment is simply not a clever idea.
Posted by Chris Heilmann at 2:13 pm