Twitter API Change Highlights Security Issues

Adam DuVander, July 20th, 2009

A limit on Twitter authentication calls has broken some applications, confusing users and frustrating developers. The microblogging platform now allows only 15 requests per hour to confirm a user’s credentials. Previously there was no published limit, and some applications were making well over 15 such requests an hour.

The reason for the change is well-intentioned on Twitter’s part. A credential check that can be called without limit is an online password-guessing oracle: given unlimited attempts, an attacker can run a dictionary attack against an account, trying thousands of common passwords until one is accepted. Access to a high-profile account would put the attacker in front of thousands or millions of followers.

A second problem developers are noting is that Twitter did not announce the change. Nothing appears on the API changelog; the edit does show up in the Twitter wiki’s recent changes.

Applications that authenticate users with OAuth, the generally safer method, are not affected. With OAuth the user is sent to Twitter to authorize the application, and the application then holds a token for its calls; it never handles the password. With Basic Auth the application collects the user’s password and sends it to Twitter for verification, so each of those verifications counts against the new limit.
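To make the trade-off described above concrete, here is an added example; it is not code from the original post or from Twitter. It models a credential-verification endpoint that allows 15 password checks per account per rolling hour, then runs the three callers the article is concerned with against it: an online dictionary attacker, a Basic Auth client that re-sends the password on every poll, and a token-holding (OAuth-style) client that never triggers a password check. The account, token, guess list, 120-second polling interval and status strings are all constructed for the example; a real service would also store password hashes rather than plaintext.

```python
"""Toy model of a rate-limited credential check and the callers it affects.
All accounts, tokens and password lists are constructed for this example."""
import hmac
from collections import defaultdict, deque
from typing import Deque, Dict, Tuple

# Constructed test account and an access token issued to a third-party app
# after the user authorised it on the service (the OAuth-style path).
ACCOUNTS = {"alice": "correct horse battery"}
TOKENS = {"tok-alice-app1": "alice"}

LIMIT = 15        # password checks allowed per account ...
WINDOW = 3600.0   # ... per rolling hour (the figure from the article)

# Constructed guess list: 19 wrong guesses, then the real password.
DICTIONARY = [f"password{i}" for i in range(1, 20)] + [ACCOUNTS["alice"]]


class CredentialService:
    """Stand-in for the API side. Passwords are kept in the clear only to
    keep the toy short; a real service compares against stored hashes."""

    def __init__(self, limit: int = LIMIT, window: float = WINDOW):
        self.limit = limit
        self.window = window
        self.attempts: Dict[str, Deque[float]] = defaultdict(deque)

    def _over_limit(self, user: str, now: float) -> bool:
        q = self.attempts[user]
        while q and now - q[0] >= self.window:   # forget checks older than WINDOW
            q.popleft()
        return len(q) >= self.limit

    def request(self, auth: Tuple[str, ...], now: float) -> str:
        """auth is ('basic', user, password) or ('token', token).
        `now` is supplied by the caller so runs are deterministic."""
        if auth[0] == "basic":
            _, user, password = auth
            if self._over_limit(user, now):
                return "429 too many attempts"   # refused before any comparison
            self.attempts[user].append(now)      # every password check is counted
            good = user in ACCOUNTS and hmac.compare_digest(ACCOUNTS[user], password)
            return "200 ok" if good else "401 bad credentials"
        if auth[0] == "token":
            # Token path: the password was checked once, at authorisation time.
            return "200 ok" if auth[1] in TOKENS else "401 bad token"
        return "400 unsupported auth"


def dictionary_attack(svc: CredentialService, user: str) -> Tuple[str, int]:
    """One request per guess, one second apart. Returns the outcome and the
    number of requests it took to reach it."""
    for i, guess in enumerate(DICTIONARY, start=1):
        status = svc.request(("basic", user, guess), now=float(i))
        if status.startswith("200"):
            return "cracked", i
        if status.startswith("429"):
            return "blocked", i
    return "exhausted", len(DICTIONARY)


def poll(svc: CredentialService, auth: Tuple[str, ...],
         interval_s: float = 120.0, hours: float = 1.0) -> Tuple[int, int]:
    """A client fetching updates every `interval_s` seconds for `hours`.
    Returns (successful polls, polls refused by the limit)."""
    ok = refused = 0
    t = 0.0
    while t < hours * 3600:
        status = svc.request(auth, now=t)
        if status.startswith("200"):
            ok += 1
        elif status.startswith("429"):
            refused += 1
        t += interval_s
    return ok, refused


if __name__ == "__main__":
    print("no limit:          ", dictionary_attack(CredentialService(limit=10**9), "alice"))
    print("15 per hour:       ", dictionary_attack(CredentialService(), "alice"))
    print("Basic Auth poller: ", poll(CredentialService(), ("basic", "alice", "correct horse battery")))
    print("token poller:      ", poll(CredentialService(), ("token", "tok-alice-app1")))
```

Run as a script, the unlimited service is cracked on the 20th guess while the limited one refuses from the 16th request onward, which is the benefit Twitter was after. The same run shows the cost: a Basic Auth client polling every two minutes gets its first 15 polls answered and the remaining 15 of the hour refused, because the legitimate owner's password is verified on every call, whereas the token client gets all 30. Note also that a limit keyed on the account alone is a lockout lever anyone on the network can pull by sending 15 wrong passwords for a victim; real deployments usually count per source address as well, and back off rather than hard-refuse.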

It is reasonable to expect most users would prefer Twitter staff focus on security over communication. To remain a popular platform, though, the company will have to do both, because so many users interact with Twitter through third-party applications.


One Response to “Twitter API Change Highlights Security Issues”

Comment by Scott Aikin, July 21st, 2009 at 12:06 am

Actually, OAuth users were affected, but Twitter has indicated that they will roll back and re-evaluate this change. Hopefully they will exclude OAuth users this time.

Adam DuVander
Executive Editor, ProgrammableWeb. Author, Map Scripting 101. Lover, APIs.