Our liability as Twitter app developers (peternixey.com)
36 points by robheaton on Aug 19, 2013 | hide | past | favorite | 29 comments


Our app used to ask for Twitter write permission in order to provide "follow" buttons. It was infuriating: we only wanted to be able to follow/unfollow for people (since our site used Twitter's social graph rather than rolling our own) but in order to do so we had to ask for full write permissions, which caused people to freak out and assume we wanted to tweet on their behalf or make changes to their profile.

Contrast with Facebook which has a much better implementation of finely grained permissions where you can opt to only ask for the permissions your application needed.

In the end, we switched to asking for read-only permissions for most users and let them upgrade to read-write the first time they wanted to perform a Twitter-write operation. This was a hassle from an engineering point of view but did completely eliminate complaints about us asking for too much access: http://lanyrd.com/blog/2012/twitter-read-only/

We eventually moved to our own social graph, which eliminated the need to update Twitter's graph from our interface entirely.


> Contrast with Facebook which has a much better implementation of finely grained permissions where you can opt to only ask for the permissions your application needed.

Facebook's minimum level of permissions is still infuriatingly broad. I hate getting "why do you need my friends list and public profile?!" feedback on our Facebook apps. If I could opt out of them, I would - often, I just want your FB ID and e-mail!


You could just ask for them.


E-mail, sure. Facebook ID? No. Most people don't have that 10-20 digit number memorized, and Facebook doesn't really show it anywhere other than the APIs these days either.


Why not implement privilege-shedding and enable your users to turn write privs on and off at will?


I had to look up who Carl Icahn is (http://en.wikipedia.org/wiki/Carl_Icahn); he's a large-scale investor which is why the quoted tweet about plans to invest further in Apple caused Apple's stock to become more valuable.


And he plays the market psychology to his advantage - it's quite obvious he does this.


It's a good thing I only ask for read access, not write. Write access is getting pretty useless as people have started to ignore people's tweets since there is so much noise.


If twitter is ignored because it's all noise, what's the point?


Tweets sent by apps (i.e. Foursquare check-ins) are usually easily detected by regular users. Those are the ones being ignored by users, sort of like banner ad blindness.


Ahh - thanks for the distinction. Makes good sense to me.


No one drives their car in NY anymore, the streets are too crowded.


Nice analogy!


I wonder when we will stop speaking in hyperbole about stock price changes.

"In April of this year crackers got hold of the Associated Press Twitter account and wiped an estimated $135Bn off the S&P 500 Index by tweeting that explosions at the White House had injured president Obama."

And the stock market rebounded and then some over the coming weeks, reaching new recent highs in May and June... So the effect lasted... a couple of hours?

When people talk about stock market value being "wiped out", they neglect to say that the market fully recovered later that afternoon, or that the market is higher today than it was back then. If you can't acknowledge that stock prices change every second, and that dips or rises are often temporary moments that affect very few shareholders of that company, then the phrase "billions of dollars was wiped out" is just meaningless hyperbole.


If you short the market during these dips, you can make the value that is "wiped out."

What they are saying, in essence, is "this is how much money was on the table to be stolen because of that tweet."


Not sure why this is something that is particularly the worry of developers. Such havoc can be wreaked through simple phishing at the user-level. Even at major organizations, two-factor or OAuth authentication may not be the standard, meaning that a market-changing Tweet is just one well-crafted email away. That seems like by far the easiest attack vector for a hacker.


One of the biggest problems with Twitter security is the aspect of revocation of app access in the event of, say, a compromised password.

In cases like that, you need some kind of panic button to eliminate all threats, instead of having to go through every single app and delete their access to be safe.


Seems weird they don't expire tokens on password change. I know that Facebook does.
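The three mechanisms discussed in this thread (issuing read-only tokens and upgrading to read-write only when a write is attempted, letting users shed write privileges at will, and a "panic button" that revokes every app's access when the password changes) can all be built on one provider-side token store. The following is an added example written for this page, not code from Twitter, Facebook or the Lanyrd post; the store, the scope names and the `password_generation` counter are assumptions chosen to illustrate the design, and tokens are only ever stored as hashes so a leaked database does not yield usable credentials.

```python
"""Hypothetical provider-side OAuth-style token store (example code, not a real API).

Design: every user carries a password generation counter. A grant records the
generation it was issued under, so bumping the counter on a password change
invalidates every outstanding token for that user in one step, with no need to
visit each app individually.
"""
import hashlib
import secrets
from dataclasses import dataclass

READ = "read"              # can read the social graph / timeline
READ_WRITE = "read-write"  # may also follow/unfollow or post


@dataclass
class Grant:
    user_id: str
    app_id: str
    scope: str
    password_generation: int  # generation current when the token was issued


class TokenStore:
    def __init__(self):
        self._generation = {}  # user_id -> current password generation
        self._grants = {}      # sha256(token) -> Grant; raw tokens are never kept

    @staticmethod
    def _key(token):
        return hashlib.sha256(token.encode()).hexdigest()

    def register_user(self, user_id):
        self._generation[user_id] = 0

    def issue(self, user_id, app_id, scope=READ):
        """Hand an app a fresh token; read-only unless the app asks otherwise."""
        if scope not in (READ, READ_WRITE):
            raise ValueError("unknown scope")
        token = secrets.token_urlsafe(32)
        self._grants[self._key(token)] = Grant(
            user_id, app_id, scope, self._generation[user_id])
        return token

    def _live_grant(self, token):
        """Return the grant only if it exists and predates no password change."""
        g = self._grants.get(self._key(token))
        if g is None or g.password_generation != self._generation[g.user_id]:
            return None
        return g

    def check(self, token, write=False):
        """True if the token is still valid and covers the requested operation."""
        g = self._live_grant(token)
        if g is None:
            return False
        return (not write) or g.scope == READ_WRITE

    def _reissue(self, token, scope):
        """Replace a live token with one of a different scope; the old one dies."""
        g = self._live_grant(token)
        if g is None:
            raise PermissionError("token is not valid")
        del self._grants[self._key(token)]
        return self.issue(g.user_id, g.app_id, scope)

    def upgrade_to_write(self, token):
        """The 'first write operation' upgrade: prompt the user, then reissue."""
        return self._reissue(token, READ_WRITE)

    def shed_write(self, token):
        """Privilege shedding: the user drops write access without revoking the app."""
        return self._reissue(token, READ)

    def revoke_all(self, user_id):
        """Panic button: every app loses access to this account. Returns count revoked."""
        stale = [k for k, g in self._grants.items()
                 if g.user_id == user_id
                 and g.password_generation == self._generation[user_id]]
        for k in stale:
            del self._grants[k]
        self._generation[user_id] += 1
        return len(stale)

    def change_password(self, user_id):
        """A password change is treated as a possible compromise: revoke everything."""
        return self.revoke_all(user_id)
```

An app that needs to follow someone calls `check(token, write=True)`; on `False` it sends the user through `upgrade_to_write` rather than asking for full access up front, which is the flow the first comment describes. Because validity is checked against the user's current generation, a compromised password no longer leaves previously granted app tokens alive after the user rotates it.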


While theoretically true, I think for most accounts the risk is fairly small: I'm sure it's hard to come up with something to tweet from my account that moves any stock exchange even a penny.


Your account maybe, but what about all those traders, FDA, SEC or FED people? Or NGOs? Majors?

I think if you really try even your account could move a stock. Think about it: a tweet with location (in front of a big company's CEO's house) early in the morning when you know the 'target' is commuting, flying or otherwise offline, followed by a tweet 'just killed the bastard' with a fake photoshopped picture of a body. If someone was to target a person with a love of guns on their timeline... well, things could get messy real quick.


I'm surprised Icahn is allowed to have a Twitter account. Regulators used to limit access to certain information-sharing outlets for those in positions of influence, e.g. certain high-level bank officials could not have BBM (I know, right) active on their Blackberries because of the risk of insider trading. When a tweet has the power to move the market it should probably be treated the same.


Information that moves the market is allowed, as long as all investors have access to the information.

There was some contention about that last year with the Netflix CEO releasing subscriber numbers on Twitter that affected the stock, but the SEC issued guidance earlier this year that said that disclosure on Twitter and Facebook was OK, as long as the accounts were public.


The point of the article is that if you run a service that allows people to sign in with Twitter you may end up with thousands of people's OAuth credentials on your own server, including some people with potentially very influential accounts.


I wonder: if you had access to any Twitter account, what's the most damaging thing you could tweet? Are there any things that could put someone's life in mortal danger?


I think it was April when someone hacked the Associated Press account, tweeted that the White House just exploded and the Dow dropped a ton in a short amount of time. That's pretty scary.

source: http://www.nbcnews.com/technology/ap-twitter-account-hacked-...


And completely rebounded within 10 minutes.


At least one person was charged with murder this week due to the contents of a tweet.


How about an IP and/or MAC address as an extra layer of security? On a side note: if this makes apps that wish to post on my behalf disappear, I wouldn't mind.


You know your MAC address doesn't leave your local network, and your IP will change as you roam between, say, WiFi and cellular data, so I don't see that either would be all that useful.

