Msg#: 4203065 posted 12:22 am on Sep 17, 2010 (gmt 0)
On the Twitter One Forty Developers Blog, some privacy concerns have been raised about API data access via third-party applications that use OAuth tokens.
Currently Twitter application developers are given 2 choices when registering their apps – they can either request "read-only access" or "read & write" access. For Twitter "read & write" means being able to do anything through the API on a user's behalf...
Twitter's overly-broad permission structure amplifies the concern around OAuth token security because of what those tokens allow apps to do...
People increasingly use DMs like short emails or IMs and assume it is a private channel between two people. In reality any app you have granted access can read all of your DMs.
This developer is very clear that they don't WANT the full rights to read your DMs, or to accidentally unfollow your friends - but the possibility is there. Sounds to me like Twitter needs to tighten up their permissions system a lot.
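The permission gap the post describes, as an added example (not code from the thread or from Twitter): a Python model of Twitter's two coarse registration-time levels beside an assumed per-capability scope set, showing that under the coarse model even "read-only" reaches DMs while a least-privilege token for a posting app cannot. Scope names such as dm:read and the app names are constructed.

```python
"""Coarse vs. fine-grained OAuth scope enforcement (constructed example)."""
from dataclasses import dataclass

# Twitter's two choices at app registration, as described in the thread,
# mapped to what a token at that level can actually do. Note that DM
# reading is bundled into plain "read-only".  (Capability names assumed.)
COARSE_MODEL = {
    "read-only": {"timeline:read", "dm:read"},
    "read & write": {"timeline:read", "dm:read", "tweet:write",
                     "dm:write", "follow:write"},
}

# A least-privilege alternative (assumed, not something Twitter offered):
# every capability is its own scope and must be requested explicitly.
FINE_SCOPES = {"timeline:read", "dm:read", "tweet:write",
               "dm:write", "follow:write"}

# Capabilities a consent screen should call out because they reach private
# data or change the user's social graph.
SENSITIVE = {"dm:read", "dm:write", "follow:write"}


@dataclass(frozen=True)
class Token:
    app: str
    scopes: frozenset


def issue_coarse(app, level):
    """Authorization server under the coarse model: level -> bundle."""
    return Token(app, frozenset(COARSE_MODEL[level]))


def issue_fine(app, requested):
    """Authorization server under the fine model: only what was requested."""
    unknown = set(requested) - FINE_SCOPES
    if unknown:
        raise ValueError(f"unknown scopes: {sorted(unknown)}")
    return Token(app, frozenset(requested))


def authorize(token, capability):
    """Resource-server check: each endpoint requires exactly one scope."""
    return capability in token.scopes


def audit(token):
    """Sensitive capabilities the token holds; what the user should be shown."""
    return sorted(token.scopes & SENSITIVE)
```

A scheduling app that only needs tweet:write gets every sensitive capability under the coarse model and none under the fine one, which is the gap the post is pointing at.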
Msg#: 4203065 posted 4:21 am on Sep 17, 2010 (gmt 0)
I don't assume anything on Twitter is private, but sometimes it's easy to forget the more we use it as a communication medium. If people (or the tech press) become irked by this then I'll bet we'll see a quicker response from Twitter. They should take action before we get a malicious app that violates privacy on a larger scale.