No really, I just did it. 99 of your closest friends, if you have that many, are gone. Go ahead and check…I can wait.
Well, not really, but if you are logged in to your Twitter account through your browser right now, I could have. Ajaxian had an interesting article on everyone’s favorite microblogging site today. One of the biggest features of the site is the REST-based API it provides. While it’s dead simple to use, it’s also one of the site’s biggest risks.
OK, now that I’ve scared you, here’s the fix…well, to be honest, there really isn’t one. Some have proposed OAuth as the answer. To me, it’s no different: I could trust one of the many Twitter apps today, and tomorrow the owner could get a wild hair and decide to start making money off of my trust. Twitter could add something like OAAM and OES (Oracle’s risk assessment engine and entitlements server) to establish each application’s normal request patterns and ask the user for additional authentication factors when they trust a new site or when a site starts behaving outside its norm.
Really, the best thing you can do is install something like NoScript in Firefox, make sure you know what sites you’re visiting, and log out of Twitter when you’re done. Personally, I can live with the fact that someone might tweet for me or make changes to my account. Twitter should rethink the ability to update profile attributes through the API; I don’t think anyone would complain, in return for the added security.
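To make the risk concrete from the server’s side, here is an added example (not code from the original post or from Twitter) of a cookie-authenticated “remove a friend” endpoint written two ways: once honouring any request that carries the session cookie, as the post describes, and once with the two checks that separate a request the user made from one another site’s page fired in the background. The origins, session store and friend list are all constructed for the example.

```python
# Added example, not from the original post. All names and data are constructed.
import hmac

API_ORIGIN = "https://api.example.test"   # assumed origin of the API host
WEB_ORIGIN = "https://www.example.test"   # assumed origin of the site's own pages

# Constructed session store: cookie value -> user and a per-session CSRF token.
SESSIONS = {"sid-1": {"user": "alice", "csrf": "c0ffee"}}
# Constructed friend lists: user -> set of friend ids.
FRIENDS = {"alice": {"bob", "carol"}}


def unsafe_destroy_friendship(cookies, headers, form):
    """Vulnerable form: the session cookie is the only proof that the user
    meant this. The browser attaches that cookie to requests made by any
    page, so a request started by another site's script is honoured too."""
    session = SESSIONS.get(cookies.get("sid"))
    if session is None:
        return 401, "not logged in"
    FRIENDS[session["user"]].discard(form.get("id"))
    return 200, "ok"


def safe_destroy_friendship(cookies, headers, form):
    """Hardened form: same session lookup, plus
    (1) the Origin header, which the browser sets and a page cannot change,
        must name our own site (a missing header is treated as cross-site), and
    (2) the form must echo the session's CSRF token, which a foreign page
        cannot read because of the same-origin policy.
    A non-browser client can fake Origin, but it does not carry the victim's
    cookie, so that does not help it."""
    session = SESSIONS.get(cookies.get("sid"))
    if session is None:
        return 401, "not logged in"
    if headers.get("Origin") not in (WEB_ORIGIN, API_ORIGIN):
        return 403, "cross-site request refused"
    sent = form.get("csrf_token", "").encode()
    if not hmac.compare_digest(sent, session["csrf"].encode()):
        return 403, "missing or wrong CSRF token"
    FRIENDS[session["user"]].discard(form.get("id"))
    return 200, "ok"
```

Run the two handlers against the same request with a foreign Origin and only the hardened one refuses it; the checks add nothing for the site’s own pages, which know both the origin and the token.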
This is just the tip of the iceberg of things you can do with XMLHttpRequest without users knowing, such as figuring out which other sites your site’s visitors have already been to. How scary would it be when a salesman calls and says he heard you visited the competitor’s product page recently and wants to talk about how their product differs? Maybe I’m missing something, but I don’t see any easy way to solve the problem.
It’s a wild wild web2.0 world out there, be safe my friends. 😉