On Jan 7, 7:30 am, Alex Payne a...@twitter.com wrote:
I intend to address this shortly. It's not the API's intended behavior.
cool. Despite my concerns here, thanks a lot for this whole exchange,
Damon and Chad! This is once again proof that the browser security
model is simply broken and we
I find this to be particularly concerning from a privacy point of
view.
You can retrieve enough information about a user to even replicate
their home page. This could be particularly damaging from a phishing
point of view. Not only can I spoof the Twitter home page, I can now
spoof the
On Tue, Jan 6, 2009 at 4:35 AM, Chris Heilmann chris.heilm...@gmail.com wrote:
It is more troubling if people don't log out at the end of a session.
Paranoia is never a good thing. If you leave things logged in, you are
vulnerable.
Are you suggesting that I continually sign in/out of my
On Tue, Jan 6, 2009 at 6:49 PM, Chad Etzel jazzyc...@gmail.com wrote:
I could send a tweet from some account that says @user hello! thanks
for dropping by mysite.com! Hope you enjoyed it! How many people
*wouldn't* be freaked out by that? (In fact, I should try that and see
what kind of
On Jan 6, 12:20 am, Chris Heilmann chris.heilm...@gmail.com wrote:
I find this to be particularly concerning from a privacy point of
view.
You can retrieve enough information about a user to even replicate
their home page. This could be particularly damaging from a phishing
point of
Well and generously spoken, Damon.
I coded up a proof-of-concept site for this leak today. It works so
well it's scary. I am now quite hesitant to release the address
publicly because of the backlash I might receive for deceiving people
by sending them there. I may be willing to share it with
Chad,
I would very much like to see your proof of concept.
Dale
On Jan 6, 2009, at 11:15 PM, Chad Etzel wrote:
Well and generously spoken, Damon.
I coded up a proof-of-concept site for this leak today. It works so
well it's scary. I am now quite hesitant to release the address
publicly
I intend to address this shortly. It's not the API's intended behavior.
On Tue, Jan 6, 2009 at 21:15, Chad Etzel jazzyc...@gmail.com wrote:
Well and generously spoken, Damon.
I coded up a proof-of-concept site for this leak today. It works so
well it's scary. I am now quite hesitant to
Actually, I see this functionality as a potential security/privacy
hole. I can imagine at least a couple of nefarious things websites
can do by being able to detect the presence of a twitter user on their
site... I remember bringing up a very similar issue with Alex earlier
last year which was
We did an experiment with a partner of ours around this. It's not
currently an officially-supported API method, but check out
/sessions/present.json. It should support a callback and returns a
boolean.
On Mon, Jan 5, 2009 at 07:49, Chris Heilmann chris.heilm...@gmail.com wrote:
I've just
Well, yes, but then it is a trivial step to get which user.
My question, though, is whether or not this sort of behavior is
intentional, for 3rd party sites to be able to discover the identity
of twitter users on their sites? Personally, I find this to be more
worrisome than the current
On Mon, Jan 5, 2009 at 9:08 PM, Chad Etzel jazzyc...@gmail.com wrote:
My question, though, is whether or not this sort of behavior is
intentional, for 3rd party sites to be able to discover the identity
of twitter users on their sites? Personally, I find this to be more
worrisome than the