I find this to be particularly concerning from a privacy point of
view.

You can retrieve enough information about a user to even replicate
their home page. This could be particularly damaging from a phishing
point of view. Not only can I spoof the Twitter home page, I can now
spoof the home page of any user that visits it, making it that much
more realistic.

This is, however, one of the reasons I run with NoScript (FF
extension) when I'm browsing the web.

While this information _is_ publicly accessible, I want to reiterate
that it is troubling how you can figure out which specific Twitter
user may be visiting your site.

On Jan 5, 11:19 am, "Chad Etzel" <jazzyc...@gmail.com> wrote:
> On the contrary, you certainly *can* detect WHICH user is logged in.
> See http://icant.co.uk/sandbox/twitter-hi-demo.html if you are logged
> into the twitter website.  Now imagine the site making another AJAX
> call to store the user info into a database somewhere.... goodbye
> anonymous surfing....
>
> -Chad
>
> On Mon, Jan 5, 2009 at 2:17 PM, Alex Payne <a...@twitter.com> wrote:
>
> > You can't find out WHICH user is logged in, just that *a* user is
> > logged in. We feel that minimizes the privacy risks.
>
> > On Mon, Jan 5, 2009 at 11:16, Peter Denton <petermden...@gmail.com> wrote:
> >> so I can detect if a user is logged into twitter through
> >> /sessions/present.json?
>
> >> What would be the full URL for checking a username against it?
>
> >> ex: http://twitter.com/al3x/sessions/present.json
>
> >> On Mon, Jan 5, 2009 at 11:09 AM, Alex Payne <a...@twitter.com> wrote:
>
> >>> We did an experiment with a partner of ours around this. It's not
> >>> currently an officially-supported API method, but check out
> >>> /sessions/present.json. It should support a callback and returns a
> >>> boolean.
>
> >>> On Mon, Jan 5, 2009 at 07:49, Chris Heilmann <chris.heilm...@gmail.com>
> >>> wrote:
>
> >>> > I've just played around with the user timeline to show data when the
> >>> > user is logged in (http://www.wait-till-i.com/2009/01/05/detecting-and-
> >>> > displaying-the-information-of-a-logged-in-twitter-user/, specifically
> >>> > http://icant.co.uk/sandbox/twitter-hi-demo.html).
>
> >>> > This is pretty cool, and kudos to your security that when the user is
> >>> > not authenticated I get a popup to authenticate.
>
> >>> > However, this is the problem of the script. Is there an idea of
> >>> > allowing a "twitter status" API call that only would allow me to see
> >>> > if the current user is authenticated? It would be useful to build for
> >>> > example WordPress add-ons that only give twitter functionality when we
> >>> > know the user is authenticated.
>
> >>> > A boolean would do, really. Or turning off the automatic login request
> >>> > on the json and callback output and instead throw back an error.
>
> >>> > If I curl the user timeline I get this error, but not when I use the
> >>> > JSON callback.
>
> >>> > cheers
> >>> > chris
>
> >>> --
> >>> Alex Payne - API Lead, Twitter, Inc.
> >>> http://twitter.com/al3x
>
> > --
> > Alex Payne - API Lead, Twitter, Inc.
> > http://twitter.com/al3x
>
>
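As an added illustration (not code from this thread, from Twitter, or from the linked demo), here is a mock of a "session present" endpoint showing why a cookie-authenticated JSONP response lets any third-party page learn the visitor's login state, next to a hardened shape that only answers same-origin XMLHttpRequest calls. The session store, cookie name, screen name and the X-Requested-With convention are assumptions.

```javascript
// Added example (not from the thread, Twitter, or the linked demo): a mock
// of a "session present" endpoint showing why a cookie-authenticated JSONP
// response leaks login state to any third-party page, and a hardened shape.
// The session store, cookie name and screen names below are constructed.
const SESSIONS = { 'sid-abc123': { screen_name: 'example_user' } };

function parseCookies(header) {
  const out = {};
  for (const part of (header || '').split(';')) {
    const [k, ...v] = part.trim().split('=');
    if (k) out[k] = v.join('=');
  }
  return out;
}

function sessionFor(req) {
  return SESSIONS[parseCookies(req.headers.cookie)._session];
}

// Vulnerable shape: any page that embeds
//   <script src="https://site/sessions/present.json?callback=cb">
// receives the visitor's account data, because the browser attaches the
// site's session cookie to the script request and the wrapper hands the
// JSON to the embedding page's callback function.
function presentVulnerable(req) {
  const cb = req.query.callback;
  if (cb !== undefined && !/^[\w.$]+$/.test(cb)) {
    return { status: 400, body: '{"error":"bad callback"}' }; // reflect only identifier names
  }
  const s = sessionFor(req);
  const body = s ? { present: true, user: s.screen_name } : { present: false };
  return { status: 200, body: cb ? `${cb}(${JSON.stringify(body)})` : JSON.stringify(body) };
}

// Hardened shape: a callback parameter means a cross-site <script> include,
// so session state is never answered with JSONP. Plain JSON is served only
// to same-origin XMLHttpRequest calls, recognised by a custom header that a
// <script> tag cannot set and a cross-origin XHR cannot add without CORS
// consent (assumed convention; SameSite cookies are the modern complement).
function presentHardened(req) {
  const xhr = (req.headers['x-requested-with'] || '') === 'XMLHttpRequest';
  if (req.query.callback !== undefined || !xhr) {
    return { status: 403, body: '{"error":"session state is not exposed cross-site"}' };
  }
  return { status: 200, body: JSON.stringify({ present: Boolean(sessionFor(req)) }) };
}
```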
