> I find this to be particularly concerning from a privacy point of
> view.
>
> You can retrieve enough information about a user to even replicate
> their home page. This could be particularly damaging from a phishing
> point of view. Not only can I spoof the Twitter home page, I can now
> spoof the home page of any user that visits it, making it that much
> more realistic.
>
> This is, however, one of the reasons I run with NoScript (FF
> extension) when I'm browsing the web.
>
> While this information _is_ publicly accessible, I want to reiterate
> that it is troubling how you can figure out which specific Twitter
> user may be visiting your site.

Can we stop the paranoia please? To replicate any Twitter user's
homepage I need their user name and then I can use either curl (e.g.
http://icant.co.uk/sandbox/twittercheck.php) or even an IFRAME; there
is no need for JavaScript whatsoever. In the first case your NoScript
will not make a single difference. Security and privacy do not come
by obfuscation but by making people aware of dangers. I am writing a
presentation for Web Directions North about web app security at the
moment and one of the main points is that people are the easiest
attack vectors, not technology. If you really think the bad guys need
an API for doing things like that then be very afraid.

There are two parties needed for phishing: one who creates a fake interface and
another who enters sensitive information. If you enter sensitive
information into any form field - even on the legitimate Twitter page
- then you are making a very big mistake.

Don't blame the hammer for sore thumbs.
