I intend to address this shortly. It's not the API's intended behavior.

On Tue, Jan 6, 2009 at 21:15, Chad Etzel <[email protected]> wrote:
>
> Well and generously spoken, Damon.
>
> I coded up a proof-of-concept site for this leak today. It works so
> well it's scary. I am now quite hesitant to release the address
> publicly because of the backlash I might receive for deceiving people
> by sending them there. I may be willing to share it with this list,
> though.
>
> I hope Damon and I (and others!) will continue to be squeaky wheels
> until something changes about this.
>
> -Chad
>
> On Tue, Jan 6, 2009 at 11:40 PM, Damon C <[email protected]> wrote:
>>
>>
>>
>> On Jan 6, 1:35 am, Chris Heilmann <[email protected]> wrote:
>>> > I find this to be particularly concerning from a privacy point of
>>> > view.
>>>
>>> > You can retrieve enough information about a user to even replicate
>>> > their home page. This could be particularly damaging from a phishing
>>> > point of view. Not only can I spoof the Twitter home page, I can now
>>> > spoof the home page of any user that visits it. Making it that much
>>> > more realistic.
>>>
>>> And how is that news? I can always redirect you to twitter.com/home
>>> and inject a script that sends your data somewhere else. Just use an
>>> iframe and clickjacking. The point is not to stop legitimate uses of
>>> data but to educate end users that it is just very stupid to enter
>>> sensitive data in any form field - even the official ones - without
>>> any encryption. For phishing purposes this is pretty pointless as you
>>> need to be logged in to get to that data. Being asked to log in again
>>> when you are obviously logged in succeeding as a phishing scam is a
>>> problem with people, not technology. This is what it boils down to:
>>> we've been so far removed from the people we try to protect with our
>>> security language that we don't reach where it matters.
>>>
>>> > This is, however, one of the reasons I run with NoScript (FF
>>> > extension) when I'm browsing the web.
>>>
>>> It is a good start but it doesn't protect you from redirection tricks
>>> or iframe tricks.
>>>
>>> > While this information _is_ publicly accessible, I want to reiterate
>>> > that it is troubling how you can figure out which specific Twitter
>>> > user may be visiting your site.
>>>
>>> It is more troubling if people don't log out at the end of a session.
>>> Paranoia is never a good thing. If you leave things logged in, you are
>>> vulnerable.
>>
>> p.s. Nearly every web application has a "Remember Me" button. People
>> love convenience. But in our multi-tabbed world, people simply aren't
>> going to sign out of Twitter/Gmail every time they open a new tab in
>> Firefox or click on a link. I as a security professional might do
>> that, but it's unreasonable to assume the general public will. This is
>> an unfortunate side-effect of how browsers and usage patterns have
>> evolved over time.
>
-- Alex Payne - API Lead, Twitter, Inc. http://twitter.com/al3x
