Yes, being careless, but interesting how your "api key" can also unlock certain doors.
On Fri, Jan 30, 2009 at 2:58 PM, Chad Etzel <[email protected]> wrote:
>
> Mmmm yes, that is an interesting scenario. Since you are fetching the
> tweets by authenticating with your @twibs account, I am assuming you
> are doing this server side and then echo'ing the tweets to the
> webpage. In that case you can check the "is_proctect" attribute (or
> whatever it's called) and demux off of that. You probably already
> figured that out, but I'm just adding to the discussion.
> -Chad
>
> On Fri, Jan 30, 2009 at 5:24 PM, Peter Denton <[email protected]> wrote:
> > Hey everyone,
> > Everyone may know this already and I may have not been diligent enough, but
> > this scenario came up today and the person who brought it to my attention
> > said they see it a lot in many apps.
> >
> > Basically,
> >
> > I have an app http://www.twibs.com (a directory of businesses on twitter)
> > and am making "statuses/user_timeline/$nameofentity" calls for visitors to
> > see recent tweets of the business entity.
> > A business user contacted me today and said their protected updates were
> > showing up on twibs
> > This is because the user is following my application alias "@twibs" and I
> > WAS using my twibs credentials to authenticate with the api
> > thus when I make the api call, the user's protected updates are open to and
> > were thus shown publicly on my site
> >
> > So, if your application does something like mine, you may want to make sure
> > you are using credentials from another account so this scenario does not
> > unfold. I am sure most of you studs (Jazzy Chad & Gang) already see this,
> > but I didn't.
> >
> > Peter
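
The server-side check suggested in the thread, as an added example that is not part of the original messages: before echoing timeline results to visitors, drop any status whose author is marked protected, and fail closed when the flag is missing or malformed. The field name `protected` on the `user` object, the function names and the sample data are assumptions constructed for this illustration.

```python
import json

# Constructed sample of a statuses/user_timeline JSON response (not real data).
SAMPLE_TIMELINE = json.dumps([
    {"id": 1, "text": "Open for business at 9am",
     "user": {"screen_name": "examplebiz", "protected": False}},
    {"id": 2, "text": "Note for approved followers only",
     "user": {"screen_name": "privatebiz", "protected": True}},
    {"id": 3, "text": "Status with no user object"},
    {"id": 4, "text": "Flag arrived as a string",
     "user": {"screen_name": "oddbiz", "protected": "false"}},
])


def publishable_statuses(raw_json):
    """Split an API response into (statuses safe to show, withheld ids).

    Fails closed: a status is published only when user.protected is
    literally False. A missing user object or a non-boolean flag is
    treated the same as a protected account.
    """
    statuses = json.loads(raw_json)
    if not isinstance(statuses, list):  # e.g. an error object, not a timeline
        return [], []
    public, withheld = [], []
    for status in statuses:
        if not isinstance(status, dict):
            continue
        user = status.get("user")
        flag = user.get("protected") if isinstance(user, dict) else None
        if flag is False:
            public.append(status)
        else:
            withheld.append(status.get("id"))
    return public, withheld


def render_for_visitors(raw_json):
    """Return the tweet texts an unauthenticated visitor may be shown."""
    public, withheld = publishable_statuses(raw_json)
    if withheld:
        # Log ids only, never the protected text itself.
        print("withheld %d status(es): %s" % (len(withheld), withheld))
    return [s["text"] for s in public]


if __name__ == "__main__":
    print(render_for_visitors(SAMPLE_TIMELINE))
```

This filter complements, rather than replaces, the other fix mentioned in the thread of authenticating with an account that has no access to protected updates.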
