If a Twitter user has authenticated my app, is it possible for me to
view their email address?

From what I can tell through the O'Reilly book and Google searches,
the answer is currently "no" due to, I'm assuming, security
concerns...  But I can think of several reasons why the user may want
to allow me to have this information. For example, they could use my
app to set up email alerts for themselves that would be triggered by
various events, or use it to send them compiled reports, etc. Being
able to read their email address could be very useful, and I would
love to have it as a feature in the API.

Yes, I could also use it to send them spam, but that's why they should
block my app if they don't trust me. People put their email address
into forms all over the Internet all the time, probably hundreds of
times per year, so it seems silly for me not to be able to read it
even with the user's permission.

One feature that should _definitely_ be removed, however, is the
ability to _change_ the user's email address. For instance, if a
person authorizes my app and I do this:

$to->OAuthRequest('https://twitter.com/account/update_profile.xml',
array('email' => 'iame...@hotmail.com'), 'POST');

then all I have to do is fill out the Forgotten Password form, check
the confirmation code that gets sent to _my_ hotmail address, and then
suddenly I've got full control over the poor user's account and the
ability to spam all of their followers. Watch out, Ashton!

I can't believe that the Twitter API permits this, but doesn't allow
me to do something simple and useful like emailing the person a list
of their followers. Am I missing something?

Dave.
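
One way a service could close the hole described in the post above, shown as an added example that is not part of the original message and is not Twitter's code: treat the email address as an account-recovery field that a delegated OAuth token can never change, and that a first-party session can only stage until the new address is confirmed. All names (`Caller`, `apply_profile_update`, `RECOVERY_FIELDS`) and the sample addresses are hypothetical.

```python
from dataclasses import dataclass

# Fields that decide where a password-reset message is delivered.
RECOVERY_FIELDS = {"email"}


class Denied(Exception):
    """Raised when a caller is not allowed to change a field."""


@dataclass
class Caller:
    user_id: int
    via_oauth: bool                         # request signed with a delegated app token
    recently_reauthenticated: bool = False  # password re-entered in a first-party session


def apply_profile_update(caller, profile, changes):
    """Return (new_profile, pending) without modifying `profile`.

    Ordinary fields are applied directly. Recovery fields are refused for
    delegated tokens and otherwise only staged in `pending`, so reset mail
    keeps going to the old address until the new one is confirmed.
    """
    new_profile = dict(profile)  # work on a copy so a denial changes nothing
    pending = {}
    for field, value in changes.items():
        if field not in RECOVERY_FIELDS:
            new_profile[field] = value
        elif caller.via_oauth:
            raise Denied(f"{field} cannot be changed with a delegated token")
        elif not caller.recently_reauthenticated:
            raise Denied(f"{field} change requires re-entering the password")
        else:
            pending[field] = value
    return new_profile, pending


if __name__ == "__main__":
    # Constructed sample data.
    profile = {"name": "Dave", "email": "owner@example.com"}
    app = Caller(user_id=1, via_oauth=True)
    print(apply_profile_update(app, profile, {"name": "David"}))
    try:
        apply_profile_update(app, profile, {"email": "other@example.net"})
    except Denied as err:
        print("denied:", err)
```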
