> > > I am trying to integrate Twitter OAuth with my website. Right now
> > > I can use this API
> > > (https://twitter.com/account/verify_credentials.xml) to get lots
> > > of profile information like user ID, screen name, but I didn't find
> > > any info about the user email address. Is there any API to get the
> > > email address? Thanks in advance.
> >
> 
> Is there any reason Twitter doesn't support it? It is so weird.

Levity aside, even if the user grants you rights to do everything else
possible with his or her Twitter account, that does not absolve Twitter
of the right and the responsibility to maintain the privacy of the
email address used on the account.

There is also the next logical stop after getting an address via the
API, which is changing it via the API. Why not allow that too? Well,
maybe because it would make using OAuth as insecure as using basic with
3rd party services. Being able to change the email address on an account
that offers password recovery services is the same as being able to
change the password and lock out the original user. 

Identifying the email account used to register for a service is not only
a spam concern, but it is also a step towards being able to hijack the
account. Instead of needing to crack one password to access the
account, a hacker can choose one of two. Also, most email users don't
control their own mail infrastructure, so passwords shared across
accounts and the lack of implementation of secure protocols for services
means that doubling the number of services exposed to attack more than
doubles the chances of an attack being successful.

I'm not saying that Twitter is a secure service, but that publishing
the email address given by the user for the service - even to those who
provide some credentials or level of trust for the account - presents an
additional level of trust that cannot be safely implied from the
initial delegation. 

Chris Babcock
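The design the reply argues for, as an added example that is not part of this thread and not Twitter's actual API: a toy resource server that serves the profile endpoint to a delegated OAuth token without the recovery e-mail, refuses an e-mail change from any delegated token regardless of granted scopes, and allows the change only to a password-authenticated first-party session. Scope names, account fields and the password hashing are constructed for the example.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Every scope a third party could ask the user to delegate (constructed names).
ALL_DELEGABLE_SCOPES = frozenset({"read_profile", "write_profile", "post_status", "read_dms"})


@dataclass
class Account:
    user_id: int
    screen_name: str
    email: str            # recovery address: never released to a delegated token
    password_hash: bytes


@dataclass(frozen=True)
class DelegatedToken:
    user_id: int
    scopes: frozenset


def hash_password(password: str) -> bytes:
    # Toy hashing for the example only; a real service uses a slow, salted KDF.
    return hashlib.sha256(password.encode()).digest()


class ResourceServer:
    def __init__(self, accounts):
        self._accounts = {a.user_id: a for a in accounts}

    def verify_credentials(self, token: DelegatedToken) -> dict:
        """Profile endpoint: public fields only, whatever scopes were granted."""
        if "read_profile" not in token.scopes:
            raise PermissionError("read_profile scope required")
        acct = self._accounts[token.user_id]
        # The e-mail field is deliberately absent from the response.
        return {"id": acct.user_id, "screen_name": acct.screen_name}

    def update_email(self, token: DelegatedToken, new_email: str) -> None:
        """A recovery-address change is refused for every delegated token,
        because it would be equivalent to a password reset by the third party."""
        raise PermissionError("recovery e-mail cannot be changed through a delegated token")

    def update_email_first_party(self, user_id: int, password: str, new_email: str) -> bool:
        """Only a password-authenticated first-party session may change the address."""
        acct = self._accounts[user_id]
        if not hmac.compare_digest(hash_password(password), acct.password_hash):
            return False
        acct.email = new_email
        return True

    def email_of(self, user_id: int) -> str:
        return self._accounts[user_id].email


def build_server() -> ResourceServer:
    # Constructed sample account.
    return ResourceServer([Account(42, "alice", "alice@example.com", hash_password("correct horse"))])


def delegated_attempt(server: ResourceServer) -> tuple:
    """Exercise a token holding every delegable scope: profile without e-mail,
    and the e-mail change is blocked."""
    token = DelegatedToken(42, ALL_DELEGABLE_SCOPES)
    profile = server.verify_credentials(token)
    try:
        server.update_email(token, "other@example.com")
        blocked = False
    except PermissionError:
        blocked = True
    return profile, blocked


if __name__ == "__main__":
    srv = build_server()
    print(delegated_attempt(srv))
    print(srv.update_email_first_party(42, "wrong", "other@example.com"), srv.email_of(42))
    print(srv.update_email_first_party(42, "correct horse", "new@example.com"), srv.email_of(42))
```

The point of the split is that the e-mail address is treated as a recovery credential rather than profile data: a third party holding even the widest delegated token never sees it and cannot change it, so compromising that third party does not hand over the account.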