> Yesterday I noticed a JavaScript prompt on one Tumblr blog asking for
> Twitter username/password.
> I thought it was some kind of new phishing scam, I even wanted to
> report it to Twitter.
> 
> Now I just saw the link sent from @twitterapi account and it also does
> the same thing - asking for username/password.
> 
> http://api.twitter.com/1/users/lookup.xml?user_id=12863272,3191321,9160152,8285392,795649,15266205
> 
> What is this? Is this legit? I thought we have come a long way with
> OAuth so no app should even ask for user's Twitter username/password.
> If this is a legit JavaScript based API from Twitter, then it stinks.

It's an authenticated API method. If you're not passing an authentication
header, OAuth or otherwise, of course it will ask; it's intended as a backend
method like any other API method, not a user-facing one. Also, here's what it
actually is, straight from the horse's^WRaffi's mouth:

zb2> <twitterapi> will document soon, but try 
http://api.twitter.com/1/users/lookup.xml?screen_name=jkalucki,noradio,mccv,raffi,rsarver,wilhelmbierbaum
 ^RK
zb3> <twitterapi> and the equivalent 
http://api.twitter.com/1/users/lookup.xml?user_id=12863272,3191321,9160152,8285392,795649,15266205
 ^RK
zb4> <twitterapi> and to go crazy 
http://api.twitter.com/1/users/lookup.xml?user_id=12863272,3191321,9160152,8285392&screen_name=rsarver,wilhelmbierbaum
 ^RK
zb5> <@twitterapi> @mchristian 20 at a time max- that's 1 API request. standard 
number of API calls an hour apply. in total 1000 total lookups an hour. ^RK

-- 
------------------------------------ personal: http://www.cameronkaiser.com/ --
  Cameron Kaiser * Floodgap Systems * www.floodgap.com * ckai...@floodgap.com
-- A straw vote only shows which way the hot air blows. -- O. Henry -----------
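
A defender-side check for the situation in this thread, added here as an example and not part of either message: given the responses to a page's embedded resources, it flags third-party URLs that answer 401 with a Basic or Digest challenge, which is what a browser turns into a username/password dialog. The blog URL, the response records and the realm strings are constructed, and that the lookup URL answers an unauthenticated request with a Basic challenge is an assumption.

```python
import re
from urllib.parse import urlsplit

# Challenge schemes assumed here to produce a browser's built-in login dialog.
PROMPTING_SCHEMES = {"basic", "digest"}

def challenge_schemes(header_values):
    """Return the lowercase scheme names found in WWW-Authenticate values."""
    schemes = []
    for value in header_values:
        # Split challenges on commas that are not inside a quoted string.
        for part in re.split(r',(?=(?:[^"]*"[^"]*")*[^"]*$)', value):
            first = part.strip().split(" ", 1)[0]
            if first and "=" not in first:  # "realm=..." is a parameter
                schemes.append(first.lower())
    return schemes

def would_prompt(status, header_values):
    """True if the response is a 401 carrying a Basic or Digest challenge."""
    return status == 401 and bool(
        PROMPTING_SCHEMES & set(challenge_schemes(header_values)))

def flag_prompting_embeds(page_url, responses):
    """List (url, host) for third-party resources that would raise a dialog."""
    page_host = urlsplit(page_url).hostname
    findings = []
    for url, status, challenges in responses:
        host = urlsplit(url).hostname
        if host != page_host and would_prompt(status, challenges):
            findings.append((url, host))
    return findings

# Constructed sample: a blog page and the responses to what it embeds.
PAGE = "http://blog.example/post/1"
LOOKUP = ("http://api.twitter.com/1/users/lookup.xml"
          "?user_id=12863272,3191321,9160152,8285392,795649,15266205")
RESPONSES = [
    (LOOKUP, 401, ['Basic realm="Twitter API"']),      # no Authorization sent
    ("http://blog.example/private.png", 401, ['Basic realm="blog"']),
    ("http://cdn.example/logo.png", 200, []),
    ("http://api.example/feed", 401, ['OAuth realm="a, b"']),  # no dialog
]

if __name__ == "__main__":
    for url, host in flag_prompting_embeds(PAGE, RESPONSES):
        print("credential prompt from third-party host:", host, url)
```

A finding means visitors would be asked for another site's credentials while looking at this page, so the embed should be removed or fetched server-side with proper authentication.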
