Twitter-specific. OAuth is a great standard but doesn't really provide standardized methods of extracting user information from an OAuth connected API. With Twitter you can call verify_credentials to get all of the information, so you can actually use OAuth both as an API access mechanism as well as a user recognition mechanism. Hope that explains a little bit.
However, am I wrong to think that this is still a terrible phishing accident waiting to happen?
I guess the worst that can happen, at this point, is that someone phishes your Twitter password. Assuming that nobody is crazy enough to use Twitterauth for logging into email or (god help us) a bank account, all one can do with someone's Twitter password is log in to Twitter and other Twitter applications.
But, wait... doesn't Tipjoy let a thief empty my bank account by Tweeting money to other people?
[Scramble to read the Tipjoy FAQ.]
Ah, the black hat can only give away the amount that is in my Tipjoy account, which has to be funded via (e.g.) Paypal. But can the thief log into Tipjoy using my Twitter credentials and then initiate a transfer to Tipjoy from Paypal or my bank, via stored credentials on Tipjoy? I have no idea.
But perhaps you're only allowed to send out a tiny amount at a time. Or there are steps to take to roll back the transactions in case of fraud (credit card chargebacks, if nothing else) -- perhaps this is a problem for my credit card company, Paypal, and/or Tipjoy, but not for me. And presumably I and/or my followers might notice fraud fairly quickly, since outgoing Tweets are much more visible than (say) outgoing email.
(Perhaps the next business opportunity is a service that monitors your Twitter feed for suspicious-looking activity that might not be your doing... ;)
Does Twitter have an appeal process for removing forged Tweets from one's account?
This Rails template uses Twitter OAuth, meaning you don't give away your username and password for Twitter. If an application "goes rogue" and starts posting unsolicited tweets or doing other nefarious practices, you can simply revoke access to the application from your Twitter account's "Connections" tab.
Twitter has a "Delete" option for Tweets so you could just manually remove any forged tweets. Of course you should still always be careful what services you associate with your Twitter account.
Tipjoy is filled up via PayPal, but not tied to your account. You can't pull more money than you already put in there.
Tipjoy could be compromised by phishing of either your Twitter or your Tipjoy password. This is equivalent to PayPal.
We allow a 3rd party to create a link to sign in a Tipjoy user, which requires a Twitter username & password, and eventually will work with OAuth:
http://tipjoy.com/api/#create_login_link
Related note: is there a "Twitter Helper" somewhere, ie a code snippet that renders a Twitter status message (with links the author ,@references and URLs)? Needing one right now.
Looking closer, it also ignores URLs with a fragment after a #. Looking closer still, adding these (@ and #) to the regex would open a whole new can of worms, since the parsing statements below would attempt to convert these to URLs as well. As it stand now, it would probably mess up URLs with those characters in them, since they would be parsed as usernames or hashtags.
Hence the dangers of grabbing stuff off the Internet, as I did! If I have time to fix this later I'll post an update.
16 comments
[ 3.1 ms ] story [ 44.8 ms ] threadHowever, am I wrong to think that this is still a terrible phishing accident waiting to happen?
I guess the worst that can happen, at this point, is that someone phishes your Twitter password. Assuming that nobody is crazy enough to use Twitterauth for logging into email or (god help us) a bank account, all one can do with someone's Twitter password is log in to Twitter and other Twitter applications.
But, wait... doesn't Tipjoy let a thief empty my bank account by Tweeting money to other people?
[Scramble to read the Tipjoy FAQ.]
Ah, the black hat can only give away the amount that is in my Tipjoy account, which has to be funded via (e.g.) Paypal. But can the thief log into Tipjoy using my Twitter credentials and then initiate a transfer to Tipjoy from Paypal or my bank, via stored credentials on Tipjoy? I have no idea.
But perhaps you're only allowed to send out a tiny amount at a time. Or there are steps to take to roll back the transactions in case of fraud (credit card chargebacks, if nothing else) -- perhaps this is a problem for my credit card company, Paypal, and/or Tipjoy, but not for me. And presumably I and/or my followers might notice fraud fairly quickly, since outgoing Tweets are much more visible than (say) outgoing email.
(Perhaps the next business opportunity is a service that monitors your Twitter feed for suspicious-looking activity that might not be your doing... ;)
Does Twitter have an appeal process for removing forged Tweets from one's account?
Twitter has a "Delete" option for Tweets so you could just manually remove any forged tweets. Of course you should still always be careful what services you associate with your Twitter account.
Tipjoy could be compromised by phishing of either your Twitter or your Tipjoy password. This is equivalent to PayPal.
We allow a 3rd party to create a link to sign in a Tipjoy user, which requires a Twitter username & password, and eventually will work with OAuth: http://tipjoy.com/api/#create_login_link
This isn't a big deal considering you can just tweet a payment with those same credentials. http://tipjoy.com/api/#creating_twitter_payment
We'll eventually become an OAuth provider, instead of using Twitter credentials.
Looking closer, it also ignores URLs with a fragment after a #. Looking closer still, adding these (@ and #) to the regex would open a whole new can of worms, since the parsing statements below would attempt to convert these to URLs as well. As it stand now, it would probably mess up URLs with those characters in them, since they would be parsed as usernames or hashtags.
Hence the dangers of grabbing stuff off the Internet, as I did! If I have time to fix this later I'll post an update.
Why didnt they just define urls by a simple FSM / regex in an RFP ?
Hey, I complain about the internet..but I do appreciate RFCs... Sweet lord, have a look at the UML / MOF spec - its hilariously vague and amorphic.