Twitter has implemented OAuth for third-party logins, allowing users to centrally control which sites have access to their Twitter accounts without sharing their passwords with those third parties. This reduces the risk of full account credentials being misused, since the user authenticates with Twitter directly and must explicitly authorize each application, and an authorization can be revoked without changing the password.
But this doesn’t mean that individuals are completely safe from nefarious behavior at the hands of third-party application providers.
Take for example Twibbon. Twibbon is a service that allows you to place a badge on your Twitter icon. Many of my followers have used Twibbon to decorate with sports teams, frameworks they prefer, or other icons. I even used it to add a Clemson tiger paw to my icon for a bit.
But Twibbon does some pretty uncool things. First, as soon as you add the icon they post a tweet "on your behalf" announcing that you use Twibbon and suggesting that your followers should, too. They do not, of course, give you the option to opt out of this behavior. That's strike one.
Strike two was the discovery today that Twibbon also adds its own account to the list of people you follow. That's right: without asking, they use your account to follow Twibbon. This behavior is not well disclosed, either, nor can you opt out.
But for the third strike, they had to go one step further and do something completely nefarious and rude: they also take the liberty of turning on SMS notifications for their own account, so that every Twibbon tweet is sent to your phone as a text message. I discovered this trick when I was examining the list of people that I follow. I don't have any updates sent to me via SMS, except for direct messages, because I don't like using my text messages when I can just read tweets on my iPhone for free (using Tweetie).
Technically, Twibbon discloses most of this behavior. In little tiny letters, they tell you that they are going to tweet on your behalf and have you follow them. But they do not disclose that they will be signing you up for SMS updates.
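The only way to catch changes like these is to compare the accounts you follow, and their notification settings, before and after authorizing an application. The script below is an added example, not code from the original post or from Twibbon or Twitter; it runs an audit over two constructed snapshots of a "people I follow" list. The field names (`screen_name`, `notifications`) and the hypothetical app account `badgeapp` are assumptions modelled on the shape of Twitter's classic user objects, not data taken from the page.

```python
"""Audit a 'people I follow' list for changes a third-party app made silently:
accounts newly followed and accounts switched to SMS/device notifications.

All sample data here is constructed. The user-object fields 'screen_name' and
'notifications' are an assumption modelled on Twitter's classic API shape.
"""
import json

# Constructed snapshot taken before authorizing the third-party app.
BEFORE_JSON = """[
  {"screen_name": "alice", "notifications": false},
  {"screen_name": "bob",   "notifications": false}
]"""

# Constructed snapshot taken afterwards. A hypothetical app account
# "badgeapp" has been added to the list and its notifications flag turned
# on, which is the behaviour described in the post.
AFTER_JSON = """[
  {"screen_name": "alice",    "notifications": false},
  {"screen_name": "bob",      "notifications": false},
  {"screen_name": "badgeapp", "notifications": true}
]"""


def load_following(raw):
    """Parse a JSON array of user objects into {screen_name: notifications_on}.

    Screen names are lower-cased so that case differences between snapshots
    do not produce false 'new follow' reports.
    """
    following = {}
    for user in json.loads(raw):
        name = user["screen_name"].lower()
        following[name] = bool(user.get("notifications", False))
    return following


def audit_following(before_raw, after_raw):
    """Compare two snapshots and report what changed.

    Returns a dict with three sorted lists:
      new_follows        - accounts present only in the 'after' snapshot
      sms_enabled        - every account with notifications on after the change
      sms_newly_enabled  - accounts whose notifications were off (or absent)
                           before and are on now; this is the silent opt-in
    """
    before = load_following(before_raw)
    after = load_following(after_raw)

    new_follows = sorted(set(after) - set(before))
    sms_enabled = sorted(name for name, on in after.items() if on)
    sms_newly_enabled = sorted(
        name for name in sms_enabled if not before.get(name, False)
    )
    return {
        "new_follows": new_follows,
        "sms_enabled": sms_enabled,
        "sms_newly_enabled": sms_newly_enabled,
    }


if __name__ == "__main__":
    report = audit_following(BEFORE_JSON, AFTER_JSON)
    for key, names in report.items():
        print(f"{key}: {', '.join(names) or '(none)'}")
```

In practice you would fetch the two snapshots from the account's "following" list (via the API or by exporting the settings page) before and after granting an application access, and treat anything in `new_follows` or `sms_newly_enabled` that you did not do yourself as the application's doing.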
Services like Twibbon provide value to Twitter, but they cannot be allowed to simply opt you into their marketing schemes on a whim, not when they have been given read and write access to your account. OAuth keeps your password out of a third party's hands, but it does nothing to limit what an application does with the access you grant it. Twitter needs to do more to ensure that services like Twibbon disclose these kinds of actions and allow you to opt out of them.