November 12, 2008

Twitterank Can Have My Password, No Questions Asked

Today Twitter was abuzz about the launch of a new site that ostensibly provides you with a numerical ranking, based on your followers, those you follow, and their collective clout. Twitterank, like Twitter Grader and others, is trying to deliver some kind of service to separate the influential from the less influential, as if we need more ways to do that. But the piece that has everyone stirring about its goals is the fact that it asks for your Twitter user name and password. Today, I checked out Twitterank, just like so many others, and gained a numerical score that may have no value at all. In that process, I trusted the developer and the site with my Twitter login data, and frankly, that's of no issue to me in any way. As I said the other day, I believe people are inherently good, and if you're trying to harvest a host of passwords, Twitter wouldn't be the place to do it in secret by any means. So I have no concerns.

The whole concept of Twitterank is questionable. First, why would anybody care what their rank was? Second, what would a numerical score of 50 mean? What about 100 or 200? No idea.

Additionally, the service's default checkbox that sent the results of your Twitterank score to Twitter surprised many people, myself included. I was just checking out the service to see what the fuss was about, only to find people making comments on my Tweet, which had made its way to Facebook and FriendFeed as well. Sure enough, my Twitterank of 230.65 had been released in the wild.

So the service itself has some oddities, even if it was my fault I left the box checked. But in my opinion, that they ask for your login credentials isn't one of them. Many other third party services, from Twitter Karma to Social Too, ask for your Twitter login and password. According to developers at those sites, the goal isn't to load up on user names and passwords, or to start tweeting under your ID; rather, they are forced to ask because Twitter has not implemented OAuth. Twitter Karma writes:
"Unfortunately, until Twitter implements OAuth, applications that act on behalf of Twitter users, such as Twitter Karma, require your Twitter username and password to access your data."
But the concern around such a new service, which initially didn't have a name associated to it, had many wondering if its goals were nefarious. ZDNet called Twitter users gullible, and Mashable asked if the service was stealing your password.

The downsides of somebody hacking into my Twitter account and getting my credentials are low to begin with. In theory, if my account were compromised, they could Tweet on my behalf and make me look like a fool for some time, until I managed to get to Twitter support. In the meantime, you'd be sure to hear about it, and I assume others would be vocal in my favor. Another concern would be if you or I used the same login and password combination on other services. The perpetrator could then guess your ID on other services, or even access your financial records or anything else sensitive. But again, given the other Twitter developers' comments regarding OAuth, I tend to believe this is something the coders are working around, and I don't think this is a mass account grab.

Late this afternoon, following the initial concerns voiced, the author quickly put together a blog post answering some questions. See "Some follow up…" In that post he, like Twitter Karma, points back to the microblogging service's limitations as the reason for needing the user name and password combo.
"There are ways for Twitter to make that data available without requiring you to give out your password to 3rd party sites (Facebook, Yahoo! and others have such systems) but Twitter doesn’t yet offer those options to developers. As soon as Twitter adds more secure authentication mechanisms, I’ll switch to that."
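The difference the two developer quotes above describe, between handing a site your password and the delegated, scoped authorization that OAuth-style systems provide, is easier to see in code. The following is an added toy model in Python, not code from Twitterank, Twitter Karma or Twitter; the MicroblogService and RankingApp classes, the "read"/"write" scope names and the sample account are all constructed for illustration. It shows what a password grants a third party (everything, including posting, until you change the password) versus what a scoped token grants (only what the user approved, revocable without touching the password).

```python
"""Constructed illustration: password sharing vs. delegated, scoped tokens.

Toy in-memory model only; not the real code of any service named in the post.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass


class AccessDenied(Exception):
    pass


def _hash(password: str, salt: str) -> str:
    # Toy salted hash; a real service would use a slow KDF such as scrypt.
    return hashlib.sha256((salt + password).encode()).hexdigest()


@dataclass
class Token:
    value: str
    user: str
    scopes: frozenset
    revoked: bool = False


class MicroblogService:
    """Stand-in for a service like Twitter (hypothetical name)."""

    def __init__(self):
        self._users = {}    # username -> (salt, password hash)
        self._tokens = {}   # token value -> Token
        self.followers = {}
        self.timeline = []  # (user, text)

    def register(self, user, password, followers):
        salt = secrets.token_hex(8)
        self._users[user] = (salt, _hash(password, salt))
        self.followers[user] = list(followers)

    def check_password(self, user, password):
        salt, digest = self._users[user]
        return hmac.compare_digest(digest, _hash(password, salt))

    # --- Password anti-pattern: the app presents the user's full credential ---
    def post_with_password(self, user, password, text):
        if not self.check_password(user, password):
            raise AccessDenied("bad credentials")
        self.timeline.append((user, text))   # nothing limits what the app may do

    # --- Delegated flow: the *user* approves a scope set; the app gets a token ---
    def authorize(self, user, password, scopes):
        if not self.check_password(user, password):
            raise AccessDenied("bad credentials")
        tok = Token(secrets.token_urlsafe(16), user, frozenset(scopes))
        self._tokens[tok.value] = tok
        return tok.value

    def revoke(self, token_value):
        self._tokens[token_value].revoked = True

    def _check(self, token_value, scope):
        tok = self._tokens.get(token_value)
        if tok is None or tok.revoked or scope not in tok.scopes:
            raise AccessDenied(f"token revoked or lacks scope {scope!r}")
        return tok.user

    def read_followers(self, token_value):
        return self.followers[self._check(token_value, "read")]

    def post(self, token_value, text):
        self.timeline.append((self._check(token_value, "write"), text))


class RankingApp:
    """Third-party ranker (hypothetical). Holds only a token, never the password."""

    def __init__(self, service, token):
        self.service, self.token = service, token

    def rank(self):
        # Toy score: ten points per follower.
        return len(self.service.read_followers(self.token)) * 10.0


def run_demo():
    svc = MicroblogService()
    svc.register("sample_user", "sample-password", ["a", "b", "c"])  # constructed
    out = {}
    # With the raw password, an app can post on the user's behalf, approved or not.
    svc.post_with_password("sample_user", "sample-password", "posted by app")
    out["password_app_posted"] = svc.timeline[-1] == ("sample_user", "posted by app")
    # With a read-only token, the same app can rank but not post.
    token = svc.authorize("sample_user", "sample-password", ["read"])
    app = RankingApp(svc, token)
    out["rank"] = app.rank()
    try:
        svc.post(token, "my rank is ...")
        out["write_blocked"] = False
    except AccessDenied:
        out["write_blocked"] = True
    # The user revokes the token; the app loses access without a password change.
    svc.revoke(token)
    try:
        app.rank()
        out["revoked_blocked"] = False
    except AccessDenied:
        out["revoked_blocked"] = True
    out["password_unchanged"] = svc.check_password("sample_user", "sample-password")
    return out


if __name__ == "__main__":
    print(run_demo())
```

The point a defender takes from it: with password sharing, the only way to cut off a third party is to change the password everywhere, and the app can do anything the user can, including the surprise auto-post described above. With a scoped token, the user approves exactly what the app may do and can withdraw it later.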
As right as we are to be smart about where we put our login data, I don't think we should be so quick to raise questions about people's negative motives. For every one bad apple, there are easily 99 good, and the bad apples don't usually get away with nonsense for too long. As for those of you who really do want to tweet on my behalf, send me an e-mail, and just maybe I'll give you my password. Or not.