As we surf the internet we often come across sites enticing us into their lair, offering us more content or the ability to interact with others. This inevitably requires you to remove the Harry Potter invisibility(!) cloak and identify yourself.

How many of us use Twitter as our login method? Have you stopped to consider what you are giving away?

Most blogs, and many other sites, love interaction/engagement/commenting -- call it what you will. Often we are given a choice of how to log in to the site. Facebook and Twitter IDs are commonly used (but others are available!).

You click on the sign-in button and opt for Twitter as your method of identification. You will have seen this box:

(Image: the Disqus permissions dialog for Twitter)

Have you actually taken a moment to read it? The permissions specifically. Are you comfortable with the application or website having permission to write tweets on your behalf, follow new people and post new direct messages?

From a developer's point of view Twitter only provides three permission levels: Read; Read/Write; Read/Write with Direct Messages. As an example, if the site/app you are authorising needs the ability to tweet when you click a button, it must request Read/Write permission. That single level also lets it follow and unfollow accounts, so it gets considerably more access to your Twitter account than it may need.

A quirk of the Read/Write permission is that it allows apps to send Direct Messages! They can't read your DMs, but they can send them. You can see where the Twitter spam creeps in?!
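To make the three-level model and its quirk concrete, here is an added example (not code from this post, Twitter or Disqus) that checks an app against the least-privilege question the post raises: given what an app actually needs to do, which level should it request, and what extra capabilities does the level it was granted hand it? The level names match the values Twitter's REST API returned in its `X-Access-Level` response header on authenticated calls; that header and the sample response headers below are assumptions constructed for the example.

```python
"""Least-privilege check for Twitter's three OAuth permission levels.

Added example: not code from the post, Twitter or Disqus. The header
parsing assumes the X-Access-Level response header of Twitter's REST API;
the sample headers below are constructed, not captured.
"""

# The three levels the post describes, least to most access.
LEVELS = ("read", "read-write", "read-write-directmessages")

# Minimum level each capability needs. Note that sending a DM sits at
# read-write, not at the DM level: that is the quirk the post describes.
REQUIRED_LEVEL = {
    "read_timeline": "read",
    "post_tweet": "read-write",
    "follow_user": "read-write",
    "send_dm": "read-write",
    "read_dm": "read-write-directmessages",
}


def rank(level):
    """Position of a level in the ladder; raises ValueError for unknown levels."""
    return LEVELS.index(level)


def can(granted, capability):
    """True if an app holding `granted` may perform `capability`."""
    return rank(granted) >= rank(REQUIRED_LEVEL[capability])


def minimum_level(needed):
    """The least permission level that covers every capability in `needed`."""
    if not needed:
        return LEVELS[0]
    return max((REQUIRED_LEVEL[c] for c in needed), key=rank)


def excess_capabilities(granted, needed):
    """Capabilities the granted level enables that the app says it does not need."""
    return sorted(c for c in REQUIRED_LEVEL if can(granted, c) and c not in needed)


def access_level_from_headers(headers):
    """Read the level from a response's X-Access-Level header (case-insensitive).

    Returns None if the header is absent, raises ValueError on an unknown value.
    """
    for name, value in headers.items():
        if name.lower() == "x-access-level":
            level = value.strip().lower()
            if level not in LEVELS:
                raise ValueError("unknown access level: %r" % value)
            return level
    return None


# Constructed sample: the headers a Read/Write app would see on a call
# such as verify_credentials (assumption, not a captured response).
SAMPLE_HEADERS = {
    "Content-Type": "application/json; charset=utf-8",
    "X-Access-Level": "read-write",
    "X-Rate-Limit-Remaining": "14",
}

# A commenting engine that only wants to read your profile and tweet
# a comment on request, which is the Disqus case in the post.
COMMENT_ENGINE_NEEDS = {"read_timeline", "post_tweet"}


def audit(headers, needed):
    """Summarise what a granted level gives an app beyond what it needs."""
    granted = access_level_from_headers(headers)
    return {
        "granted": granted,
        "minimum_needed": minimum_level(needed),
        "excess": excess_capabilities(granted, needed) if granted else [],
    }


if __name__ == "__main__":
    report = audit(SAMPLE_HEADERS, COMMENT_ENGINE_NEEDS)
    print(report)
    # A Read/Write grant is the minimum for tweeting, yet it also lets the
    # app follow accounts and send DMs on your behalf.
```

Run as a script it prints the audit for the commenting-engine case: the granted and minimum levels are both read-write, and the excess list names `follow_user` and `send_dm`. The point is that the model offers no way to request "tweet only", so any app that needs to tweet is handed follow and send-DM rights as well.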

The blame cannot sit squarely at the developers' door; Twitter has designed an ineffective security model. However, think very carefully before granting permission. Is the site reputable? Do you trust them?

For me personally, I never grant anyone access to my Direct Messages. Most sites do seem to default to the Read/Write Twitter permission, but if you are not keen for the site to be able to tweet on your behalf, or follow others, drop the website an email and ask why they need it.

I feel it is a clumsy security model and there have been several occasions when I decided not to comment as I am not happy with the level of access I need to provide.

This model can lead to many abuses. While the vast majority of sites using Twitter authentication will be reliable, there will also be a small percentage who go too far. I'm sure we have all received a Direct Message (DM) from a Twitter friend that is spam, or read a tweet about new diet pills from them. Most of these indiscretions are generated by rogue sites we have granted permission to, maybe not recently, but perhaps months or years ago, since an authorisation stays valid until you revoke it.

Take a moment to check who has access to your Twitter account by visiting Settings -> Apps in the web interface, or click... Revoke the permission of any websites or apps you are not familiar with. It will do no harm other than that you will need to re-authenticate if you use the site/app in the future.

There are two pieces of information Twitter never gives developers access to: your email address and your password. Revoking an app therefore costs you nothing beyond that re-authentication.

For the record, I use the Disqus commenting engine here at theOnlyCog - as detailed in my Comments Policy. It is a third-party app, used extensively around the web. I have no interaction with it and none of your information is shared with me. Disqus allows you to authenticate using Twitter and requests the Read/Write permission in order to be able to tweet your comments (if you so wish). I trust Disqus, which is why I use it here; however, it's your choice at the end of the day.

Incidentally, I also allow comments without using any authentication - click on the Name field and tick the guest option. (I will need to moderate the comment before it appears!)

Part two of this article (coming soon) will cover the same techniques using your Facebook identity.
