Personally, I believe that this will be one of the features of web3.0*. The ability to have a single login, not having to log in anywhere and your profile will be recognized, etc. (OAuth, OpenID, etc). We could almost say browser-identifiable-security where one browser window (with as many tabs as you want) could be associated with a single account and all websites you visit would know about you and your information. The idea itself is very neat, but brings with it issues around user privacy.

Whilst this is a really cool concept from a developers point of view, I can easily see why anyone would be scared of the ability to retrieve your Twitter profile from within any webpages. I have found a few other services and web apps with public APIs that are also affected by that sort of bug –  if they consent to being named, I’ll do so here.

The type of vulnerability we’re talking about here is commonly known as a CSRF vulnerability . Twitter has some protection against this attack on the forms that are used to write to the profile settings, direct messages, etc. It’s rather trivial to protect from CSRF — some good methods out there include adding encrypted tokens as well as verifying cookies — but the fact that http://twitter.com/statuses/user_timeline.xml is accessible by anyone logged in to Twitter, it means that it will also be available to the websites they visit.

For instance, using jQuery,  a malicious website could run something as such as:

1
2
3
4
5
6

$(document).ready(function() {
$.getJSON("http://twitter.com/statuses/user_timeline.json, null, function(data) {
// Do something interesting with the user data you have just collected
// Maybe ajax request to your own server to insert the data?
});
});

Using this you could easily track anyone who comes to your website and also retrieve a list of their friends if you feel a bit more … creative.

Basically the process is as follows:

Twitter Attack Scheme Diagram

1. The user logs in Twitter
2. Twitter creates a cookie and logs the user in
3. The user (while still logged in to Twitter) visits a malicious website
4. The malicious website uses the weak-cookie and retrieves information about the user
5. The malicious website outputs the data as usual and says nothing to the user.

One of the main implications of this openness and lack of user communication is user privacy. Many people could potentially be exposed with their names/profiles available in the wild. This will affect their privacy in a way that websites they visit could become known to everyone (And do we know how bad this could be in terms of reputation… :P)

I can think of two possible solutions to this problem. First, ensure a stronger authentication system for retrieving any API methods and even reading user information — not allowing the main website cookie to be used with the API would be a start. It’s a bit radical, but it may be the only option. A second option might be that the user gets choice whether to make their profile cross session available or not.

I’m not sure what they’ll choose but today after a few rants and playing around, I realized that this issue will probably become mainstream with other apps in the months and years to come, but only if the user is informed and their privacy respected.

* Some ideas from this post will be in my talk on Web 3.0 at ossbarcamp

[Thanks to Turtle Kid and the awesome War Games ]

A few days ago we were granted commit access to the kick ass,  award winning Adobe AIR Twitter client Spaz.

We are delighted to be part of another open source project, and one that takes a new and innovative approach to web and desktop development.

The Spaz client is a cross-platform (available on AIR platforms) client that allows people to interact with Twitter in a whole new way. It’s great for both regular computer users in it’s ease of use, and heavy twitter users. For example you have different themes with Spaz but you can also override the CSS design to customise the app’s appearance.

The application supports markdown, it minimizes to system tray on windows, it has a URL shortening helper, retweet functionality, the ability to add favourites, the ability to delete messages, twitpic support, and much more.

You can of course go directly on Spaz’s website and read more about it and try it out