Thu Jan 01 2009

On Twply and giving out your Twitter password (updated)

It’s 2009 and people are still, well, naive. Just read a post by Robert Scoble about how Twply - apparently a service that sends replies you get at Twitter to your email - is using usernames and passwords for its users to send twitter messages with the users’ account (and of course, keeping that data to do as they please in the future). There’s 3 parties to blame about this whole thing:

twply 1) The user: if you consider your twitter account account a part of your identity (like I do), you shouldn’t be giving out your password to anyone. Particularly a service that has no terms of use or privacy policy showing. These people could be hijacking your account tomorrow and you would be to blame because you gave them the means to.

2) Twitter: because they’ve been sitting on their OAuth implementation for over a year now. Essentially, it would give users a way to provide external services with temporary access to the account, without actually giving the entire account away. This would provide a safe way for services to communicate without the user actually being in jeopardy. Twitter folks, what the hell?

3) Twply: because they’re violating trust and being shady. Interestingly, someone asked them (over Twitter, no less) if the passwords people were giving were encrypted on Twply’s service to which they replied ” yes they are”. Well, they can’t be or they wouldn’t be sending them to twitter, would they? [1]

The subject of trusting web applications and services with your data is complex and tricky. But there’s definitely apps out there that make it really clear that they’re shady. Problem is, naive users (looking for the latest bling because they see pundits mention the service) will still be lured in.###Footer notes

[1]: To put it simply, let’s say you give TWply your password, and they encrypt it. If they do encrypt it properly there’s no way to reverse the process, which means they can’t authenticate as you with Twitter (because instead of sending Twitter your password, they would be sending the encrypted version of it, which would be invalid). It is 99.999% safe to assume that these people are lying, here.


And bam, they’re sold! Not only do they have your passwords, they’ve sold themselves (and your data) to someone else to do as they please (remember folks, there’s no terms of use or privacy policy, here). With the passwords for accounts like @techcrunch, I was betting on a bit more than $1.200, but you know, they made a quick buck. My best recommendation: if you did give these people your password, go change it .