15/10 2009

Beware the Twitter API

I found a bit of a glaring hole in the twitter API the other day. I have a protected Twitter account and all I wanted to do on the Webegg site was to show one Tweet (the latest one) on my site so that anyone visiting had an idea what I was talking about with friends and clients. The way I did it was to use a combination of the twitter API and Javascript.

The Twitter API can be used via the address bar to get hold of a json output of your account. This gives you the relevant information that you can break up and display on your page (I use jQuery to do this - well I did). The following javascript is part of what I used to use:

$.getScript("" + o.userName + ".json?callback=twitterCallback2&count=" + o.numTweets, function () {
  // remove preLoader from container element

  // show twitter list
  if (o.slideIn) {
  else {

  // give first list item a special class
  $("ul#twitter_update_list li:first").addClass("firstTweet");

  // give last list item a special class
  $("ul#twitter_update_list li:last").addClass("lastTweet");
  //$("ul#twitter_update_list li a").attr("rel","external");

  $('ul#twitter_update_list li a').click(function () {;
    return false;

To my surprise, whenever anyone visited my site where this script was getting the latest tweet, it automatically logged them into my twitter account, giving them access to all my settings.

It was only thanks to a local small company who hadn't realised exactly what had happened and send me a message, that I found out about this security loophole in the Twitter API. I was very lucky and now do it properly with php so it won't happen again. Hopefully this little word of wisdom will help any other developers fix this issue on their own sites.

Leave a Reply

Your email address will not be published. Required fields are marked *

This article is in the Twitter category. Here are some other related articles also in this category.