Saturday, January 15, 2011

Twitter Direct Messages Are Not Encrypted.

By Cesar Ortiz
A protocol issue in Twitter can give website developers who have been granted access to users' private direct messages the ability to read their text: messages exchanged between two people that are not meant to be shared on Twitter or with anyone else. The Twitter API, the component a developer installs in another website to connect it with Twitter, can let anyone with access to that website's code read the text of your direct messages. In layman's terms, this access can be granted whenever you log into Twitter, or into a site (such as a blog) that uses Twitter and asks for your Twitter user name and password. Professional developers usually could not care less what one user writes to another; they do not want this information. That said, you cannot tell from the login screen who does and who does not see the text of your direct messages.

Twitter requires developers to use the OAuth protocol for user login specifically to avoid the issue of an application being able to read and keep your user name or password. OAuth is a protocol that limits the information handed to the other side. Using Twitter as an example: the site's simple yet powerful API created a rich community of applications built on top of its platform, but without OAuth, for those applications to update your status on Twitter they had to ask for your password. When you handed it over, you not only exposed your password to someone else, you also gave them full access to do as they wished; they could do anything they wanted, even change your password and lock you out. By requiring OAuth, Twitter prevents disclosure of your user id and password to the developer.

Although the login transaction is fully protected, the developer is still able to see your text, because it is not encrypted. OAuth protects the connection process, not the text. Developers process thousands of messages daily, and these developers are all very well known to Twitter.
I am sure Twitter has the means to track ill behavior by a developer, but if you need to send a sensitive private message to a Twitter user, try to find the user's e-mail address or SMS number and use one of the many services that encrypt messages. In general, a user either trusts an application or service with their information or does not; it is the user's choice.
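To make the distinction concrete, here is an added example (my own, not from the post and not Twitter's real API: the user names, passwords, messages and scope names such as `direct_messages` are constructed) of a toy authorization model in Python. An app that receives a user's password can do anything, including change that password, while an OAuth-style token limits the app to the scopes the user granted and never carries the password. Yet a token that includes the direct-message scope still returns the message text in the clear, which is exactly the point above: the login is protected, the content is not.

```python
"""Toy model contrasting password sharing with OAuth-style delegated access.

Constructed example: users, passwords, messages and scope names are made up;
this is not Twitter's real API or its real scope names.
"""
import secrets
from dataclasses import dataclass

# Constructed user database: password plus stored direct messages (plaintext).
USERS = {
    "alice": {
        "password": "correct-horse-battery",
        "direct_messages": ["meet at 5pm", "the spare key is under the mat"],
    }
}

VALID_SCOPES = {"read_timeline", "direct_messages"}  # constructed scope names


@dataclass(frozen=True)
class AccessToken:
    """What an OAuth-style flow hands to a third-party app: an opaque value
    bound to one user and a fixed set of scopes. No password inside."""
    user: str
    scopes: frozenset
    value: str


_TOKENS = {}  # token value -> AccessToken; held by the provider, not the app


def _check_password(user, password):
    record = USERS.get(user)
    if record is None or not secrets.compare_digest(record["password"], password):
        raise PermissionError("bad credentials")
    return record


# --- Path 1: the app asks for your password (pre-OAuth) ---------------------

def legacy_app_login(user, password):
    """The app now holds the raw credentials and is indistinguishable from you."""
    _check_password(user, password)
    return {"user": user, "password": password}


def legacy_change_password(session, new_password):
    """Nothing stops an app holding your password from locking you out."""
    _check_password(session["user"], session["password"])
    USERS[session["user"]]["password"] = new_password
    return True


# --- Path 2: OAuth-style delegation ------------------------------------------

def authorize(user, password, requested_scopes):
    """Runs on the provider's own login page: the user proves identity to the
    provider and consents to the scopes; the app receives only an opaque token."""
    _check_password(user, password)
    scopes = frozenset(requested_scopes)
    unknown = scopes - VALID_SCOPES
    if unknown:
        raise ValueError(f"unknown scopes: {sorted(unknown)}")
    token = AccessToken(user, scopes, secrets.token_urlsafe(24))
    _TOKENS[token.value] = token
    return token.value


def _lookup(token_value):
    token = _TOKENS.get(token_value)
    if token is None:
        raise PermissionError("unknown or revoked token")
    return token


def read_direct_messages(token_value):
    """Scope is enforced, but a granted scope returns the text in the clear:
    OAuth protects the login, not the content."""
    token = _lookup(token_value)
    if "direct_messages" not in token.scopes:
        raise PermissionError("token lacks direct_messages scope")
    return list(USERS[token.user]["direct_messages"])


def change_password_with_token(token_value, new_password):
    """No scope grants account takeover; password changes need a real login."""
    _lookup(token_value)
    raise PermissionError("account credentials cannot be changed with an app token")


def revoke(token_value):
    """The user or provider can cut one app off without changing the password."""
    return _TOKENS.pop(token_value, None) is not None


def denied(fn, *args):
    """True if the call is refused with PermissionError (helper for checks)."""
    try:
        fn(*args)
    except PermissionError:
        return True
    return False


if __name__ == "__main__":
    tok = authorize("alice", "correct-horse-battery", ["direct_messages"])
    print("token carries no password:", "correct-horse-battery" not in tok)
    print("but the DM text is readable by the app:", read_direct_messages(tok))
```

Revocation is the practical upside of the token path: a user who stops trusting an app can cut off that one token while the password and every other app keep working, whereas a shared password can only be rotated everywhere at once.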
