May 24, 2007
There’s a hole in your Twitter
You know Twitter, yeah? And you know how people love it because they can stay in touch with their friends and communicate privately what they’re up to?
Well. If you use it like this and are happily twittering away about people you work with, or fancy, or both, or whatever, you probably ought to know that everything you think is protected (private) within Twitter actually isn’t.
Due to (I assume) some quirk of the API, things can be protected within the twitter.com realm, but available for the whole world to see via Twittervision, regardless of their privacy preferences. That means that someone who’s twittering privately at twitter.com/[username] is actually visible to everyone at twittervision.com/[username].
I’ve got examples, but for obvious reasons, I’m not going to share them here.
And if you thought that wasn’t bad enough, those twittervision userpages with archived messages on them are now showing up in search engine results.
That’s bad.
Twitter people: sort it out, please.
Update, 18.25
After Bobbie Johnson contacted Biz & chums about the problem it looks like the hole’s been plugged (for now).
However, since it was obviously open for a while, its legacy lingers in the form of Google’s cache.
Side note: I’m still not sure why it only seems to have revealed *some* of my private posts to Twittervision. Weird.
Update, later still:
Alex from Twitter got in touch in the comments to share the official take on this issue: essentially, it’s not a problem with the Twitter API, but instead an issue with the way that Twittervision displayed the user data.
Now, I don’t have any memory of providing login info to Twittervision – in fact, I’m nearly 100% convinced that the first time I provided any details to the site was yesterday, trying to log in and figure out how to make my contributions private – but leaving that to one side, I have to say that, like Dan Hon, I was less than thrilled with Twittervision developer David Troy’s response to Bobbie, earlier in the day when the issue was pointed out. He said:
“For what it is worth, the number of people who participate in something like Twitter who also opt to keep updates private is a pretty small percentage, and you are the first person to bring this up to me,” he said. “If this were a widespread concern I would have heard about it from others by now.”
Yeah? Well, just because something doesn’t affect a lot of people doesn’t mean it’s not something to take seriously – people care about privacy. Plus, if you’re affected by it, it is a big deal.
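The official explanation above describes a confused-deputy problem: a follower who is entitled to read a protected friend’s updates logs in to a third-party aggregator, the aggregator fetches that follower’s timeline (which legitimately contains the protected updates), and then renders everything on a public, crawlable page. The gate that was missing sits at the point where data crosses from “fetched on behalf of one user” to “shown to the world”. The example below is added here and is not Twittervision’s or Twitter’s code; the sample feed and the usernames are constructed, and only the `protected` flag on the user object reflects how the Twitter API marks protected accounts. It shows the broken re-publication logic beside a gate that checks the author’s flag, fails closed when the flag is absent, and re-applies current flags to an archive so an author who later goes private does not linger in the cache.

```python
"""Re-publication gate for a third-party aggregator (added example).

A feed fetched with one user's credentials may contain protected updates that
only that user is allowed to see.  Anything rendered on a public page must be
filtered by the *author's* privacy flag, not by whether the fetch succeeded.
"""
from __future__ import annotations

import json
from dataclasses import dataclass

# Constructed sample of a friends-timeline fetch made while logged in as "alice".
# "carol" is a protected account that alice is approved to follow; the other
# authors are public.  Values are made up for illustration.
SAMPLE_FEED = json.dumps([
    {"id": 1, "text": "lunch at the usual place",
     "user": {"screen_name": "bob", "protected": False}},
    {"id": 2, "text": "interviewing at a competitor tomorrow",
     "user": {"screen_name": "carol", "protected": True}},
    {"id": 3, "text": "shipped the thing",
     "user": {"screen_name": "dave", "protected": False}},
])


@dataclass(frozen=True)
class Status:
    id: int
    author: str
    text: str
    protected: bool


def parse_feed(raw: str) -> list[Status]:
    """Parse the JSON feed.  A missing `protected` flag is treated as True:
    when the privacy state is unknown, the safe default is to not publish."""
    out = []
    for s in json.loads(raw):
        user = s["user"]
        out.append(Status(
            id=int(s["id"]),
            author=user["screen_name"],
            text=s["text"],
            protected=bool(user.get("protected", True)),
        ))
    return out


def publish_naive(statuses: list[Status]) -> list[int]:
    """The broken behaviour: every fetched item goes on the public page,
    because 'we were able to fetch it' is mistaken for 'it is public'."""
    return [s.id for s in statuses]


def publish_respecting_privacy(statuses: list[Status]) -> list[int]:
    """Hardened: only updates from public authors may appear on a page that
    anyone (including search-engine crawlers) can read."""
    return [s.id for s in statuses if not s.protected]


def viewer_can_see(status: Status, viewer: str,
                   followers_of: dict[str, set[str]]) -> bool:
    """Per-viewer check for pages served to logged-in users: a protected
    author's update is visible only to the author and approved followers."""
    if not status.protected:
        return True
    return viewer == status.author or viewer in followers_of.get(status.author, set())


def purge_cache(cached: list[Status],
                current_protected: dict[str, bool]) -> list[Status]:
    """Re-apply the authors' *current* flags to an archive, so someone who
    switched to protected after being archived is dropped.  Authors whose
    current state is unknown are dropped as well (fail closed)."""
    return [s for s in cached if not current_protected.get(s.author, True)]


if __name__ == "__main__":
    feed = parse_feed(SAMPLE_FEED)
    print("naive public page  :", publish_naive(feed))
    print("gated public page  :", publish_respecting_privacy(feed))
    print("carol's item, seen by alice  :",
          viewer_can_see(feed[1], "alice", {"carol": {"alice"}}))
    print("carol's item, seen by mallory:",
          viewer_can_see(feed[1], "mallory", {"carol": {"alice"}}))
```

The two points a practitioner should take from this: the credential used to fetch data says nothing about who may read the result, and an archive needs the same check re-run against current privacy state, not the state at fetch time.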
Holy crap.
Well, I’m fucked then.
*gulp*
[...] Meg points out an enormous, fat hole in Twitter which means your private stuff is available to anyone: You know Twitter, yeah? And you know how people love it because they can stay in touch with their friends and communicate privately what they’re up to? Well. If you use it like this and are happily twittering away about people you work with, or fancy, or both, or whatever, you probably ought to know that everything you think is protected (private) within Twitter actually isn’t. [...]
That is bad. So glad I don’t use it!
My original understanding was that Twittervision (which for anyone who doesn’t know, is entirely separate from, and unendorsed by Twitter) acquired its data by repeatedly scraping the RSS feed of the public timeline. Therefore if you didn’t make it to the public timeline, you were safe (but if you’d changed your privacy settings in the past, anything public would be archived until the End of Time.)
I get the impression some recent work they’ve done has accidentally broken things and no-one has noticed yet.
Whatever, it’s a huge cock-up by Obvious.
I note also that, whilst it doesn’t have the strain of handling all the tweets, Twittervision is now arguably looking considerably more sophisticated than Twitter itself.
I’ve just tried this – and it not only shows your messages – it shows your location and all of your contacts.
Disturbing!
[...] So Bobbie’s reporting that the hole in Twitter has been fixed, but there’s one particular quote in the piece attributed to Dave Troy, the developer of Twittervision: “For what it is worth, the number of people who participate in something like Twitter who also opt to keep updates private is a pretty small percentage, and you are the first person to bring this up to me,” he said. “If this were a widespread concern I would have heard about it from others by now.” [...]
I noticed this bug already a few weeks ago: http://twitterfacts.blogspot.com/2007/05/private-twitter-accounts-visible-in.html
Please check out the official word on this: http://twitter.com/blog/2007/05/twitter-api-respects-your-privacy.html
[...] Update: Fred did it again today – went and posted something relevant – Your Private Twitters Aren’t: If you’ve been Twittering privately for the past few months, I’ve got some bad news. As reported by Meish, the Twitter API does not enforce privacy ACLs, meaning all of your private Twitters are available to the public. To check this out for yourself, visit http://twittervision.com/username, and you’ll be able to see private Twitter streams. [...]
Twitter’s official response isn’t exactly correct. I never provided Twittervision my credentials, but my information was leaked as well. Google cache now has my private Twitters.
http://chimprawk.blogspot.com/2007/05/your-private-twitters-arent.html
To summarise the response from both Twitter and Troy (I’ve updated the post on the Guardian Tech pages – http://blogs.guardian.co.uk/technology/archives/2007/05/24/glitch_leaves_private_twitter_users_exposed_to_the_world.html):
they say the problem revolved around the fact that when any of your contacts logged in to Twittervision, they unknowingly gave permission for the service to scrape your feeds regardless of whether you had set them to private or not. Not an API issue per se, but there’s clearly a problem with the way people have implemented the API – especially if, as Bruno points out, it’s also happening on other services.
Go check out http://www.mobifeedlive.com/; it lets you search all the past conversations on Twitter in the last month or so. If it came across the public API it would be in there.
A glitch is a glitch. Anyone can make a mistake. But as long as the phone numbers weren’t made public and this hole wasn’t much noticed or abused, and it’s just a glitch, not a biggie. However, it could have been a lot worse…
SearchCap: The Day In Search, May 25, 2007…
Below is what happened in search today, as reported on Search Engine Land and from other places across the web:…
[...] http://meish.org/2007/05/24/theres-a-hole-in-your-twitter/ as I’ve said before: there *is* no indoor/outdoor voice anymore. Ignore this reality at your own peril. [...]
I would never assume that something like twitter is truly private. My mother or my boss might not be able to find it, but I assume that my company, a crafty PI, or the cops will be able to find it. It is just part of this age.