Be Aware: Twitter API Uses Basic Authentication and a Twitter Toy

For those of you who have embraced the web movement that has become known as Twitter, be aware that the widely used Twitter API employs only web-based Basic Authentication. The credentials (login and password) are sent to the web API with only a simple HTTP POST and are unencrypted. I could not locate a means of even using HTTPS when sending tweets to the API.

The credentials are sent over the web in the standard form of “login:email”. They are base64 encoded first, so they are not exactly in plain sight, but base64 is far from cryptography and is beyond trivial to identify. Any attacker with a sniffer or sitting at a proxy in the stream can easily capture and decode those credentials.

The moral of the story is, if you use Twitter, make sure you use a password uniquely created for that service, since it will be trivial for an attacker to expose. Be aware that most, if not all, existing clients and twitter extensions use this same mechanism.

While twitter is proving to be a popular and useful mechanism for micro-blogging, it also comes with some inherent risks that include exposure of information that could lead to social engineering attacks and password exposure issues. Use twitter with some caution and all should be well, but without common security sense, twitter (like many other things) may be sharper than expected.

You can find a ton of information about the Twitter API here.

You can follow me on twitter here.

You can download the tool, twittercli, that I was writing when I saw this from the following locations (Not endorsed by MicroSolved, Inc. — Just a personal project!):

TwitterCLI will let you send tweets from a command line, schedule them with at/cron/iCal or call them from scripts, etc. Freeware from L. Brent Huston (NOT MSI!)

Windows

Linux

OS X

Thanks for reading!

3 thoughts on “Be Aware: Twitter API Uses Basic Authentication and a Twitter Toy

  1. Hi, I am running an application to collect to twitter, I changed pass and account so that I couldn’t collect to twitter as Basic Authentication.

    Can I resent Basic Authentication? Now Basic authentication has been disabled

    Thanks,

Leave a Reply