There has been much talk as of late on several high-profile blogs about a phishing scam and other security issues associated with Twitter and applications that access the Twitter API, such as Twellow. Here at Twellow we are not ignorant of the concerns many of our users have regarding this issue, so I’d like to explain how Twellow uses your sensitive Twitter information, specifically your password.

Twitter API Lead Developer Alex Payne has stated: “If you’re storing the password securely and only using HTTPS, I’d say you’re doing right by your users. In the absence of OAuth, that’s basically best practice. It’s also a pattern that’s been deemed adequate by companies like Amazon, who collect and store financial information from their customers.”

Alex states that passwords should be stored securely. Twellow does not store your Twitter password at all in our database. We only use it to send a simple HTTPS request (that means it’s a secure connection) to the Twitter servers to see if you are actually the owner of your Twitter screen name. This is the approved method for verifying Twitter credentials according to the documentation on Twitter’s API site. Upon verification of your Twitter account, the password is discarded by our system.

Twellow is not a site run by a fly-by-night outfit. We are operated by iEntry, the same folks that produce WebProNews.com and hundreds of other high-traffic websites. WebProNews and the iEntry network have a long history of respected business on the web and a reputation for integrity with our clients and users.

The very nature of social media means users want to find and be found by other people, and Twitter makes this possible in ways not seen before. Authentication schemes can only go so far in protecting your data, and even OAuth would not have prevented the recent security breaches at Twitter. It is ultimately up to you to choose which entities are worthy of your trust. Educate yourself to security risks versus the benefits of interacting in free society. Use that amazing mind which you are blessed with to study and think things out for yourself. I trust my writings here will assist in some small degree with your efforts.

Matthew Daines
Twellow Lead Developer

Update: Twellow now also uses your password to allow you to easily follow or unfollow people directly within our system. Again, your password is not stored in our database, and requests made to Twitter in your behalf are via secure channels.

This entry was posted on Tuesday, January 6th, 2009 at 12:11 pm and is filed under Frequently Asked Questions. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.