Twitter Clarifies App Permissions Regarding Direct Messages


Twitter has responded to concerns from a developer about the actual authorization level that third-party Twitter apps have over user data.

On Friday, a Dutch developer publicized what he saw as an authorization access hole in Twitter’s API. Developers that create an app using Twitter’s OAuth authentication process that does not request access to the direct messages from users, could still access those direct messages anyway.

As we continued to research the story and speak with developers about the issue, it became clear to us that it isn’t so much that there is a hole in the authentication or access process, but that the screen that users see when granting apps access wasn’t accurate.

In a statement, Twitter tells us:

As we announced in May, Twitter is transitioning our authentication model to give users more control over the information they share with third-party applications. We recently extended this transition until the end of June to give developers more time to reconfigure their applications to fit the new model. We are updating the text in the current permissions screens to clarify what information applications will or will not have access to during the transition period.

For a summary of the third party applications you’ve approved or to make changes to this list, visit the “Applications” page in your Twitter account.

Until Twitter announced more granular changes to account access, all third-party apps could access your direct messages. That will change as of June 30, 2011 — however, until then, all apps will have access to DMs, even if the app creator says they don’t need that access right now.

The disconnect is with the app authorization screen and the actual access the app possesses. In about two weeks, apps that aren’t supposed to have access to your direct messages won’t.

The problem, in this case, was not one of security, but of perception. Twitter’s new app authorization screen will hopefully align those perceptions accurately.

For users, all this means is that until June 30, expect every app to have access to your direct messages — same as always. As of June 30, 2011, apps can request more basic information.
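The disconnect described above is between the permission level an app declares on the consent screen and the level its token actually carries. As an added example (not from the article or from Twitter), the audit below compares the two, using the `X-Access-Level` response header that the Twitter REST API of that period returned (`read`, `read-write`, `read-write-directmessages`); the sample responses are constructed, not captured.

```python
# Added example: flag apps whose granted token scope exceeds what they declared.
# Assumes Twitter's X-Access-Level response header with the three values below;
# all sample responses here are constructed for illustration.

LEVELS = ["read", "read-write", "read-write-directmessages"]  # least to most privileged


def granted_level(headers):
    """Return the access level reported for the token, or None if the header is absent/unknown."""
    for name, value in headers.items():
        if name.lower() == "x-access-level":
            value = value.strip().lower()
            return value if value in LEVELS else None
    return None


def audit(app_name, declared, headers):
    """Compare the declared level with the granted one and describe any over-privilege."""
    if declared not in LEVELS:
        raise ValueError(f"unknown declared level: {declared}")
    granted = granted_level(headers)
    if granted is None:
        return {"app": app_name, "status": "unknown", "granted": None}
    excess = LEVELS.index(granted) - LEVELS.index(declared)
    return {
        "app": app_name,
        "status": "over-privileged" if excess > 0 else "ok",
        "granted": granted,
        "can_read_dms": granted == LEVELS[2],
    }


# Constructed samples: the first reproduces the mismatch the article describes,
# a read-only app whose token still carries direct-message access.
SAMPLES = [
    ("ReadOnlyClient", "read", {"X-Access-Level": "read-write-directmessages"}),
    ("PostingClient", "read-write", {"X-Access-Level": "read-write"}),
    ("LegacyClient", "read", {}),  # no header at all, so the level cannot be verified
]


def run_audit():
    """Audit every sample app and return the findings."""
    return [audit(*sample) for sample in SAMPLES]


if __name__ == "__main__":
    for finding in run_audit():
        print(finding)
```

An app that only needs read access can run the same comparison against its own token and refuse to call direct-message endpoints while the granted level is wider than it declared.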

Special thanks to Kevin Marks for helping me understand this situation.



Twitter OAuth Bug Leaves Direct Messages at Risk [UPDATED]


A flaw in Twitter’s OAuth procedure could mean that direct messages are accessible by third-party apps without user authorization.

UPDATE: Twitter has responded to our inquiry with a statement. Twitter is fixing the error, though it turns out to have been more of a short-term foresight than a hole.

Dutch developer Simon Colijn (@simoncolijn) contacted Mashable with some disturbing information about the actual access level third-party Twitter applications might have to users’ information, including direct messages.

Unless explicitly requested and granted, third-party apps aren’t supposed to be able to do things like post tweets or access direct messages. What Colijn has found, however, is that direct messages, both sent and received, can be accessible to those third-party apps.

Colijn whipped up a third-party app to show the vulnerability in action and we tested it with a newly created Twitter account. Sure enough, Colijn’s app was able to show us direct messages we sent to other users and that we had received. Scary stuff.

TechCrunch has done some additional research and hypothesizes that this authorization leak might be the result of some planned changes regarding the ways that Twitter devs can request access to account information and what information users can give those apps.

We’re still trying to understand the technical issues surrounding the API and OAuth, but that theory appears to be true. In this case, what happened is that Twitter has pushed back its DM enforcement date — a date that will shut off DM access from all apps that don’t need it — but the company hasn’t pushed back the rollout of its authorization screens. So what users see isn’t exactly what they get.

TechCrunch also points out that developer Mike Robinson has created his own test app that re-creates the same authorization hole.

We’ve reached out to Twitter for comment and clarification and will continue to research and investigate this story. In the meantime, the most cautious users might not want to grant third-party apps access to their Twitter account unless they feel comfortable with the app having access to their direct messages.



LinkedIn, Facebook Send & Tumblr: 3 New Ways To Share on Mashable


As part of our quest to make Mashable a more social experience, we’ve quietly rolled out some new sharing options over the past few weeks.

Our readers are connecting on a variety of platforms across the Web. Whether you create a profile for every site or like to stick to a couple of favorites, we want you to be able to share Mashable stories in whichever way works best for you.

Here’s a look at how we’ve integrated new sharing options for LinkedIn, Facebook and Tumblr.


LinkedIn From Follow’s M Share


As LinkedIn takes off as a way to share news, we’re excited to further integrate it into Mashable Follow, our social sharing and content curation platform. You’ve been able to add LinkedIn to your Follow profile from day one, but now you can also share a post to LinkedIn directly from the M Share button.

Earlier this year, LinkedIn relaunched its developer platform complete with an open set of APIs and an eye on usability for developers. Specifically, LinkedIn’s adoption of OAuth made it possible to do this integration. “We are able to authenticate users using our existing OAuth support framework,” says Chris Heald, Follow’s lead developer. “Once users are authenticated, we can use their authorization tokens to make calls to the LinkedIn API to easily conduct the shares.”

Adding third-party functions to a site can sometimes affect load times — so we’ve made several performance optimizations to ensure that these new sharing tools won’t slow you down.


Facebook Send


We’ve also integrated the new Facebook Send button into article pages across the site. It has a similar look and feel to the “Like” button, but functions more like email. The idea is to make sharing Mashable stories with a small group of friends easier.

The Send button appears next to the Like button, which is above the article and below the byline on Mashable story pages. Click on Send and a pop-up appears, allowing you to send that article to Facebook friends and Groups — or to any email address. You can then add a message and send the page to friends’ inboxes or post it to a Group wall.


Tumblr Button


You’ll also notice the new Tumblr share button as a sharing option on all Mashable stories. We can attest to how easy this is. As this post shows, we’ve been using the button ourselves to post to our Mashable HQ Tumblr.

Because Tumblr’s API doesn’t provide share data, this can’t be integrated into Follow, so you’ll have to be signed out of our service to use this function. However, we can hope that Tumblr will see how popular this is and make the same kind of revision to their platform that LinkedIn did.

What’s your favorite network to share Mashable articles on? Will you take advantage of our new sharing options? Let us know in the comments. Happy sharing!



Twitter Delays the Oauthcalypse Due to the World Cup

Twitter has announced that it is postponing a complete switch to OAuth, dubbed the “OAuthcalypse”, by a month and a half due to the severe load and downtime being caused by the World Cup.

Currently, there are two ways to connect to Twitter apps: basic authentication (where you provide your username and password) and OAuth, which lets users hand out “tokens” for access to applications instead of sensitive account data. Twitter intended to cut off use of basic authentication on June 30th — 12 and a half days away — and even launched a countdown clock for the occasion so that application developers were prepared.

Since then, Twitter’s stability has been compromised due to critical mistakes setting up and maintaining the service’s internal network. It has resulted in constant downtime and fail whales.

With so much happening, Twitter has decided to push back the OAuthcalypse to August 16th, a full month after the World Cup ends. Here’s exactly what’s going to happen, according to Twitter’s Raffi Krikorian:

“just to review what we’re going to be doing: starting on august 16 we’ll be ramping down the rate limits on basic auth roughly by 10 calls/hour/day ending on august 31st. on the 31st, you won’t be allowed to make any other basic auth calls. in other words, if you don’t do anything, you’ll get more and more frequent rate limit errors as you approach august 31st. starting on august 31st, any basic auth request will get a HTTP 403 response back.”

Summary: Starting on August 16th, Twitter will begin to limit the use of basic authentication until the 31st, when the switch to OAuth will be complete.

Given the circumstances, delaying the OAuthcalypse is the right move for the company, but one has to wonder what other features and projects are being pushed back due to the massive failure of Twitter’s internal network. This month is turning out to be Twitter Hell.



For more social media coverage, follow Mashable Social Media on Twitter or become a fan on Facebook.