Twitterank Warns About Giving Away Login Credentials

UPDATE 1: Ryo posted a follow up message on the Twitterank blog.

UPDATE 2: Ryo really was working to create a new type of ranking algorithm for Twitter users.

Earlier today I noticed several people posting messages on Twitter about their Twitterank, a new grading system developed by Ryo Chijiiwa (@ryochiji).

I was fairly busy throughout the day and didn’t stop by to check it out, but now I’m glad I didn’t. If you take a look at Twitter Search, you’ll notice a few peculiar terms trending this evening: Twitterank, Gullible Twitter and My Twitterank.

The first tweet I saw tipping me off that Twitterank was a “scam” was from Jeremy Bingaman (@iowaradioguy), linking to a TwitPic from Nate Ritter (@nateritter) of the source code behind the site.

The commented-out message reads:

I am about to ask you for your Twitter user ID and password.  You should be afraid.  This is where you ask yourself, “Do I really want to find out my twitterank badly enough to give some random dude on teh interweb my account info?”  And if that’s not what you’re asking yourself, shame on you.

Hi! Yes, the text you see above was there when Twitterank first launched, because giving away your user name and password to untrusted 3rd parties really is a bad idea.  I took it out because it was verbose, and it didn’t seem to deter people.

Though Ryo doesn’t seem to be interested in the usernames and passwords of individuals’ Twitter accounts, he did prove a point, as Tom Chapin suggested earlier this afternoon:

All that being said, if you visited Twitterank today and checked your “score”, first stop and take a moment to change your Twitter password. Then, the next time a web app comes along asking for your login credentials for anything, find a way to verify the people behind it and whether or not they really need those details.

UPDATE 1: The site’s creator posted a follow up message on the Twitterank blog, answering a few questions:

Are you a phishing site? Are you going to steal my account? etc..etc..

No, I am not a phisher. I don’t even store your password. Your password gets used once to calculate your Twitterank, and is never stored on disk or any other permanent storage device. Having said that, people do need to be more careful about giving away their account information. I’m not evil, but the next guy might be.

Why do you need my password to begin with?

There’s some data I use (but not store) that I need to calculate your Twitterank. There are ways for Twitter to make that data available without requiring you to give out your password to 3rd party sites (Facebook, Yahoo! and others have such systems) but Twitter doesn’t yet offer those options to developers. As soon as Twitter adds more secure authentication mechanisms, I’ll switch to that.

Although it seems he actually was trying to create some sort of ranking system, it appears the larger objective was to poke holes in Twitter’s API and, by extension, in the security of its users.

He could have gone about making this point in a different way, but sometimes it takes events like this to get people to pay attention.

UPDATE 2: As you’ll notice below, Ryo chimed in and noted he really was working to create a new type of ranking algorithm for Twitter users. We also changed the title of our post to reflect this. However, given the way this site swept across Twitter and the somewhat ugly feelings people have about how things went down, I suspect Ryo may have a difficult time getting people on board to use his apps.
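To make the difference concrete between handing an app your password (hence the advice above to change it afterwards) and the delegated, scoped authorization Ryo’s FAQ asks Twitter to offer, here is a small Python simulation added for this page. It is not Twitterank’s code; the Service class, its scope names and the toy rank are hypothetical stand-ins for Twitter and for Ryo’s algorithm.

```python
import secrets

class AccessDenied(Exception):
    pass

class Service:
    """Hypothetical stand-in for Twitter: a password login yields a full-privilege
    session, a delegated token carries only the scopes the user granted."""
    def __init__(self):
        self.accounts = {}          # user -> {"password", "followers", "tweets"}
        self.tokens = {}            # token -> (user, frozenset(scopes))
    def add_account(self, user, password, followers=()):
        self.accounts[user] = {"password": password,
                               "followers": set(followers), "tweets": []}
    def login(self, user, password):
        if self.accounts[user]["password"] != password:
            raise AccessDenied("bad password")
        return ("password", user)   # the app now holds everything the user can do
    def issue_token(self, user, scopes):
        tok = secrets.token_hex(8)  # user grants a limited scope to the app
        self.tokens[tok] = (user, frozenset(scopes))
        return ("token", tok)
    def revoke_token(self, cred):   # cuts the app off; the password stays the same
        self.tokens.pop(cred[1], None)
    def _authorize(self, cred, scope):
        kind, value = cred
        if kind == "password":
            return value            # the password path bypasses all scoping
        user, scopes = self.tokens.get(value, (None, frozenset()))
        if user is None or scope not in scopes:
            raise AccessDenied(f"token missing scope {scope!r}")
        return user
    def followers(self, cred):
        return self.accounts[self._authorize(cred, "read")]["followers"]
    def post(self, cred, text):
        self.accounts[self._authorize(cred, "write")]["tweets"].append(text)

def twitterank(svc, cred):
    """Toy stand-in for Twitterank's score; it needs nothing beyond 'read'."""
    return len(svc.followers(cred))

def can(action, *args):
    # True if the service allows the call, False if it raises AccessDenied
    try:
        action(*args)
        return True
    except AccessDenied:
        return False
```

With a password session the app can post as the user, and only a password change ends its access; with a read-only token the same score is computed, posting is refused, and revoking the token leaves the password untouched.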


10 Comments For This Post

  1. Ryo Chijiiwa | November 12th, 2008 at 8:56 pm

    Actually, my intent really was to experiment with an algorithm that quantifies Twitter users, and not to poke any holes. Yes, I think Twitter’s API offerings are flawed, but I didn’t do this to prove a point. In fact, I didn’t even think this many people would use it.

    Anyway, just thought I’d chime in.

    Ryo
    p.s. Would you possibly consider changing the title of your post, seeing how the accusations of phishing are completely baseless and untrue?

  2. Mike Templeton | November 12th, 2008 at 9:14 pm

    I’ve made another update to the post and changed the title per Ryo’s request. If anyone has questions for the man behind the madness, feel free to chime in.

  3. Birgit Pauli-Haack | November 12th, 2008 at 9:19 pm

    Read also Louis Gray:
    http://www.louisgray.com/live/2008/11/twitterank-can-have-my-password-no.html

  4. Louis Gray | November 12th, 2008 at 9:22 pm

    I’m glad Ryo chimed in here. I was not all that concerned with Twitterank, given I have seen similar behavior on other sites. The issue is with Twitter not supporting OAuth. I posted my thoughts on it this evening.

    Twitterank Can Have My Password, No Questions Asked
    http://www.louisgray.com/live/2008/11/twitterank-can-have-my-password-no.html

  5. Mark Bockenstedt | November 12th, 2008 at 9:25 pm

    This exposes a glaring flaw in Twitter’s API security. Sites like FriendFeed, Pownce, and others require an API key to be used instead of the actual password. Some could argue that stealing the API key is just as good as stealing a password. Still, there are safer means of authentication, such as OAuth, as Ryo said in his FAQ.

  6. Mike Templeton | November 12th, 2008 at 9:30 pm

    Louis,

    Just read your post and I think you make a very good point. Like you, I also believe that most people are inherently good and are not out to do harm, but I think it’s the comments Ryo made in the source code behind his site that really got people stirred up.

    In most situations when trying out new sites, I plug in my Twitter credentials without hesitation. I don’t see any immediate reason to be worried. However, when the creator of the website is telling me to be worried and to be thinking about whether or not the next guy is trying to steal my data, then it gets me thinking. I probably would have been less concerned if Ryo had included a statement like what you shared from Twitter Karma, pointing out why they needed the data.

    All things considered, I do think this is a great time for Twitter to step up and address the situation, implementing a secure way to interact with user data without requiring users to give up information like passwords.

  7. Mark Bockenstedt | November 12th, 2008 at 9:52 pm

    Somewhat incoherent, but here goes…

    I usually plug in my deets without hesitation, but it only takes getting burned once to make you hesitate the second time.

    I remember seeing some of that commented code on the actual web page, so Ryo may have made some adjustments to what was displayed.

    This does speak to the nature of Twitter users - they’re always eager to try something new. No wonder everyone likes building Twitter apps.

  8. tweetip | November 12th, 2008 at 10:13 pm

    1st Tweets Chart… http://tweetip.us/lkvhi

  9. Henrietta | November 12th, 2008 at 11:29 pm

    Anyone who doesn’t change their tough password to a temporary easy one before doing something like this and back again immediately afterwards deserves anything they get.

  10. Tom Buchok | November 13th, 2008 at 10:23 am

    Thanks for the post, Mike.

    Good sleuthing here. I plugged in my username/pass without a second’s thought … I should be more careful!

2 Trackbacks For This Post

  1. Twitterank: Got Twitter? You lose, playboy! // justplay.info | November 12th, 2008
  2. Careful: Twitterank could be a scam! | UmTudo.com | November 13th, 2008
