Twitter is working on a beta release of OAuth

Engineer/API Lead Alex Payne commented on the Twitter Development Talk group that the User Experience team is putting the finishing touches on a beta release of an OAuth implementation. This comment was made in November and mentioned a release toward the end of December. Since then, Payne has also said they (Twitter) will be experimenting with it after the first of the year.

The next full release of the API will be by OAuth authentication only

That only makes logical sense, right? After all, you have to eliminate all the weakest links to make a stronger chain. Also, using OAuth will decouple API rights from the general access rights used on the web. In turn, you’ll see more granularity of access control using OAuth, which is something BasicAuth sucks at.

Unintended Consequences of Better Security

For starters, OAuth is much more difficult for third-party developers to implement than BasicAuth is. It’s a new set of tools and technologies that most people aren’t really that familiar with. OAuth also entails bouncing around to the browser while authenticating, much like OpenID does. Once you allow your app once, you should be able to have it remember that and be fine on subsequent authentication attempts. However, it’s going to confuse a ton of people the first time. OAuth is not a security silver bullet, but is a step in the right direction. ( Payne’s words on OAuth )

Our Plea

Twitter: please don’t give up on this. We can’t stand to see it go the way of Track or IM. We desperately need to feel safe when using our credentials as recent events have given you a bit of a black eye. OAuth, OpenID, we don’t care - just make us feel warm and fuzzy inside.

This is another warning message to the rest of us. Even though you probably haven’t been compromised, you need to be watching your own stream for strange tweets. If you’re afraid you’re going to be a victim, change your password. If you see something in there that you didn’t put there, change your password. Here are some tips to creating a safe password.

If you see anything fishy, send a tip to tips [at] microblink [dot] com.

Update: Twitter’s Status blog claims they’ve found the cause and blocked it and are working to restore the compromised accounts.

Update 2: Twitter’s official statement says that 33 accounts were compromised. They’re also saying that it was a separate incident from the weekend’s phishing scam.

Finding the Easiest Way to Shrink Tweets

It’s possible you may go out to a web interface to shorten a long URL (though bookmarklets are fairly common these days), but stepping outside of the Twitter web interface or your favorite Twitter client to use an app that shortens a message to 140 characters just doesn’t seem likely. If it takes that long to do it, you might as well just edit the message yourself.

However, the TweetShrink developers were already thinking a step ahead by publishing a TweetShrink API that will allow any application to make system calls and perform the same function as the web interface. Since launching that API, TweetShrink has now been integrated in TweetDeck, one of the most popular desktop clients for Twitter, which makes shrinking long tweets very easy to do.

Though some of your tweets may end up looking like chatroom speak or a 14 year-old’s text message after shrinkage, the real goal is to prevent the user from having to edit tweets down to size. After all, tweets should flow easily from your fingertips and not require you to spend a lot of time finessing the wording. That’s part of why this stuff is called microblogging. It should be quick and painless.

You can find a real-time stream of shrunken tweets on the bottom of the TweetShrink website.

Have a Question About TweetShrink?

You can follow @tweetshrink on Twitter or hit up their Get Satisfaction page to fulfill any support questions you may have.

How It Works

When you hit the site, plug in your own username or the name of one of your friends. The app then does some calculations based on what you say and how you say it, then gives you a rating of how happy you are perceived to be by other users. If you want to tweak how you tweet so that you appear a bit more positive, Happy Tweets will store your ratings each time you come back and plans to show some sort of trending with these numbers over time.

Is It Safe?

Happy Tweets doesn’t ask for your password because it doesn’t need it to scan your past tweets. The information they use and store about you is all publically available data accessible through the Twitter API.

How Do I Share My Happyscore?

So now that you know what your Happyscore is, we know you’re dying to share it with your friends. Happy Tweets provides a retweet link that has the information prefilled for you that takes you to the Twitter web interface where you can preview and post the message. This is much less intrusive than giving up your username and password on the Happy Tweets site and having them post it automatically (as some sites have taken to doing lately).

The direct message will include the following text and link:

hey! check out this funny blog about you… jannawalitax.blogspot.com

As a measure of courtesy, you might want to inform the user who sent it to you that they’ve fallen victim. You can send them a reply or a direct message, whichever one you feel is more effective.

Protect Yourself

The link will take you to a site that looks very much like Twitter - but it is not. It’s a third-party site (twitter.access-logins.com) that just wants your password so it can spread further.

It’s important to note that you should really treat direct messages like you treat email. As always, we advise practicing caution when using your Twitter credentials. If it looks suspicious, it probably is.

Oops! I clicked on the link, now what?!

If you did log in at the phishing site, change your password immediately. Without a valid password, there’s nothing the phishers can do on your behalf. Unfortunately, there’s not much else you can do right now. If we hear about an official point of contact, we’ll list it here.

Twitter’s On It

Biz Stone tweeted earlier that the operations team at Twitter is working on the issue, so expect to see a resolution fairly quickly. There’s also a post on the issue on the Twitter Status blog. We just wanted everyone to be aware of the issue before it affects you. We, and many others, have sent out warnings through Twitter - please do your part and retweet or redistribute the link to this article.

Update: It looks like the phishers are also hitting Facebook, as pointed out by @jamescarr (via @hillabean). Beware of anything linking to access-logins.com. Rob also pointed out that Firefox is reporting anything at that domain as web forgery.

Update 2: Twitter has a great post on their blog about what phishing is and what you can do to avoid phishing scams.

Head over to twtpoll and enter your username, the question, and some possible responses. When you submit the form, you’ll be given direct links to tweet it or update your Facebook status (you just have to be logged in). There’s no handing over your password or anything else shady. The only thing that’s missing is the ability to add a response on the go in case a user feels the list of responses isn’t sufficient. If you need a quick way to create a poll - with some cool Flash effects in the results - give twtpoll a try.

Please take our poll regarding your ability to microblog at work (and then view the results).

Accounts to Follow

@felipecoimbra (developer), @twtpoll

Just Tweet It is a directory for Twitter users that sorts people into a bunch of different categories. To get listed on Just Tweet It, head over to whichever category you fall into and submit yourself. Submitting a user is just like adding a comment to WordPress - information you need to supply includes your name, an email address (for a Gravatar), your Twitter handle, and a short description of yourself. The site works only on user submission, so it’s up to users to make it more useful.

The coolest part of Just Tweet It is that you can subscribe to notifications for those categories. When a new user is added, you can be alerted by RSS feed or email. Eventually, categories will reach a critical mass that will make the current navigation impossible so I hope to see an auxiliary navigation structure coming. Just Tweet It also has a blog that outlines some of the new things going on, such as featured users and new services. You’ll also find a few handy Twitter-related tips in the mix.

A new service called Twply launched on Tuesday that aims to send all replies on Twitter to directly to your email inbox. All you need is your Twitter credentials and an email to send the notifications to and you’re set to go. At first blush, that’s a problem for users who get a lot of replies - their inboxes will be hammered with notifications. For people who don’t check Twitter very often, it’s a more viable alternative.

Since launch, there’s been a bit of controversy swirling around Twply. Here are the top three complaints…

1. Twply asks if you want to support it on your first login, but doesn’t mention how. As it turns out, it sends a message on your behalf that looks something similar to this:
2. There’s currently no way to opt out of notifications
3. The service has already been sold just days after launch for $1200, which makes users question the service as a whole

One thing Twply does is ask you for you password - something it shouldn’t need to do. If it wants to send a tweet on your behalf, it should say so and send you to the Twitter web interface so you can preview the message before it’s sent. Unless your updates are protected, there’s no reason your password is needed to find replies - it can all be done through Twitter Search.

So, if you do decide to use the service, be warned that the service you’re signing up for has controversy around it, much like Twitterank. @twply is assuring users that the service and your credentials are safe. As always, we recommend you exercise caution when giving out your Twitter password.

When you’re browsing in Safari, just bring up the bookmarks option and tap the bookmarklet. You’ll be redirected to the Tweetie app where you’ll select an account (if multiple are present). Once you’ve done that, you’ll be greeted with a pre-shortened URL (compliments of bit.ly). Fill in the rest and away you go. This is something I use quite often with BigTweet, so it’s nice to see there’s a simple way to do it with tools I already have.

Tweetie is available from the App Store for $2.99 [iTunes link]. View more iPhone/iPod apps here.

In doing so you have helped make this site successful and fuel us with the adrenaline to keep on blogging and exploring. Thank you for your readership, feedback, stumbles, trackbacks and retweets.

2008 has been an incredible year for us and microblogging and we are excited by how each has evolved. In 2009, we have a number of projects and posts planned. We will be stepping up our game and we look forward to continue to be your microblogging news source in a not so micro world.

Happy New Year and best wishes!