Twitter is rolling out a pair of changes to the way users access the service through third-party applications, including one tweak that could spark some privacy concerns.
In an e-mail sent to members this week, Twitter explained that the changes are broadly meant to improve security on the site.
By the end of the year, Twitter plans to roll out its link-shortening service, t.co, across the site, meaning that every Web address shared on Twitter or its third-party applications will be wrapped in that format.
Twitter's own link shortener competes with similar services, such as tinyURL and bit.ly, but boasts a security advantage because it displays part of the original URL. Other shortening services obscure the destination Web address, a feature that scammers have taken advantage of to direct unsuspecting users to malicious sites.
But as part of the t.co roll-out, Twitter said it will begin logging every link that users click on its site and third-party applications, provoking a fusillade of tweets from users raising questions about the privacy implications of the new feature.
"Seriously @Twitter the link hijacking plan stinks of Facebook style privacy intrusions," user @cheezeball73 tweeted.
Twitter explained that the feature will improve its analytics capabilities, which will pave the way for more relevant content across the site.
The company is also billing its new linking policy as a boon to security, pledging to check each link that users click against a list of malicious sites.
"When you click on a wrapped link, your request will pass through the Twitter service to check if the destination site is known to contain malware, and we then will forward you on to the destination URL," the company said. "All of that should happen in an instant."
The company has also begun requiring all third-party applications to use the secure OAuth technology to verify users' credentials and access their Twitter accounts.
With the OAuth standard in place, third-party apps will no longer need to collect users' passwords to access their Twitter accounts. Indeed, Twitter said that apps will be barred from storing users' passwords.
As a result, the company warned that some applications may no longer work or may require users to reauthorize them.
Follow eSecurityPlanet on Twitter: @eSecurityP.