The application user in this case made a mistake, but it was made much worse by the app reading historical messages.

GroupTweet should have used the since_id parameter to only “read and rebroadcast” new messages. That would have limited exposure and it would have been figured out quickly if a mistake was made.

Making the UI more clear would probably help, but it’s a little bit like those “Are you sure? Are you really sure?” dialogs.

Being a regular reader of techcrunch i naturally followed them via twitter and this afternoon news broke on the techcrunch twitter account about an apparent security issue with twitter. See the screen shot below of my twitter timeline. The tweet pointe…

But I thought I was screwing up when DMing,
and had to post ’sorry’s’ in the stream as a result.

Then I quickly deleted the rest/more sensitive DMs.

*However, I don’t have a GroupTweet account!*

I’ve signed up for some other 3rd party apps, but not that one.

Ergo, problem is elsewhere [also?]….

But, whats the deal with mentioning her blog and website? What relevance does that have to the Twitter DM story anyway?

“Orli’s blog is here, and she also created the Web 2.0 Directory website.” Cool, eh.

This reminds me of Gov Eliot Spitzer’s escort’s music getting famous because of some other non-related event. Perhaps TechCrunch has more to do with the directory then meets the eye….considering it holds 50% of the advertising spots on the Web 2.0 Directory.

For those of you who don’t think Twitter is partly to blame in all this? why not? Surely one of the business rules they’ve got to lock in is that DM’s are private timeline events and shouldn’t be able to enter the public timeline - why do they have a function in their API that publishes DM’s? Let’s think about this for a sec.

* If you think the API is 100% open, you’re kidding yourself… you can’t edit messages, you can’t post to another users account (without their password), these are business rules Twitter has in place to keep sanity, I take it you don’t have a problem with those?

* Why not just allow the sending of DM’s via the API and not receiving (i.e. not exposing a private timeline to the API)? Instead of the API pushing out entire DM’s it could still give a notification ‘You have a new DM from @martyj’ etc. (which is what you’d receive in 3rd party apps such as Twhirl), Twitter would still forward the DM to you via email, it would still send it to your phone and in your private timeline (none of that uses 3rd parties)… where’s the downside? needing to check your email if you use Twhirl? is that such a big deal?

It would probably mean the end for apps such as GroupTweet, but surely the benefits of protecting user privacy and therefore the interests of Twitter itself (even if just from dumb user acts), needs to be something worth considering?

Posted some comments on my blog

Wait, people actually *are used* to give their credentials away to anyone, just like Robert Scoble did to Plaxo and got his account on Facebook cancelled… nevermind, people are stupid by default, I keep forgetting it.