Thursday, September 25, 2008

twitbin and your twitter password

I just tried to install the twitbin firefox plugin. Well ... very nice interface!!!

BUT it seems like twitbin first sends my username and password to http://www.twitbin.com. Firefox will prompt you asking whether to remember the password for this site :P

I believe this should NOT be done :(

A user should NEVER have to give his/her credentials of a certain web application to a 3rd party web application. How can I be 100% sure that those who developed the 3rd party web application wrote perfect code that never leaks my user name/password of my other web application?

Interestingly, the twitbin.com privacy policy is very simple and short:

Our privacy policy is simple: we don’t store any personal data about you. We
do track the total minutes spent with twitbin open, and the number of users
who use it. We don’t have any way of seeing what you say, or who you say it
to. User sessions are authenticated through twitter, so your data passes to
them, not us.

You use twitbin at your own risk, we’ve tested it, it hasn’t crashed our
computers, but we just built this in a week. If you see a bug, let us know.

SOURCE: http://twitbin.com/blog/privacy/

Well ... why does firefox ask my permission whether it is OK to REMEMBER the password (and when done so there is an entry against http://twitbin.com) when I try to log in to twitter with my plugin? So is the statement "User sessions are authenticated through twitter..." still true? I haven't really gone through the messages that are exchanged between twitbin.com and the browser... but the fact that the browser remembers the twitter user name/password against http://www.twitbin.com is more than enough evidence for me! (Or is this a firefox bug? :-) )

This sucks! ... so people ... please be careful when you use these sort of applications!!!
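The observation above is something you can check for yourself rather than relying on the "remember password" prompt alone: the password manager records a login against the origin of the form it saw (the site serving the form and the address the form submits to), so a prompt naming twitbin.com means the form carrying your twitter credentials is associated with that site. The following is an added example, not code from this post or from twitbin; it audits a list of forms and flags any password form whose action would send the credential to an origin other than the service that owns it. The sidebar page URL, form ids and actions are constructed sample values, and `runSampleAudit` is a helper name chosen here.

```javascript
// Added example (not from the post or from twitbin): audit login forms and
// report any whose action would send a password to an origin other than the
// service that legitimately owns the credential.

// Resolve a form action against the page URL and return the origin it submits to.
function formSubmitOrigin(pageUrl, action) {
  // An empty or missing action submits back to the page itself.
  const target = action && action.trim() !== '' ? action : pageUrl;
  return new URL(target, pageUrl).origin;
}

// forms: descriptions of forms found on a page: { id, action, hasPasswordField }
// credentialOwner: origin that owns the credential, e.g. "https://twitter.com"
// Returns one finding per password form that would leave credentialOwner.
function auditLoginForms(pageUrl, forms, credentialOwner) {
  const owner = new URL(credentialOwner).origin;
  const findings = [];
  for (const form of forms) {
    if (!form.hasPasswordField) continue; // only forms that carry a secret
    const destination = formSubmitOrigin(pageUrl, form.action);
    if (destination !== owner) {
      findings.push({
        form: form.id,
        destination,
        reason: `password field submits to ${destination}, not ${owner}`,
      });
    }
  }
  return findings;
}

// Constructed sample: a sidebar page served by a hypothetical third party that
// asks for twitter credentials. Host names and paths are assumptions, not twitbin's.
const SAMPLE_PAGE = 'http://www.example-sidebar.test/login';
const SAMPLE_FORMS = [
  // relative action: resolves to the third-party host, so it is flagged
  { id: 'sidebar-login', action: '/auth', hasPasswordField: true },
  // absolute action to the credential owner: not flagged
  { id: 'direct-login', action: 'https://twitter.com/login', hasPasswordField: true },
  // no password field: ignored
  { id: 'search', action: '/search', hasPasswordField: false },
];

function runSampleAudit() {
  return auditLoginForms(SAMPLE_PAGE, SAMPLE_FORMS, 'https://twitter.com');
}

// In a browser the same audit can be run over the live DOM, for example:
//   auditLoginForms(location.href,
//     [...document.forms].map((f, i) => ({
//       id: f.id || `form-${i}`,
//       action: f.getAttribute('action') || '',
//       hasPasswordField: f.querySelector('input[type=password]') !== null,
//     })), 'https://twitter.com');

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(runSampleAudit(), null, 2));
}
```

Running the sample reports the one form that posts the password to the third-party host; the form that submits directly to twitter.com and the form without a password field are left alone. The same check works on any page that asks for credentials belonging to another service.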

4 comments:

Chintana Wilamuna said...

I'm guessing that twitbin uses the default Firefox 'remember my password' feature to store the password. You might have seen this when you allow FF to remember the password for a particular site, say, your gmail account. It auto-fills the form. So, isn't it that twitbin is using this to automatically login to twitter?

Ruchith said...

Thanks Chintana ... your point can be true ... I haven't looked at the messages exchanged !!! ... I was thinking remember password is invoked only by firefox on a http post. :-)

Lahiru Sandakith said...

wow, thanks for the info.. I have been using TwitterFox for some time, not twitbin.. And it seems there is no trouble with that ..

Ruchith said...

But I'm still uncomfortable with the idea of storing the user name and password against http://www.twitbin.com. Assume a scenario where twitbin.com shows a form with user name, password fields ... won't firefox automatically fill in the values?