A blog entry by Mike Chapman on devblog by oneforty is causing quite a stir on Twitter. Mike writes that
Currently Twitter application developers are given 2 choices when registering their apps – they can either request “read-only access” or “read & write” access. For Twitter “read & write” means being able to do anything through the API on a user’s behalf. These coarse-grained levels push most apps to choose “read & write”, in case they want to tweet on the user’s behalf, or make it simple to follow a Twitter account. Anecdotally, of the 130 apps & Twitter-integrated websites I’ve approved 91% have full read & write access to my Twitter account, with the other 9% having read-only access.
Of particular concern to many, he also writes:
In reality any app you have granted access can read all of your DMs. As an example, if you can get Michael Arrington (@arrington) to try your site and use Twitter OAuth you can now read all of his DMs. That might be tempting to an unethical few. And the challenge to Mr Arrington would be to even know that they were read without his permission. Twitter would have the logs of the API calls, but how would he know it happened? Or which app to revoke if he suspected it?
Read more on devblog by oneforty.
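As an added illustration of the two points quoted above (this is my own sketch, not code from oneforty or Twitter), the Python below models a coarse "read" scope that silently covers direct messages next to a hypothetical fine-grained scheme where DM access is its own grant, and keeps a per-app access log so a user could answer the "which app to revoke?" question. The endpoint paths, scope names and app names are constructed assumptions for the example.

```python
"""Toy OAuth scope model: coarse vs. fine-grained grants, plus a per-app DM audit log.

Added example for illustration; the endpoint catalogue and scope names are constructed,
not Twitter's real API surface.
"""

# Capability each (constructed) API endpoint requires.
ENDPOINT_CAPABILITY = {
    "GET /statuses/home_timeline": "read_timeline",
    "GET /direct_messages": "read_dm",
    "POST /statuses/update": "write_tweet",
    "POST /friendships/create": "write_follow",
}

# Coarse model as described in the post: "read" covers DMs too,
# and "read & write" covers everything, so most apps end up over-privileged.
COARSE_SCOPES = {
    "read": {"read_timeline", "read_dm"},
    "read_write": {"read_timeline", "read_dm", "write_tweet", "write_follow"},
}

# Hypothetical fine-grained model (an assumption, not Twitter's scheme):
# each capability must be requested explicitly, so DM access is visible at consent time.
FINE_SCOPES = {
    "read_timeline": {"read_timeline"},
    "read_dm": {"read_dm"},
    "write_tweet": {"write_tweet"},
    "write_follow": {"write_follow"},
}


def authorize(app, granted_scopes, endpoint, scope_table, access_log):
    """Return True if the app's granted scopes cover the endpoint.

    Every successful DM read is appended to access_log as (app, endpoint),
    which is the per-app trail the post says the user currently lacks.
    """
    needed = ENDPOINT_CAPABILITY[endpoint]
    allowed = any(needed in scope_table[scope] for scope in granted_scopes)
    if allowed and needed == "read_dm":
        access_log.append((app, endpoint))
    return allowed


def apps_that_read_dms(access_log):
    """Distinct apps that have read DMs: the list a user would revoke from."""
    return sorted({app for app, _ in access_log})
```

Under the coarse model an app that only asked for "read" still passes the DM check and shows up in the log; under the fine-grained model the same app is refused unless it was explicitly granted `read_dm`.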