With No Notice, Twitter Adds More Limits – Password Trouble Ensues – Stay N Alive

With No Notice, Twitter Adds More Limits – Password Trouble Ensues

Posted on by jessestay

twitter fail whaleTwitter is up to their old antics of adding limits again, changing the API, and not telling developers as they do so.  This morning Twitter released into production new limits around their verify_credentials() method in the API, only allowing users to verify their usernames and passwords through Twitter applications 15 times per hour.  The problem is they didn’t tell any of the developers.

Sure enough, searching Twitter (the issues are intermittent), users are having password issues across the Twittersphere, wondering what is going on.  It even affected my service, SocialToo, as we were using that method as a backup to verify users were indeed authenticated (and hence enabling us to notify them if they forgot to change their password with us).  I e-mailed Twitter, and while very respectful as always, they seemed surprised at the issues we were having.  When I asked if it had been announced anywhere they responded, “It wasn’t, no, because [we] assumed (apparently incorrectly) that people were only using this method occasionally.”   There has still been no announcement by Twitter on the new limits.

Apparently, on June 29th, new text was added to the Developer API Wiki stating (regarding the verify_credentials() method in the API), “Because this method can be a vector for a brute force dictionary attack to determine a user’s password, it is limited to 15 requests per 60 minute period (starting from your first request).”  The new limits don’t appear to have been put in place until this morning however, as that is when we noticed it at SocialToo.

So if you’re using the verify_credentials() method in your app, you may want to consider finding some other way to be sure your users are verified – I’m happy to announce it here.  It now only takes a few runs by only a few apps to hit that limit for each user, and then users are stuck in the water until the next hour is up until apps begin to adapt to these new limits.  That is why we’re seeing the issues across all of Twitter.  According to Twitter, the best way is to look for a 401 response code returned in your API calls, as unauthenticated users will return as such when using the API.  Twitter only suggests using verify_credentials() for new users.  My conversation with Twitter ended with the suggestion from them, “Migrating to OAuth avoids the risk of a user changing her password, FWIW.”

FWIW, OAuth is still in beta and not yet suggested for use in Production. In their exact words, “For us, ‘beta’ really means ‘still in testing, not suitable for production use’.” In other words, use the Twitter API at your own risk.

You can follow the password problems as they happen in real-time on FriendFeed below:

http://friendfeed.com/search?q=password+service%3Atwitter&embed=1

52 thoughts on “With No Notice, Twitter Adds More Limits – Password Trouble Ensues

  11. For anyone capable of subscribing to an RSS feed, there is one for the API Wiki: apiwiki.twitter.com/rss.xml

    Perhaps Twitter application developers should subscribe and pay attention?

    Not sure, but this appears to me as whining by small-time developers that are failing to utilize the tools Twitter provides.

    People may have noticed that Twitter has had some security issues? I've had little free time to spend on the 'interwebz' (I love summer in the Rockies), but I've noticed they've been in the news because of security problems. When developing applications on top of a growing and morphing start-up's API, it is probably best to figure out what that start-up is going through and how best to work with them (i.e. follow the RSS feed from their developer wiki).

    [I left this same comment on RWW, but they like to censor comments (unless it is spam or self-promotion), so I am placing it here as well.

    Reply

  12. If developers are using the oAuth methods on an ad hoc basis without storing credentials, it needs to verify_credentials each session (or call, if sessions are not being set)

    Reply

  15. Twitter clients need to start realizing they are a dime a dozen and not a real business. Relying on twitter as your business model is just plain dumb. So blame yourself.

    Reply

  19. Belinda, dumb or not I still have a business and customers relying on what I
    started. It is a revenue source, so I'm stuck with it, like it or not. And
    so long as Twitter provides an API they have a responsibility to respect
    those that are using it, or risk losing the power of their platform
    altogether. Am I (and many other developers) focusing on other platforms as
    well? Yes, I'm not that dumb. However, so long as Twitter keeps making the
    same mistakes I'm going to continue calling them out on it.

    Reply

  20. Boyd Brewer, I follow every change that goes through that – do you? Have
    you even tried? There is absolutely no way developers can pay attention to
    and know when changes to the Wiki are important to them. Twitter does have
    a channel for this though – they have both a blog and a API Announcements
    list for this. When these changes are going to be put in place developers
    need to be made aware via these means with plenty of notice ahead of time.
    It's ridiculous to think developers should track every single change to that
    wiki to know what's going to change in the future.
    And whining? Who's whining?

    Reply

  22. Jesse, if I'm reading the revision tracker correctly, the new text was added to the API wiki page just two days ago. June 29th was the date of the previous revision of that page. See http://bit.ly/15z2MW Interestingly, the June 29th revision changed “API rate limited” from “true” to “false”.

    Reply

  27. Stay: I should have realized you would respond in this manner by betraying my trust (my personal info isn't required to enter into such a discussion). You are asking for a heap of trouble addressing me by a name that I didn't give you the right to. I respectfully ask that you edit that immediately, as that is not how I addressed you. I'm frankly baffled. Obviously, you can do whatever you would like, but this demonstrates a complete lack of respect for my wishes (and a lack of class) and it is a complete insult You're making this personal. Are you certain this is how you would like to continue on this path? I can fly out and meet you and your family in person to explain my privacy preferences, if that is what you would like.

    On topic: No, I don't follow the developer feed because I'm not a Twitter developer. If I were, and my livelihood depended on that API, I would make sure to follow every move they made. You are whining about a change to the API whether or not you would like to acknowledge it or not.

    Reply

  28. Is this rocket science? Do you think I had no results for a search on my name for no reason? You are quite obviously trying to intimidate me. I left my email address if you need(ed) to get personal. Your choice of action is telling and unfortunate.

    Reply

  29. I realize both the simplicity of an RSS feed and someone's privacy preferences are difficult to understand. I pity you and have zero sympathy for what befalls you or your family. Did I address you differently from what you have noted as your name? Make no mistake, I'm pissed.

    Reply

  34. Wow – is that a threat? I'm starting to wonder if I should call the cops on this one (seriously – what you're doing here is bordering on stalking). I'll save the trouble and block your comments and flag the previous as spam. I call everyone by their names when they provide it, which is what you did. If you don't want your comment here I'm happy to mark it as spam, which is what I'm going to do, starting now.

    Reply

  41. Thanks for writing about it! They should really start having communication lines, Twitter and their developers. Not everything that seems obvious to them is the same way for everyone.

    Reply

  42. Thanks for writing about it! They should really start having communication lines, Twitter and their developers. Not everything that seems obvious to them is the same way for everyone.

    Reply

  48. […] new here, you might want to subscribe to the RSS feed for updates on this topic.SocialToo founder Jesse Stay has alerted us (and the rest of his blog readers) to certain Twitter API changes that may be detrimental to many […]

    Reply

Leave a Reply

Your email address will not be published. Required fields are marked *