Twitter has announced that they will no longer whitelist applications to get them around rate-limiting on their APIs. It’s not a conventional security issue, but it’s illustrative of some of the issues in them.
Applications running on Twitter use their API to gain access to users’ friends, their tweets, and other data and do things with them. 3rd party Twitter clients like Tweetdeck (my favorite) use the APIs to provide basic Twitter service, but other apps might follow a network of your users and their users, etc. Some of these applications have high-volume needs for the API.
But Twitter can’t let just anyone make as many calls as they want into their system. Normally, users, apps, and IP addresses are rate-limited depending on the circumstances.
Normally apps are limited to 350 requests on a user’s behalf every hour. Twitter used to allow companies to request that a registered app be put on a whitelist and get a far higher limit (20,000/hour). They will still keep the whitelist operational for those who were approved in the past, but will approve no new ones. So now, unless you use the relatively new Twitter Streaming API, you’re stuck with the 350/hour limit.
Many of those app vendors are not too happy about the change. See the link up top to the announcement, which was on a Google Group, and follow the responses from developers. This guy is pretty mad too. Many seem to feel betrayed by the company’s request that they “…focus on what’s possible within the rich variety of integration options already provided…”
The availability of the whitelist encouraged developers to develop apps which assumed a much higher rate than 350/hour. One developer relates how his app has to make requests of all of a user’s followers. If a user has thousands of followers, this can take impossibly long, and some have much more. Barack Obama, for example, has 6,630,737 followers, and he’s only #4 on the list of the Most Followed.
The change shows how Twitter has run up against the practical limits of trust. The rate limits are in there to prevent denial of service, whether intentionally, through sloppy apps, or even just bad luck. Any regular Twitter user knows that the network isn’t exactly “4 9’s” reliable, and every outage must embarrass Twitter and enrage app vendors.
The lesson here is that whitelists must be fairly exclusive to be effective. Membership in the Twitter app whitelist gives an app the ability to suck capacity away from everyone else, especially if it gets popular with the wrong people. Twitter seems to be dealing with the problem by providing new technologies for high-volume access, and this is probably the right way to go about it. So be careful about what you whitelist or you may end up making stakeholders mad.