Please don't give away your Twitter API keys to Cloudinary

https://shkspr.mobi/blog/2023/07/please-dont-give-away-your-twitter-api-keys-to-cloudinary/

My CDN just asked me for all my Twitter API keys...

WTF? This would give them complete access to my app's Twitter account, the ability to send and receive messages, and anything else that my API key allows.

Giving them - or anyone - the entire set of credentials would be a very bad idea.

What's going on?

Twitter's slow-motion collapse and hostility to developers is causing a whole bunch of second-order effects.

Lots of services let people log in to them using Twitter. It is (was?!) a quick way to do identity management without having to bother the user with a separate username and password. Once someone has logged in, it's nice to be able to show their user avatar.

Annoyingly, Twitter never had a simple solution for that. You couldn't take my username - edent - and then grab twitter.com/edent/avatar.jpg. Instead, you had to perform an API call to get the image.

So a whole bunch of services started up which would retrieve Twitter avatars based on username. And they also did the same for Facebook, GitHub, Google, and lots of other OAuth providers.

I was using Cloudinary's Social Media Profile Pictures feature. But with Twitter's complete inability to serve API users, that functionality is going away.

Last week Cloudinary said that they could keep the functionality going if I was willing to provide my API keys. I (somewhat impolitely) complained to Cloudinary that them asking for all the API keys was a security nightmare. They responded (politely) to my points:

I completely understand your concerns. Twitter's recent limitations to their API have made it so that we are unable to continue to use our own API credentials to allow customers to fetch Twitter assets, and so we must implement customer credentials instead. We were working on a long-term resolution, but they cut off our API access without warning, and so the temporary solution to minimise disruption was to request your credentials so our backend team can add in a rule to run your Twitter API requests with your own credentials. As such, we require both the API key and secret, along with the access token and secret.

...

As mentioned, this is just a temporary measure in order to ensure continued delivery of your assets. If you prefer to wait until we have a customer-facing portal to enter your Twitter account credentials, then you are certainly welcome to do so. Unfortunately I don't have an ETA on when such a solution might be available, however we will do our best to keep you updated.

I understand that they don't want users to have a degraded experience. And I understand that Twitter have screwed them over. And I'm sure that they're a thoroughly trustworthy company who will never get hacked. But asking customers to fatally compromise their own security like that is not acceptable.

Can't you just...?

Twitter doesn't offer a stable avatar service. Users can change their profile picture at any time, and the URl to the old image stops working. So caching the profile picture URl often leads to a broken image. Caching an old image can mean showing something outdated.

The API rate limits are pretty small for any service with heavy traffic.

Not showing a user image - or just the Twitter icon - could work. But it makes for a pretty crappy experience.

Telling everyone to leave Twitter and join Mastodon would be nice.

Creating a bespoke read-only API key could work - but Twitter now limits the number of apps a develop can have unless they pay stupid money.

It is entirely understandable that people would panic and hand over the keys to their (digital) kingdom. Fear makes people do dangerous things.

Anyway, this Mastodon post sums it up the best:

Post by @RickiTarr View on Mastodon