Twitter may not have had its easiest week, with the recent hackings and the ensuing media coverage of the leaked documents, so it could be forgiven for failing to inform developers about changes in its APIs. Still, some didn't agree, like SocialToo founder Jesse Stay, who was rather upset with the lack of communication after Twitter changed the hourly usage limit on a particular method.
The method in question is verify_credentials(), which is used to check the username and password of a user. On June 29 the method had a new limit put in place, allowing applications to use it only 15 times per hour. When asked by Stay about the changes and the lack of communication, Twitter representatives responded in an email that developers hadn't been notified “because [we] assumed (apparently incorrectly) that people were only using this method occasionally.”
The new limit was added as a precautionary measure, as Twitter believed that the method could be used in an attack to forcefully acquire the login credentials of users. The entry for the method on the API developer wiki had in fact been updated on June 29, but the developers weren't otherwise notified. The entry read: “Because this method can be a vector for a brute force dictionary attack to determine a user's password, it is limited to 15 requests per 60 minute period (starting from your first request).”
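The limit quoted from the wiki entry is a fixed-window rate limit whose window opens at the caller's first request. The sketch below is an added example, not Twitter's code; the class name, the per-client keying and the constructed timestamps are assumptions.

```python
import time

LIMIT = 15             # requests allowed per window (from the wiki entry)
WINDOW_SECONDS = 3600  # 60-minute period (from the wiki entry)


class FirstRequestWindowLimiter:
    """Fixed-window limiter; each key's window starts at its first request."""

    def __init__(self, limit=LIMIT, window=WINDOW_SECONDS, clock=time.monotonic):
        self.limit = limit
        self.window = window
        self.clock = clock
        self._state = {}  # key -> (window_start, requests_counted)

    def allow(self, key):
        """Return (allowed, retry_after_seconds) for one credential check."""
        now = self.clock()
        start, count = self._state.get(key, (None, 0))
        # Open a new window on the first request or once the old one expired.
        if start is None or now - start >= self.window:
            start, count = now, 0
        if count >= self.limit:
            return False, start + self.window - now
        self._state[key] = (start, count + 1)
        return True, 0.0


def simulate(attempt_times, key="app-1"):
    """Replay constructed timestamps (in seconds) and return the decisions."""
    current = {"now": 0.0}
    limiter = FirstRequestWindowLimiter(clock=lambda: current["now"])
    decisions = []
    for ts in attempt_times:
        current["now"] = ts
        decisions.append(limiter.allow(key)[0])
    return decisions


if __name__ == "__main__":
    # One attempt per second for a day: only 15 per window get through.
    print(sum(simulate(range(86400))), "checks allowed in 24 hours")
```

Keying the counter on the target username as well as on the calling application bounds the number of password checks per account, not only per caller.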
This isn't a first; Twitter has done something similar before, having recently raised the limit of API calls from 100 per hour to 150 but failing to notify the developers. While better communication on the part of the social networking site could have been expected in this case, the modification was rather small and there wasn't too much harm done. However, for a company with a history of sometimes poor relations with the developers using its APIs, it might have been more prudent to announce the changes.