Last night my twitter feed started filling up with messages about Twitterank; in fact there are so many messages that it's currently in the top 10 trends for the day on


Looking at the people in my feed who used it (a few MVPs, a bunch of Microsoft staffers and a couple of other technical folks), it looked interesting. Except, well, I'm paranoid.

Twitterank is much like a Google PageRank for your Twitter account. Cool, just what we need, more ways to feel inadequate on the internet. The interesting part is that it needs your username and password, and people are handing them over. The site states it won't store the password, and I have no reason to believe it does, but there is no way to know. People are happily entering their authentication information for the promise of a magic number generator.

There's already another site, which illustrates the futility of trying to educate people, where the disclaimer is at least honest: "I'm in ur Twitterz, stealin ur credz!"

It nicely illustrates how simple it is to gather this information: throw up a simple web site, then sit back and watch. It's both amusing and worrying that people who should know better, including a couple of the geek Scotts, participated.

Now yes, Twitter authentication isn't that important; however, do you have a clean username and password for the site? A username and password combination you don't use elsewhere? Consider that Twitter is rapidly becoming part of the social networking scene and people try to keep a consistent brand on their social graph, matching usernames across multiple sites so people can find them...

I should stress, again, that Twitterank may not be doing anything bad at all, but we just don't know. It would be all too easy to act as a legitimate site, offer a service and not throw away the authentication details but lie low for months, then start to abuse the accounts you have. It might even be worth some money, depending on whose accounts you get; Twitter spamming is becoming more widespread. Twitter users are relying on the kindness of a stranger right now...

There's a blog up, purporting to be from the author (how do we know? It's an anonymous blog. Is there a limit to my paranoia?). It includes the following:

Are you a phishing site? Are you going to steal my account? etc..etc..

No, I am not a phisher. I don’t even store your password. Your password gets used once to calculate your Twitterank, and is never stored on disk or any other permanent storage device. Having said that, people do need to be more careful about giving away their account information. I’m not evil, but the next guy might be.

They acknowledge there's no way for them to prove they aren't storing it either; that's a whole other problem. Heck, the source for the Twitterank page underscores the problem in a rather amusing HTML comment:

<!-- I am about to ask you for your Twitter user ID and password. You should be afraid. This is where you ask yourself, "Do I really want to find out my twitterank badly enough to give some random dude on teh interweb my account info?" And if that's not what you're asking yourself, shame on you. //-->

(I am signed up to a Twitter service that tweets my RSS updates and stores my username and password to do so, so I may well be a hypocrite!)