Post AP9paw9FGFcZnUnS6a by RefurioAnachro@toot.cat
Post #AP80JnOQJHK1MfBh2W by isotopp@chaos.social
2022-10-31T09:23:28Z
0 likes, 0 repeats
Did you use https://fedifinder.glitch.me to find me here? That is okay. The tool is legit. But you just gave a connected app access to your Twitter. You want to check that. Not for Fedifinder, but for everything else.

1. Go to Settings, Security and Account access.
2. Select Apps and Sessions.
3. Select Connected Apps.
4. Review all Connected Apps. If you find it necessary, you can revoke access there.
Post #AP80Jo5JjndJVhFwtk by flo_korn@mastodon.online
2022-10-31T10:16:07Z
0 likes, 0 repeats
@isotopp I found it super ethical of fedifinder.glitch.me to offer a link to remove the access permissions right after using it! 🙏🤩
Post #AP80JobvmXil8qVzjU by Luca@vis.social
2022-10-31T13:46:30Z
0 likes, 0 repeats
@flo_korn @isotopp And if you look at the source code, you will see that the user tokens don't get stored. If glitch or my account got hacked, they would only gain access to the app tokens (which can't access private user data without the user tokens). It's still good practice to remove unused apps.
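The distinction Luca draws between app tokens and user tokens is the one OAuth 1.0a (RFC 5849) makes, which is what Twitter's v1.1 API used for user-context requests. The following is an added example, not Fedifinder's code and not anything Luca posted: it implements the RFC 5849 HMAC-SHA1 signature and shows that the signing key is the consumer (app) secret joined with the user's token secret, so a request in a user's context cannot be signed by someone holding only the app credentials. All keys, secrets, hostnames, nonce and timestamp below are constructed placeholders; a real client sends a fresh nonce and the current time on every request.

```python
"""OAuth 1.0a (RFC 5849) HMAC-SHA1 signing and verification.

Added example with constructed credentials; demonstrates why a leaked
app (consumer) secret alone cannot forge a user-context request.
"""
import base64
import hashlib
import hmac
from urllib.parse import quote

# Constructed placeholder credentials (not real Twitter values).
CONSUMER_KEY = "appkey"
CONSUMER_SECRET = "appsecret"
USER_TOKEN = "usertoken"
USER_TOKEN_SECRET = "usertokensecret"

API_URL = "https://api.example.invalid/1.1/friends/ids.json"  # constructed


def pct(s: str) -> str:
    # RFC 5849 section 3.6: percent-encode everything except the RFC 3986
    # unreserved set (ALPHA, DIGIT, '-', '.', '_', '~').
    return quote(s, safe="-._~")


def base_string(method: str, url: str, params: dict) -> str:
    # Section 3.4.1: encode every key and value, sort by key then value,
    # join as k=v with '&', then concatenate METHOD & url & params, each
    # part encoded once more.
    pairs = sorted((pct(k), pct(v)) for k, v in params.items())
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), pct(url), pct(normalized)])


def sign(method: str, url: str, params: dict,
         consumer_secret: str, token_secret: str = "") -> str:
    # Section 3.4.2: key = consumer_secret '&' token_secret. Without a user
    # token the token secret is empty, but the '&' is still present.
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    msg = base_string(method, url, params).encode()
    return base64.b64encode(hmac.new(key, msg, hashlib.sha1).digest()).decode()


def verify(method: str, url: str, params: dict, signature: str,
           consumer_secret: str, token_secret: str = "") -> bool:
    # Server-side check: recompute and compare in constant time.
    expected = sign(method, url, params, consumer_secret, token_secret)
    return hmac.compare_digest(expected, signature)


def example_params() -> dict:
    # Fixed nonce/timestamp so the example is deterministic (constructed).
    return {
        "screen_name": "alice",
        "oauth_consumer_key": CONSUMER_KEY,
        "oauth_token": USER_TOKEN,
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_timestamp": "1667211600",
        "oauth_nonce": "nonce123",
        "oauth_version": "1.0",
    }


def demo() -> dict:
    params = example_params()
    # Legitimate client: holds both the app secret and the user's token secret.
    user_sig = sign("GET", API_URL, params, CONSUMER_SECRET, USER_TOKEN_SECRET)
    # Attacker who stole only the app credentials tries to sign the same
    # user-context request without the user's token secret.
    forged_sig = sign("GET", API_URL, params, CONSUMER_SECRET)
    return {
        "user_sig": user_sig,
        "forged_sig": forged_sig,
        "user_ok": verify("GET", API_URL, params, user_sig,
                          CONSUMER_SECRET, USER_TOKEN_SECRET),
        "forged_ok": verify("GET", API_URL, params, forged_sig,
                            CONSUMER_SECRET, USER_TOKEN_SECRET),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The point for the thread: an app that never persists `USER_TOKEN_SECRET` (keeping it only for the duration of the request) leaves nothing on disk that would let a compromise of the host sign calls as the user later; the app credentials alone only reach whatever the API exposes to the app itself.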
Post #AP9mtFuwCN3USc9ETg by RefurioAnachro@toot.cat
2022-10-31T12:09:29Z
0 likes, 0 repeats
Fritter, my favorite unofficial _accountless_ Twitter client for Android, can fetch follows of anyone without credentials. That fedifinder requires credentials makes it highly suspicious! Don't use fedifinder! @isotopp
Post #AP9mtGRuDnQW6rZYrg by isotopp@chaos.social
2022-10-31T12:25:42Z
0 likes, 0 repeats
@RefurioAnachro Read the source.
Post #AP9mtGuyTig9Z1AmAq by RefurioAnachro@toot.cat
2022-10-31T19:07:58Z
0 likes, 0 repeats
"Read the source"

Nice one :D Well, it's node.js, and we know that is safe, don't we? I looked at it and its package-lock.json for 5 secs and noticed no security problems, so it's fine, isn't it? The people operating the server are surely very trustworthy, and won't run modified code. Or debugging tools. Or an exfiltrating firewall. On someone else's computer. Right?

But you're correct, paranoia incapacitates, and I routinely enter my banking creds into worse, so there's that. And I do feel guilty for abusing your comment space to educate folks about security, as I should be, right?

But none of this matters, because as I said: it's technically unnecessary to ask for credentials, so why would they? @isotopp
Post #AP9mtHWYE0jjRYkmkC by RefurioAnachro@toot.cat
2022-11-01T10:11:43Z
0 likes, 0 repeats
Okok, that's not very helpful. But the question is nagging me. So let's invoke @Luca: why does #fedifinder require credentials when apps like Fritter https://github.com/jonjomckay/fritter demonstrate that that information is available without? @isotopp
Post #AP9mtI7lzcVjJ0AVlI by Luca@vis.social
2022-11-01T10:25:25Z
0 likes, 0 repeats
@RefurioAnachro @isotopp Fritter scrapes the web interface; I use the Twitter API. I have worked with the Twitter API for many years and have friendly relationships with people working there and business relationships with the company. Building a tool that breaks their terms puts the people in an uncomfortable position and my other projects at risk of losing API access. Without the API it would be much harder to search through the profiles of private accounts.
Post #AP9mtWRmk0pxj7dgtk by Luca@vis.social
2022-11-01T10:25:29Z
0 likes, 0 repeats
@RefurioAnachro @isotopp But the source code is open and if someone believes that I or the tool can't be trusted, they are free to take it, adapt it to their needs and run it on their own computer.
Post #AP9paw9FGFcZnUnS6a by RefurioAnachro@toot.cat
2022-11-01T10:55:45Z
0 likes, 0 repeats
"the source code is open"

That is a valid point, even though that has its limits, as I pointed out earlier. Apologies for my sarcastic style.

"lose API access"

I didn't think about it that way, that you might risk your access to their API if you break their ToS. In hindsight that doesn't seem too surprising in some way, although it does leave a bad taste, that they would punish conforming projects just because an individual has embarked on such behaviour. At least, I suppose that's what they say in their ToS. Are there known cases where they enforced it?

Anyways, thanks for clarifying and for your efforts to help folks switch! @Luca @isotopp