
Betalist wants full read/write/delete access to my twitter just for signing up? (No joke.)

While preparing the launch of my website comparing workflow automations, I also wanted to sign up at betalist.

To my big surprise, they ask for full twitter access.

(They kindly say: 'We won't post without asking'. Thank you very much!)

What's your take? I think it's ludicrous. I already heard that betalist does not bring much results, but with this sign up policy I certainly won't use them.

Posted to Product Launch on June 10, 2022
  1. 4

    That is pretty crazy. I should definitely start reading what these pages get access to when signing up.

  2. 2

    Maker of BetaList here.

    We recently added regular email/password sign up so you no longer need to connect with Twitter if you don't want to!

    The reason we (and many sites like us) ask for all these Twitter permissions, is because Twitter does not give us fine-grained controls. We have no intent to follow/unfollow accounts on your behalf, but Twitter does not allow us to specify exactly which permissions we want.

    They let us choose between "read-only" and "read & write". We chose "read & write" because in the past we did have some features where you could easily tweet your startup, share a comment on Twitter, etc.

    I think we've removed most if not all of these features however. So we can probably get away with just asking for read-only access. To be honest I've been scared to change this code, because I don't want to lock out all our existing users. E.g. it's not completely clear if changing the existing app will invalidate all existing OAuth tokens.

    I'll have another look as part of our upcoming redesign. But just know that you can simply sign up with email these days as well.

    P.S.
    Sorry for the super late reply. I didn't see this post until today. Feel free to email me anytime at [email protected] for a quicker response.
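The comment above describes the coarse permission model it has to work with: an app asks for either "read" or "read & write", with no way to carve out just "post a tweet". The following Python is an added example, not BetaList's code, showing the least-privilege check a maintainer can run in that situation: derive the smallest level the app's actual API actions need, flag stored user tokens whose granted level exceeds it, and build the request-token body that asks for a read-only token per authorization instead of changing the app-wide setting. The action-to-level table is an assumption for the example; the `x_auth_access_type` request-token parameter and the `X-Access-Level` response header are the ones Twitter documented for its v1.1 / OAuth 1.0a API, so check current documentation before relying on them.

```python
# Least-privilege check for a two-level OAuth permission model (read / write).
# Added example, not BetaList's code. The ACTION_LEVEL table is an assumption.
from urllib.parse import urlencode

# Permission levels in increasing order; "write" implies "read".
LEVELS = ("read", "write")

# Which level each API action an app performs needs (assumed for this example;
# replace with the endpoints your own app actually calls).
ACTION_LEVEL = {
    "read_profile": "read",
    "read_timeline": "read",
    "post_tweet": "write",
    "follow": "write",
    "unfollow": "write",
    "delete_tweet": "write",
    "update_profile": "write",
}


def minimum_level(actions):
    """Smallest permission level that covers every action the app performs."""
    needed = 0  # index into LEVELS; an app that does nothing still needs "read" to sign in
    for action in actions:
        if action not in ACTION_LEVEL:
            raise ValueError(f"unknown action {action!r}")
        needed = max(needed, LEVELS.index(ACTION_LEVEL[action]))
    return LEVELS[needed]


def is_overprivileged(requested, actions):
    """True when the app asks for more than its actions require."""
    return LEVELS.index(requested) > LEVELS.index(minimum_level(actions))


def granted_level(x_access_level):
    """Map Twitter's X-Access-Level header value (returned on authenticated
    v1.1 requests) onto the two levels used here."""
    value = x_access_level.strip().lower()
    if value == "read":
        return "read"
    if value in ("read-write", "read-write-directmessages"):
        return "write"
    raise ValueError(f"unexpected X-Access-Level {x_access_level!r}")


def audit_tokens(tokens, actions):
    """Return user ids whose stored token carries more access than the app needs.
    tokens: iterable of (user_id, X-Access-Level header value)."""
    need = LEVELS.index(minimum_level(actions))
    return [uid for uid, hdr in tokens if LEVELS.index(granted_level(hdr)) > need]


def request_token_body(callback_url, level):
    """Form body for POST oauth/request_token. Passing x_auth_access_type lets a
    single authorization ask for a lower level than the app's default setting,
    so the app-wide setting (and existing tokens) stay untouched."""
    if level not in LEVELS:
        raise ValueError(f"unknown level {level!r}")
    return urlencode({"oauth_callback": callback_url, "x_auth_access_type": level})


# Constructed sample data: what the app actually does today, and a few stored
# tokens with the access level Twitter reported for each.
APP_ACTIONS = ["read_profile", "read_timeline"]
SAMPLE_TOKENS = [
    ("u1", "read"),
    ("u2", "read-write"),
    ("u3", "read-write-directmessages"),
]

if __name__ == "__main__":
    need = minimum_level(APP_ACTIONS)
    print("minimum level for current features:", need)
    print("app default 'write' over-privileged:", is_overprivileged("write", APP_ACTIONS))
    print("tokens holding more than needed:", audit_tokens(SAMPLE_TOKENS, APP_ACTIONS))
    print("request_token body:", request_token_body("https://example.com/callback", need))
```

Run as a script it reports that a read-only app currently asking for "write" is over-privileged and lists which stored tokens (here the constructed u2 and u3) hold more than the sign-in flow needs; those users can be re-authorized at the lower level on their next login rather than all at once.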

  3. 2

    Everything should follow a Least Privilege principle, but seemingly lots of platforms do this by default. Product Hunt does exactly the same thing if you try to sign up with Twitter. I would say it just makes for faster development to ask for everything, rather than scoping your permissions too narrowly and then having to update them. If the company is trustworthy you should have nothing to worry about, as they would potentially damage their reputation by abusing their permissions. If you're unsure, you should probably think twice.

  4. 2

    What is the actual risk? That they might post a tweet on your account? You and many others will complain. Twitter revokes their credentials and Betalist has to re-auth everybody. The risk for Betalist is much bigger than yours. Or just mail him at marc@ and ask him about it, he is a great guy.

    Cheers,
    Arjen

    1. 4

      Well you can get a criminal record in the EU for wrong thought. Or a CrimeNotCrime report. That could reduce your chances of getting a job.
      Or in Australia, you could get sued if something posted offends someone and a judge forces twitter to reveal your real name.
      Those seem rather real.

      1. 0

        Even though it is posted on your account, they probably still have to prove you are actually the person who posted this?

    2. 1

      Thanks Arjen! I agree that posting without would clearly harm betalist's reputation. But I don't really see why they ask for it in the first place? I just searched and realised @marckohlbrugge is an indiehacker too, so maybe he can enlighten us.

      1. 1

        With Marc I did a startup back when I was still with TNW. All my integrations with Twitter are also read/write. It is just easier, instead of having to do the OAuth dance again, just to get write permissions.

        1. 1

          Mmmh, it's easier for you/betalist, or for the user. At best I would understand that they want to post on my behalf (promoting 'my' betalist posting). But why on earth do they need the right to unfollow, delete my tweets, update my profile and report accounts??

          I am less concerned that betalist has evil afterthoughts, but what if they get hacked or have a rogue staff.

          Not convinced yet.

          1. 1

            As far as I know Twitter doesn't allow for more granular permissions via OAuth1, Betalist has been around for quite a while.

            Besides that, even if they get hacked, the hackers will probably go after the biggest twitter accounts first.

  5. 1

    I was about to sign up on BetaList today when I saw they wanted write access to my Twitter. No way in h**l am I giving that out just for BetaList!

  6. 1

    Looks like they just went with the defaults. Which is never a great idea!

  7. 1

    Full access as a default is never good! It's always better to only seek access for the exact amount of data that is required for an exact action that a user requests your tool to perform - build trust by being trustworthy rather than expecting this madness! Thanks for sharing!
