I tweet every so often about product/group updates, and I've built a few Twitter integrations before.
As part of my security research, I look for vulnerabilities in public APIs and in mobile/web backend APIs. I usually use the free API security testing tool below to run basic checks. These checks are safe and non-intrusive; they detect OAuth 2.0, JWT and authentication flaws in APIs. Twitter and similar organizations would not mind or notice these checks.
https://apisec-inc.github.io/pentest/
I used this Twitter API OpenAPI Specification file URL for testing:
https://api.twitter.com/labs/2/openapi.json
Here is the simple process I followed. I pointed the tool at the Twitter OpenAPI spec file and just ran the basic checks to see what it returned.
The result came back with one endpoint open to the public. On further investigation, I saw that the endpoint was returning the API schema itself, so it wasn't a big deal.
Conclusion: All Twitter API endpoints are secure, and no issues were found.
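The basic check described above, "which operations in this spec can be called without any credentials?", is something you can reproduce yourself directly from an OpenAPI document before running any tool against a live API. The script below is an added example written for this post; it is not the testing tool's code and it does not use Twitter's real spec. It embeds a small constructed OpenAPI 3 document and applies the OpenAPI rules for the `security` field: a global `security` list applies to every operation unless the operation declares its own, and an empty list (or an empty `{}` requirement) means no authentication is required. The one public endpoint it reports is the constructed equivalent of the schema endpoint the post found.

```python
import json

# Constructed sample OpenAPI 3 document for demonstration only.
# The paths mimic the shape of a "labs/2" style API but are NOT Twitter's real spec.
SAMPLE_SPEC = json.dumps({
    "openapi": "3.0.0",
    "info": {"title": "Constructed demo API", "version": "1"},
    "components": {
        "securitySchemes": {
            "BearerToken": {"type": "http", "scheme": "bearer", "bearerFormat": "JWT"},
            "OAuth2": {"type": "oauth2", "flows": {"clientCredentials": {
                "tokenUrl": "https://example.invalid/oauth2/token", "scopes": {}}}},
        }
    },
    # Global requirement: every operation needs a bearer token unless it overrides this.
    "security": [{"BearerToken": []}],
    "paths": {
        # Explicit empty list: this operation is intentionally public (serves the schema).
        "/labs/2/openapi.json": {"get": {"summary": "API schema", "security": []}},
        # No operation-level security: inherits the global bearer-token requirement.
        "/labs/2/tweets": {
            "get": {"summary": "Search tweets"},
            "post": {"summary": "Create tweet", "security": [{"OAuth2": []}]},
        },
    },
})

HTTP_METHODS = ("get", "put", "post", "delete", "options", "head", "patch", "trace")


def effective_security(spec, operation):
    """Return the security requirement list that actually applies to one operation.

    OpenAPI 3 semantics: an operation-level `security` key overrides the global
    one entirely; if absent, the document-level `security` list applies.
    """
    if "security" in operation:
        return operation["security"]
    return spec.get("security", [])


def requires_no_auth(requirements):
    """True when the requirement list permits anonymous calls.

    Either an empty list or a list containing an empty `{}` requirement
    object means the operation can be invoked without any credentials.
    """
    return not requirements or any(req == {} for req in requirements)


def find_unauthenticated_operations(spec_text):
    """Parse an OpenAPI JSON document and list (METHOD, path) pairs that need no auth."""
    spec = json.loads(spec_text)
    findings = []
    for path, path_item in spec.get("paths", {}).items():
        for method in HTTP_METHODS:
            operation = path_item.get(method)
            if operation is None:
                continue
            if requires_no_auth(effective_security(spec, operation)):
                findings.append((method.upper(), path))
    return sorted(findings)


def scheme_names(spec_text):
    """List the declared security scheme names, useful for spotting specs with none at all."""
    spec = json.loads(spec_text)
    return sorted(spec.get("components", {}).get("securitySchemes", {}).keys())


if __name__ == "__main__":
    # Report what a basic "open endpoint" check would surface for the constructed spec.
    print("Declared schemes:", scheme_names(SAMPLE_SPEC))
    for method, path in find_unauthenticated_operations(SAMPLE_SPEC):
        print(f"Unauthenticated operation: {method} {path}")
```

Reading the output is where the judgement in the post comes in: an unauthenticated `GET` on the schema URL is expected and harmless, while an unauthenticated operation that reads or writes user data would be a finding worth reporting. A spec with no declared `securitySchemes` at all deserves a closer look too, since every operation in it will be listed.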