From comments that Twitter personnel have posted here, it sounds like they discovered a security problem and decided they needed to fix it in a hurry, so there was no time for adequate notification. I can appreciate that and don’t hold it against them.
However, I don’t appreciate the lecturing tone and the lack of clarity in Taylor Singletary’s initial explanation. He referred to the change as “flipping the enforcement bit,” which doesn’t really describe the change in terms that are helpful to developers trying to deal with the fact that their apps suddenly stopped working. Singletary goes on to make it sound as though the problem is that Twitter was “lenient in the past” and third-party developers have somehow been abusing Twitter’s generous leniency. And then he concludes, “Scraping a PIN code/oauth_verifier from the HTML page that displays it in out of band OAuth is very very uncool.”
I found this response unhelpful in several respects. First, as a Drupal developer, I was using the Twitter module for Drupal, which does not use out of band OAuth or scrape a PIN code. The comment about “very very uncool” developers who do this was therefore not only snarky but a distraction from finding and fixing the problem that caused Drupal’s Twitter module to break when Twitter made its configuration change.
As for developers who WERE scraping PIN codes, I disagree that this was “uncool.” If Twitter created a security hole by allowing this in the past, then Twitter was uncool for creating the security hole, not the third-party developers who were just playing by the rules that Twitter created.
What is uncool is to first create a security hole, then fix it in the dead of night without any warning, and then add insult to injury by telling people who have been inconvenienced that they are to blame for the problems that you yourself created.