How To Secure Twitterrific
I have come to love Twitterrific, and while chasing down some security issues I was having with Google’s Gmail Notifier, I uncovered yet another security concern. It appears that Twitterrific does not connect to the Twitter service via HTTPS; rather, it connects via HTTP and authenticates in plain text! WTF IS THIS!
I looked all through the preferences just to make sure I didn’t miss something, but, nope, no option to enable SSL or encrypted logins. I can understand fetching updates over plain HTTP after an initial encrypted login, to keep the overhead down on Twitter’s side, but a clear text HTTP POST of your password is crazy! I had to do some digging, and here I found how to correct this via the command line in Mac OS X:
defaults write com.iconfactory.Twitterrific protocol -string "https://"
I did one better and found a way to do it “graphically” for those too afraid to mess with the command line in Mac OS X. It does exactly the same thing as the command above. Here is how:
- Double click “Macintosh HD” (or whatever your hard drive is called)
- Click your username under “Places” (we are navigating to your user’s home directory)
- Double click “Library” under your home directory
- Double click “Preferences”
- Find the file “com.iconfactory.Twitterrific.plist” in this folder and double click it; it should open in a program called “Property List Editor”, which is the editor for this kind of file
- You will see “Root” under “Property List”; expand it (click the arrow next to Root) so you see all the “Child” entries under “Root”
- Highlight “Root”, then click “New Child” and enter the name “protocol” (without the double quotes)
- Make sure the “Class” column for “protocol” says “String”; if not, use the pull-down menu to change it
- Enter “https://” (without the double quotes) in the value column for “protocol”
- Quit and click “Save” when prompted
When you restart Twitterrific, it will start connecting via HTTPS.
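Since the only evidence that the client is sending credentials in the clear is the absence (or wrong value) of that one key, here is a small audit-and-fix script for the preference file. This is an added example, not code from the post or from the Twitterrific developers; it assumes the file is a standard plist readable by Python’s plistlib, and the sample plist embedded below is constructed for illustration (only the “protocol” key is taken from the post).

```python
import plistlib
import sys

PREF_KEY = "protocol"          # the key the post adds to the plist
SECURE_VALUE = "https://"      # value that makes the client use HTTPS

def audit_protocol(plist_bytes):
    """Return "https", "http" or "missing" for the configured protocol.

    A missing key means the client falls back to its default, which the
    post found to be plain HTTP, so it is reported as insecure too.
    """
    prefs = plistlib.loads(plist_bytes)
    value = prefs.get(PREF_KEY)
    if not isinstance(value, str):
        return "missing"
    return "https" if value.lower().startswith("https://") else "http"

def enforce_https(plist_bytes):
    """Return (changed, new_plist_bytes) with "protocol" forced to https://."""
    prefs = plistlib.loads(plist_bytes)
    if prefs.get(PREF_KEY) == SECURE_VALUE:
        return False, plist_bytes
    prefs[PREF_KEY] = SECURE_VALUE
    return True, plistlib.dumps(prefs)

# Constructed stand-in for a Twitterrific preference file before the fix:
# no "protocol" key at all. The other key is purely illustrative.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>refreshInterval</key>
    <integer>180</integer>
</dict>
</plist>
"""

if __name__ == "__main__":
    # Pass the real path (~/Library/Preferences/com.iconfactory.Twitterrific.plist)
    # as the first argument; with no argument the constructed sample is used.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_PLIST
    print("before:", audit_protocol(data))
    changed, fixed = enforce_https(data)
    print("after: ", audit_protocol(fixed), "(changed)" if changed else "(unchanged)")
    if changed and len(sys.argv) > 1:
        open(sys.argv[1], "wb").write(fixed)
```

Quit Twitterrific before writing the file, since the client may overwrite the preferences on exit.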
I don’t get why the developers put this in the plist if they didn’t at some point expect that functionality to be used. If that was the case, why is there no option for it in the configuration area of this tool? At any rate, pissed off as I am that it has been doing this for so long, it is secure now. I guess I am going to have to audit all my passwords again … sigh.
Oh and a major plug to the makers of Little Snitch, Objective Development! You can pick up this software here. Without that program, I probably would never have suspected such a glaring security issue was occurring. Pretty handy little program.
I hope this isn’t the case with the iPhone version of Twitterrific. I don’t like having to check behind every damn tool or application I use. In this day, it is simply inexcusable to not think about security first in your application development.
**** Update ****
Okay, so I guess I am an idiot for not reading the “Read Me” file in the Twitterrific download. It states:
protocol -string "http://" Allows Twitterrific to be configured for other protocols, such as "https://".
Which is basically what I outlined above. I received an update from their support stating that the next version will have this by default for both clients, Mac and iPhone. So hopefully that comes very soon! Good work guys!