Twitter is a sign-in identity provider too... And revoking access at Twitter or deleting your account does not necessarily break that delegation token...
I trust their security team made this happen. But it's not intrinsic.

If you've ever "Logged in" to a website or app with Twitter, you created an account with a secret Twitter holds on its servers. You don't sign in with your Twitter account. You sign in with an OAUTH token Twitter owns.

This feature was often used for signing up for "Social Media Dashboards." I know because I did it. This means Twitter may technically have access to EVERY social account on EVERY platform to those who did it. (I never polluted streams, others def did.)

One of the highest importance things in Security is thinking as a Graph not a List. Owning Twitter doesn't get you Twitter. It gets you everything that trusts Twitter.

Article by John Lambert, one of the seniormost Microsoft people who has his hand fighting their greatest battles.
medium.com/@johnlatwc/defender @johnlatw

@SwiftOnSecurity bro c'mon, this is a bit too fear-mongering-ish. Yea technically Google can access all your google-logged-in accounts too. Hell, since Google controls your email anyways, they can probably log into all of your accounts anyways. But if these identity providers started abusing those identities at scale, then they would be caught and it would be a major legal and PR nightmare for them
