Thanks, FriendFeed and Twitter users.
After my previous post, I started a thread in FriendFeed that not only linked to my previous blog post, but included an additional graphic that focused on the dialog box itself (I began to suspect that the message at the bottom left wasn't related to the issue).
In addition to the wise messages urging me NOT to pass my credentials to this suspicious dialog box (I didn't), I also got a couple of comments from FriendFeed user Chacha:
They are having a problem with it. A lot of sites are getting this problem.
It has to do with an error in the badge
And Chacha was right. Other people were reporting the problem.
“@twitter - All of a sudden, my website's Twitter badge is asking visitors for a name and password (Twitter API). What's going on?”
“@johnbattelle twitter has screwed up something and is password protecting user timeline calls from the twitter badge on your site (and o ...”
“@dacort ah - problem solved, ty "Twitter made a change to the api that the badge is calling". will reinstall in the morning :)”
“a few people saying that my site is newly asking for twitter credentials. no idea why. have blown out twitter badge for now.”
“@josiefraser Twitter made a change to the api that the badge is calling. Not sure if they're aware yet...”
“If your blog is asking for Twitter credentials, try commenting out your Twitter badge javascript (for now)”
Well, I couldn't figure out how to comment out JavaScript, so I did the next best thing.
At one point the widget included the URL
I simply changed that URL to
and that quick & dirty fix seemed to take care of the errant login requests.
[UPDATE 9 JANUARY]
Hold that thought. Two users on getsatisfaction.com said that was a really bad idea.
Eric commented
Do not replace twitter.com with some domain that is not Twitter, or your own site! Doing so gives that site access to your user's cookies, and generally allows that site to run any JavaScript they want to on your site. It's better to just remove or comment out your badge for the time being.
alanjcastonguay commented
That's not a fix, or even a workaround. You're sending every visitor's browser to do an extra DNS lookup on xxxtwitter.com (which does exist, appears to be a pornographic parking page), and then make an HTTP request to that server, which returns a chunk of html instead of a 404 or javascript blob. User's browser sees script errors trying to execute it. Recommend to instead comment out the script.
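The point the two comments make is worth seeing in code: a `<script src="...">` tag runs with the including page's origin, so whoever controls that host can read the page's cookies and rewrite its DOM, and the right response to a broken badge is to disable it, not to point it at another domain. The following is an added example, not code from this post or from Twitter. It audits the script hosts in a page against a trusted list (the page's own host plus twitter.com) and disables the badge tags by switching their `type` to `text/plain`, which the browser neither fetches nor runs and which, unlike wrapping in an HTML comment, cannot be broken by a `--` inside a script body. The sample page, its hostname `blog.example`, and the badge URLs are constructed for the example and are not the post's elided URLs.

```javascript
// Added example (not from the original post): audit which hosts a page loads
// scripts from, and disable a badge script without touching its JavaScript.
// Everything in SAMPLE_PAGE is constructed sample data.

// Hosts allowed to run JavaScript with this page's origin, besides the page's own host.
const TRUSTED_SCRIPT_HOSTS = new Set(['twitter.com', 'www.twitter.com']);

// Constructed page: the badge's script URLs have been re-pointed at xxxtwitter.com,
// the "quick & dirty fix" the comments above warn against.
const SAMPLE_PAGE = [
  '<html><body>',
  '<div id="twitter_div"><ul id="twitter_update_list"></ul></div>',
  '<script type="text/javascript" src="http://xxxtwitter.com/javascripts/blogger.js"></script>',
  '<script type="text/javascript" src="http://xxxtwitter.com/statuses/user_timeline/example.json?callback=twitterCallback2&count=5"></script>',
  '<script type="text/javascript" src="/js/site.js"></script>',
  '</body></html>',
].join('\n');

// Return the src of every executable <script> tag. Tags already disabled with
// type="text/plain" are skipped. A regex is adequate for a hand-edited blog
// template; use a real HTML parser for arbitrary input.
function extractScriptSources(html) {
  const tagRe = /<script\b([^>]*)>/gi;
  const srcRe = /\bsrc\s*=\s*(["'])([^"']+)\1/i;
  const plainRe = /\btype\s*=\s*(["'])text\/plain\1/i;
  const sources = [];
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const attrs = m[1];
    const src = srcRe.exec(attrs);
    if (src && !plainRe.test(attrs)) sources.push(src[2]);
  }
  return sources;
}

// Resolve each src against the page URL and flag hosts that are neither the page
// itself nor on the trusted list. Any such host gets full control of the page:
// the script it serves can read document.cookie and rewrite the DOM.
function auditScriptSources(html, pageUrl) {
  const pageHost = new URL(pageUrl).hostname.toLowerCase();
  return extractScriptSources(html).map((src) => {
    const host = new URL(src, pageUrl).hostname.toLowerCase();
    return { src, host, trusted: host === pageHost || TRUSTED_SCRIPT_HOSTS.has(host) };
  });
}

// Sorted, de-duplicated list of untrusted script hosts; empty means the page is clean.
function untrustedScriptHosts(html, pageUrl) {
  const hosts = auditScriptSources(html, pageUrl)
    .filter((r) => !r.trusted)
    .map((r) => r.host);
  return [...new Set(hosts)].sort();
}

// Disable every script tag whose src contains hostFragment by setting
// type="text/plain". The tag stays in the template for later reinstatement, but
// the browser never requests or executes it, so no DNS lookup, no HTTP request
// and no script errors from a parking page's HTML.
function disableScriptsFrom(html, hostFragment) {
  const re = /<script\b([^>]*)\bsrc\s*=\s*(["'])([^"']+)\2([^>]*)>([\s\S]*?)<\/script>/gi;
  return html.replace(re, (tag, before, q, src, after, body) => {
    if (!src.includes(hostFragment)) return tag;
    const attrs = (before + after).replace(/\btype\s*=\s*(["'])[^"']*\1/i, '').trim();
    return `<script type="text/plain" src=${q}${src}${q}${attrs ? ' ' + attrs : ''}>${body}</script>`;
  });
}

// Usage: audit the constructed page, disable the re-pointed badge, audit again.
const PAGE_URL = 'http://blog.example/';
console.log('untrusted before:', untrustedScriptHosts(SAMPLE_PAGE, PAGE_URL));
const FIXED_PAGE = disableScriptsFrom(SAMPLE_PAGE, 'xxxtwitter.com');
console.log('untrusted after :', untrustedScriptHosts(FIXED_PAGE, PAGE_URL));
```

Run it with `node` and the first audit reports `xxxtwitter.com`, the second reports nothing: the site's own `/js/site.js` resolves to the page host and is left alone, while both badge tags now carry `type="text/plain"`. Putting the real `twitter.com` URLs back later is a matter of restoring the `type` attribute.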