
Is it possible that something that had API access did it?


No API accesses granted as far as I can remember. But good call, I had not yet thought of that one.


It may have also been "Web Intent" abuse?

https://developer.twitter.com/en/docs/twitter-for-websites/t...

Web Intent is a very open API and doesn't require a specific API relationship (you don't need to approve an "app" to do it). It is built to present a confirmation page specific to the given "Web Intent" interaction, but there have been reports over the years of adware/malware bypassing the confirmation page (or phishing the confirmation page) as a spam vector.

Web Intent is on the list of paranoia reasons to not browse the web with an active Twitter session.
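To make concrete what the comment above means by Web Intent being an open, URL-driven API, here is an added example (not from this thread and not Twitter's own code) that scans a page's HTML for links to the intent endpoints (twitter.com/intent/tweet, retweet, like, follow; the action names are assumed from Twitter's documentation, and the sample HTML is constructed). A defender can run it over a saved page to see which links would pop an intent confirmation in a browser that is logged in to Twitter.

```javascript
// Added example: audit a page's HTML for Twitter Web Intent links.
// Runs under Node.js; the sample HTML below is constructed for the demo.
const INTENT_HOSTS = new Set(["twitter.com", "www.twitter.com", "mobile.twitter.com"]);
// Intent actions as documented by Twitter (assumed list for this example).
const INTENT_ACTIONS = new Set(["tweet", "retweet", "like", "follow"]);

// Return one {action, params, raw} record for every href in `html` that
// targets a Web Intent endpoint of the form twitter.com/intent/<action>?...
function findWebIntentLinks(html) {
  const found = [];
  const hrefRe = /href\s*=\s*["']([^"']+)["']/gi;
  let m;
  while ((m = hrefRe.exec(html)) !== null) {
    let url;
    try { url = new URL(m[1]); } catch (e) { continue; } // relative/malformed links skipped
    if (!INTENT_HOSTS.has(url.hostname.toLowerCase())) continue;
    const parts = url.pathname.split("/").filter(Boolean);
    if (parts.length !== 2 || parts[0] !== "intent") continue;
    const action = parts[1].toLowerCase();
    if (!INTENT_ACTIONS.has(action)) continue;
    // searchParams decodes percent-encoding, so the prefilled text is readable.
    found.push({ action, params: Object.fromEntries(url.searchParams), raw: m[1] });
  }
  return found;
}

// Constructed sample page: an ordinary link, a tweet intent with prefilled
// text, a follow intent, and a relative link that is not resolvable here.
const SAMPLE_HTML = `
<a href="https://example.org/article">Read more</a>
<a href="https://twitter.com/intent/tweet?text=Great%20read&url=https%3A%2F%2Fexample.org%2Farticle">Share</a>
<a href="https://twitter.com/intent/follow?screen_name=example_account">Follow us</a>
<a href="/intent/tweet?text=relative">relative (skipped)</a>
`;

for (const hit of findWebIntentLinks(SAMPLE_HTML)) {
  console.log(`${hit.action}: ${JSON.stringify(hit.params)}`);
}
```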


Oh, that is a very good one. I never even thought that something like that was possible; I thought that by just using a browser and a strong password I was protected against that kind of trick.

Thank you. Between the various comments in this thread, bit by bit I'm beginning to wonder how safe this setup really is. Qubes OS starts to look better by the minute...


Yeah, I've gone down some paranoia rabbit holes into isolating my Facebook, Google, and Twitter logins into their own Containers with Firefox's Container tabs. It makes for a very interesting web browsing experience that is increasingly distant from the "mainstream" view of the web. (Even beyond the fact that Firefox usage in general is so rare according to current metrics of the Chromium hegemony.) It's amazing the dark patterns that websites get into when a Facebook, Google, or Twitter tracker doesn't work or doesn't return user details. Google specifically seems to punish me with a vast increase in the number of ReCAPTCHA attempts I'm forced to make (and you start to find out how many sites still use ReCAPTCHA as their primary prevention tool).



I too am interested in what you find in your third-party apps list. That's really the only way I can imagine an account doing a rogue tweet without your password being compromised, especially when the rogue tweet is something related to foreign politics.


As soon as I have full access again I will look at that. Should be somewhere tomorrow if what they write in that email is accurate.



