This is the Twitter -> Mastodon friend migration tool we've all been looking for: https://www.movetodon.org/
1) authorize Twitter
2) authorize your Mastodon instance
3) wait while it greps through your Twitter followers
4) click on the ones you want to add on Mastodon
Easy peasy!
Movetodon: Finds your Twitter Friends on Mastodon

@jef How does it handle friends already added? (I've made 2 passes already with a different tool, and expect more to be added later as people share their new spot).
@jspath55 @jef it shows you who you already follow, when everyone joined Mastodon and how many days they've actually been active on Mastodon. Pretty cool…
@ellamoore Thank you! Good features.

@ellamoore @jef Very nice; double plus good.

Results today:
2807 / 2807 Friends checked, 217 found

A few more than the last time I checked with a different tool, so this is perfect for iterative runs!

@jef that was so easy. Thanks!
@lilyrosesloane @jef Ya know what? I did it. If someone is annoying on the 'don, they can say hello to my little friend the mute button.
@jef What a wonderful tool! Thank you so much for this. 😀
@jef wow this is SO MUCH EASIER than other tools!!!!!

@jef I tried this but... At the log in to Twitter stage it fell over. I feel like I missed a step

UPDATE pebkac I neglected to enter anything in the boxes :)

@jef @Tibor Thanks for this helpful migration tool. Hopefully the API will remain accessible for some time. 🤞🏻
@jef I would suggest the slick new updates to https://fedifinder.glitch.me by @Luca if people need a good tool. https://vis.social/@Luca/109403163082368402
Fedifinder

Fediverse accounts of your X/Twitter followings

@jef Thanks for the tip! That WAS easy!
@jef that was enormously helpful. Thank you for posting.
@jef Yea this works really, really well, I already had 80% of these people added by using Debirdify first but this is way easier.
@jef Strangely, it showed several people I already know I'm following, but perhaps that's on *my* other instance so I recognized their names while the tool didn't.
@jef I'm struggling to get in. Doesn't seem to recognise my mastodon sign in 😱
@jef got it. I realised I didn't need my handle, just the instance. Thanks 🙏🏼👍
@jef you forgot a step... Change your mastodon password after you've migrated your friends.

@jef because you just gave a website unfettered access to your accounts.

Better safe than hacked. #infosec

@TH3R3P41RM4N What does that have to do with your password?

@jef the first screen you see is "insert your twitter username and password"

Two things:
1. Your average user only uses one or two passwords across accounts.
2. The user is granting a random website access to their account to see everything from friends to email to settings (it's in the fine print).

My guess, as I just saw this, is that the user gives access to your mastodon account to "migrate" friends.

It's a neat function, but anyone can buy a .org domain on namecheap.

TLDR: change your password after using this service.

#infosec

@TH3R3P41RM4N When I ran it, it didn't ask for any passwords. Both Twitter and Mastodon's APIs use OAuth, which does not use passwords.
@TH3R3P41RM4N @jef it's not using OAuth, eh?
@jef @TH3R3P41RM4N Shouldn't need your passwords, then. Or, shouldn't be giving them to the app, rather. Should only be logging in to the Twitter/Mastodon servers and granting access from there. Thus, password not compromised. That is, not shared with any 3rd-party
@dougb @jef which brings me back to the whole 'Change your password' step.
@TH3R3P41RM4N @jef I don't understand. If it's OAuth on both sides, there's no reason to change your password.
@TH3R3P41RM4N @jef But, if it _is_ OAuth, the app/site should not be asking for your password. It should only be sending you *to* Twitter and Mastodon to enter them there. If it's asking for your password, there's a problem. That is, it *isn't* using OAuth

@dougb @jef there is a mistaken belief across developers that OAuth on its own is an authentication method...

https://oauth.net/articles/authentication/

End User Authentication with OAuth 2.0 — OAuth

@TH3R3P41RM4N @dougb I don't know what that means. I'll reiterate: it didn't ask for my password.
@jef @dougb it didn't ask for your twitter password?
@TH3R3P41RM4N @dougb It didn't ask for any passwords.
@jef @dougb it asked for mine. I'll take another look when I get to my computer.
@TH3R3P41RM4N @dougb If Twitter or Mastodon asked for your password, that just means you were not yet logged in on that device. If Movetodon asked for your password, something is very wrong.
@TH3R3P41RM4N @jef No, I understand that. I guess I should say, "if OAuth is being used correctly, the whole point of it is to *not* give your password to a 3rd-party"
@dougb @jef let me get to my computer and I'll take a deeper look.

@dougb @jef

Here is what I see when I'm logged out of twitter. Notice that while it is a twitter API, you are giving a third party access to your data via an api.twitter.com. That API is a unique instance to movetodon, and it grants movetodon the rights to essentially see all your information on twitter.

@TH3R3P41RM4N @jef If the URL in your bar is movetodon.org, it will have your password, and I wouldn't use it. If it's twitter.com, movetodon won't have your password. If you don't like the permissions it's requesting, don't use it. If you do, but don't want it to be permanent, you remove the app's access after. But still don't need to change your password (and that wouldn't help anyway).

@dougb @jef

I'll yield that the information it pulls is fairly outlined in the actual index javascript (script.js?1669585534) which is located in the developer screen on the landing page.

The getTwitterToken() function essentially looks for a twitter token that reflects you being logged on. That's why you didn't see the same login screen.

I'm still a fan of rotating passwords especially when you use a 3rd party app as a practice.

If you don't have a password vault, definitely look into getting one.

@TH3R3P41RM4N @dougb Not gonna wade through that. The essence is that Twitter and Mastodon both use OAuth to authorize 3rd-party apps, and OAuth does not give apps access to your password. There is no password exposure in using this app.
@dougb @jef or JWTs from what I can see... Granted I'm on my phone...

@TH3R3P41RM4N @jef looking at this thread I think I see where the confusion is. Jon, the "insert your Twitter password" page isn't on movetodon, it's on Twitter. That's why you don't see it if you're logged in to Twitter already. It's your standard OAuth flow.

Movetodon does not see your Twitter password.

@jef Dumbo, you iz big and all grown up. How iz my friends the crows who gave you the magic feather …

https://youtu.be/HAV9TGctF1E

Dumbo (1941) - The Magic Feather

@jef
No way. Folks should have to curate 6 different csv exports on a phone with a bad row of pixels like we did back in the day, uphill both ways, otherwise they are not hardcore enough to live here.