The fact that it will be implemented in a web app makes it security theater from the start. It doesn’t matter how key management works.
If someone with access to Twitter’s servers wants to read DMs, they will now need to include an extra snippet of JS in the frontend response of the user they’re targeting for a single request. It’s (maybe) a bit harder than getting the message right from the DB, but still not much of an obstacle for a motivated insider.
If someone with access to Twitter’s servers wants to read DMs, they will now need to include an extra snippet of JS in the frontend response of the user they’re targeting for a single request. It’s (maybe) a bit harder than getting the message right from the DB, but still not much of an obstacle for a motivated insider.