ReadWriteWeb

Cartoon: The Worm Has Turned

Written by Rob Cottingham / September 27, 2009 11:10 AM / 7 Comments

Last week's flurry of Twitter DM spam from hacked or phished accounts wasn't the first instance of that and won't be the last.

As long as people are willing to trust their Twitter log-in information to third parties - and don't look carefully at URLs before they log into websites - and as long as a small number of bad actors want to pee in the social media swimming pool, this kind of thing will continue happening.

And it's not just the log-in-here-and-we-will-steal-your-password.com's of the world you have to worry about. Legitimate third-party services whose security isn't up to snuff could be compromised, and your credentials could be stolen from them. Twitter's use of OAuth is a big step forward... although the rash of Mobster World spam shows that that isn't a perfect solution either.

Apparently there's no substitute for ruthlessly and constantly policing your own feed, thoroughly investigating services before you sign up for them, double-checking the URL every time you are about to enter info into a form, and regularly purging your OAuth settings of services you no longer use.

Also, to be safe, change your password regularly... you don't have to be obsessive about it: every three hours or so should be enough. And because erring on the side of caution is always a good idea, fake your own suicide and change your identity at least once a year.

And you thought Twitter was going to be fun? Slacker.

More Noise to Signal.


Comments


  1. Great post and draw. Thank you for sharing.

    Posted by: acido folico | September 27, 2009 3:23 PM



  2. I've heard of people who create hundreds of fake accounts only for spamming/advertising, or to impersonate popular users with many followers.
    That puts Twitter in a very bad light, especially if they want to compete with Facebook as a "Single-Sign-On" service, like Facebook Connect.

    I'm developing a service that is currently using Facebook Connect only, and because of articles like this one, Twitter is a big question mark.

    http://itok.in

    Posted by: Moshe | September 28, 2009 2:27 AM



  3. One way Twitter can mitigate some of this is to support more nuanced permissions, and lean on developers to only request elevated access when they need it. For example, disqus does not need read/write access to my Twitter feed, but asks for it anyways.

    Most applications should never have access to send DMs (client software being the notable exception), and many shouldn't have access to send updates at all. In any event, these actions should be configurable by users, so even if an app developer wants to be able to send DMs, the user should be able to override that privilege.

    I don't authorise many applications, because the increased openness that OAuth has enabled means that app developers are taking greater liberties with the account once they have access. Changing this dynamic would be great for users, and great for Twitter, not to mention broaden people's understanding of how OAuth can be a powerful tool beyond addressing the password anti-pattern.

    Posted by: Blaine Cook | September 28, 2009 7:28 AM
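Added example, not from the post, from Twitter, or from any commenter: a small Python model of the scheme Blaine describes, where an app's token carries only the scopes it was granted and the user can switch off individual privileges per app, which overrides whatever the app asked for. The scope names, the action-to-scope mapping and the app names are assumptions made for the illustration.

```python
# Toy model of scoped OAuth permissions with a per-app user override.
# Scope names and the mapping below are hypothetical, not Twitter's API.
from dataclasses import dataclass, field

READ, POST, DM = "read", "post_update", "send_dm"

# Which scope each API action needs (constructed mapping).
ACTION_SCOPE = {
    "read_timeline": READ,
    "post_update": POST,
    "send_dm": DM,
}


@dataclass(frozen=True)
class AppToken:
    app: str
    scopes: frozenset  # scopes granted to the app at authorization time


@dataclass
class UserSettings:
    # Privileges the user has switched off per app, e.g. {"disqus": {DM}}.
    revoked: dict = field(default_factory=dict)


def authorize(token: AppToken, settings: UserSettings, action: str):
    """Return (allowed, reason). Deny unknown actions, scopes the app was
    never granted, and scopes the user has revoked for this app."""
    needed = ACTION_SCOPE.get(action)
    if needed is None:
        return False, f"unknown action {action!r}"
    if needed not in token.scopes:
        return False, f"{token.app} was never granted {needed!r}"
    if needed in settings.revoked.get(token.app, set()):
        return False, f"user revoked {needed!r} for {token.app}"
    return True, "ok"


def demo():
    # Constructed sample: a commenting app asked for everything, but the
    # user switched off DMs for it; a desktop client keeps full access.
    disqus = AppToken("disqus", frozenset({READ, POST, DM}))
    client = AppToken("desktop_client", frozenset({READ, POST, DM}))
    settings = UserSettings(revoked={"disqus": {DM}})
    return {
        "disqus_read": authorize(disqus, settings, "read_timeline")[0],
        "disqus_dm": authorize(disqus, settings, "send_dm")[0],
        "client_dm": authorize(client, settings, "send_dm")[0],
    }
```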



  4. Why are the Americans obsessed with making money all the time?

    We have a saying in the U.K.: what you never have you never miss.
    And as long as you have good health, enjoy life to the full, spend what you have and enjoy.
    And remember, when you are dead you can't take your money with you.

    Posted by: Simon Firth | September 28, 2009 11:49 AM



  5. @blaine - Great comment, and no disagreement from me - I'm leery of authorizing pretty much anything for fear that one of those cringe-worthy "I just became a GOLDEN UNICORN in PRINCESS WORLD!!!" tweets will go out under my name. Er, just an example. Purely hypothetical.

    Any of the more technically-minded folks here want to weigh in on Twitter, OAuth and granularity?

    Posted by: Rob Cottingham | September 28, 2009 12:43 PM



  6. Since 2000 we have been providing work clothing, promotional items and all manner of project-based and quotation-based services. My company, its employees and I owe a great debt of thanks to the business partners whose hard work and deep experience brought the company I founded and own to where it is today, and to you, our valued business partners; every day and on every project we embrace many more innovations again and again with an amateur's enthusiasm.
    On behalf of İlayda iş elbisesi, respectfully, Kürşat Kanburoğlu

    Posted by: iş elbisesi | October 2, 2009 1:55 AM



  7. Thanks

    Posted by: su arıtma cihazı | October 6, 2009 12:50 PM


