Friday, 9 December 2011

Twitter needs a radical change of security NOW

I wrote a post a while back titled Your Twitter security is an egg, not an onion, explaining how Twitter only has one front door, like your house: if you let people in, you let them in, after which they have access to everything, including your Direct Messages.
A few months after that, Twitter finally changed its security model, and it now makes a distinction between complete access and access to the account without Direct Messages.

A little bit better, but still a major failure, as spammers have just proven: (intentionally not a clickable link) is the worst crapware site I've seen around Twitter so far. In fact, it needs to be destroyed, that's how bad it is. Let me explain.

Twitter lets you authorise other applications via a secure authorisation mechanism called OAuth. The great benefit is that you authorise that application from within Twitter itself: no passwords are exchanged.
If you change your password (or even your username; together these are called your credentials) in Twitter, the authorisation between Twitter and the other application is not affected.
So, not only does the other application have no access to your password, it also doesn't need to be kept up to date with your credentials.

Now, what happened with this new OAuth? And how did this site take advantage of it? Apparently, Twitter's new OAuth forces you to decide about access to Direct Messages, but that's it. I thought that was pretty smart, but I've now changed my mind. Here is the authorisation you give away, period:

You can see the options:

  • Read tweets from your timeline
  • Check who you are following, and add new people to that
  • Change anything in your profile
  • Tweet in your name
  • (NOT) "Access" your direct messages
  • (NOT) See your twitter password

Now why is this list so very unsatisfactory? For many reasons.
First, if you look at your Twitter web tabs, here is what they give you under Settings:

  • Account: user name, email, geo, language, timezone, etc
  • Password: neither the old Auth nor OAuth ever had access to that
  • Mobile: your mobile number and the country it's used in
  • Notifications: email actions upon messages, activity and update events
  • Profile: picture, name, location, website, bio, link to FB
  • Design: your twitter web background
  • Applications: all applications that have access to your Twitter account

and then on the Home page you can tweet, @reply, view the profiles of others, etc.
Next to that there is also a menu item called Profile, one called Messages, and even one called Who To Follow.
Can you match that with the above? No, absolutely not. So, what do we give away when we authorise an application? Simple: everything including full Direct Message access, or everything excluding full Direct Message access.

Now take the Facebook permission model, in essence the same thing: a layered authorisation model where multiple specific permissions have to be granted by the user, with only a very few basic permissions that don't need authorisation. Better? Way better.
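To make the difference between the two models concrete, here is a small Python model of delegated access, written for this post as an added example; it is not Twitter's, Facebook's or any real provider's code, and the action names, the two coarse levels and the sample user are constructed assumptions. It shows the two points made above: a token issued under the coarse "everything but Direct Messages" level still permits following, profile changes and tweeting, while a layered grant of a single permission does not; and a token outlives a password change, because it is tied to the user rather than to the credential, so only revoking it ends the access.

```python
import secrets
from dataclasses import dataclass, field

# Actions an authorised application could perform on a user's account.
# Hypothetical names, loosely following the options listed in the post.
ACTIONS = frozenset({"read_timeline", "follow", "update_profile", "tweet", "read_dm"})

# Two-level model: the only choice the user makes is "with or without DMs".
# Everything else comes bundled, whether the application needs it or not.
COARSE_LEVELS = {
    "read_write": ACTIONS - {"read_dm"},
    "read_write_dm": ACTIONS,
}


@dataclass(frozen=True)
class Token:
    user: str
    scopes: frozenset


@dataclass
class AuthServer:
    """Minimal stand-in for the site that issues and checks access tokens."""
    passwords: dict = field(default_factory=dict)   # user -> password
    tokens: dict = field(default_factory=dict)      # token string -> Token

    def register(self, user: str, password: str) -> None:
        self.passwords[user] = password

    def change_password(self, user: str, new_password: str) -> None:
        # Tokens are tied to the user, not to the credential, so issued
        # tokens keep working after a password change (the OAuth benefit
        # the post describes). Only revoke() takes a token out of service.
        self.passwords[user] = new_password

    def grant_coarse(self, user: str, level: str) -> str:
        return self._issue(user, COARSE_LEVELS[level])

    def grant_fine(self, user: str, scopes) -> str:
        # Layered model: the user approves each permission individually.
        unknown = set(scopes) - ACTIONS
        if unknown:
            raise ValueError(f"unknown scopes: {sorted(unknown)}")
        return self._issue(user, frozenset(scopes))

    def _issue(self, user: str, scopes: frozenset) -> str:
        token = secrets.token_urlsafe(16)
        self.tokens[token] = Token(user, frozenset(scopes))
        return token

    def revoke(self, token: str) -> None:
        self.tokens.pop(token, None)

    def is_allowed(self, token: str, action: str) -> bool:
        t = self.tokens.get(token)
        return t is not None and action in t.scopes


def permitted_actions(server: AuthServer, token: str, attempted) -> tuple:
    """Return, in order, which of the attempted actions the token permits."""
    return tuple(a for a in attempted if server.is_allowed(token, a))


# The three things the post says happened to compromised accounts.
ABUSED = ("follow", "update_profile", "tweet")


def compare_models() -> dict:
    s = AuthServer()
    s.register("alice", "hunter2")                   # constructed sample user
    coarse = s.grant_coarse("alice", "read_write")   # the no-DM "minimum"
    fine = s.grant_fine("alice", {"read_timeline"})  # all a stats app needs
    out = {
        "coarse_minimum": permitted_actions(s, coarse, ABUSED),
        "fine_read_only": permitted_actions(s, fine, ABUSED),
        "coarse_reads_dm": s.is_allowed(coarse, "read_dm"),
    }
    s.change_password("alice", "correct-horse")
    out["coarse_after_password_change"] = permitted_actions(s, coarse, ABUSED)
    s.revoke(coarse)
    out["coarse_after_revoke"] = permitted_actions(s, coarse, ABUSED)
    return out


if __name__ == "__main__":
    for name, value in compare_models().items():
        print(f"{name}: {value}")
```

Running it prints that the coarse token permits all three abused actions both before and after the password change, that the single-permission token permits none of them, and that revoking the coarse token is what finally stops it; that last line is why the first step in cleaning up a compromised account is revoking access, not changing the password.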

So, Twitter, let's cut this post short please. What have the spammers done? They gained authorisation in the new way, where the application doesn't even have access to Direct Messages. But:

  • They forced everyone to follow @clare2284 who is suspended by now thanks to relentlessly being reported for spam by everyone I told to do so;
  • They changed the website in your Twitter bio to point to their website: (again, not a clickable link on purpose)
  • They made you tweet: "OMG I have spent 16:45 Hours on twitter!!, Find out how much time youve spent on twitter" or something like that, where the number of hours and minutes is almost always fixed

They did all that with the minimum set of authorisation currently possible in Twitter.
So, you couldn't have given them less access to your Twitter account, yet they did all that.
How to undo all this?

  • First, revoke the access you've granted. Go to Twitter web, and your Application Settings: and revoke access to all applications you don't recognise (you should do this every two to three months anyway)
  • Second, go to your profile and fix your website:
  • Third, check who you follow: this spamware application will probably change the default follow target now that the account has been suspended. If you follow people at a normal rate, checking the last 3-5 accounts you followed should be enough
  • Fourth, remove the original tweet you were forced to send out, minimising the chance that someone else will click it
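For the fourth step, and for anyone checking a batch of accounts they look after, the forced tweet is easy to spot mechanically because only the time in it varies. The following Python is an added example for this post, not a tool from the post or from Twitter: it matches the template quoted above against a constructed sample timeline (the tweet ids and texts are made up) and returns the ids of the tweets that should be deleted.

```python
import re

# Template of the forced tweet the post quotes. The post says the hours and
# minutes are the part that varies, so any H:MM or HH:MM is accepted; the
# comma after "!!" and the apostrophe in "you've" are optional because the
# quoted text is loose on both. Matching is case-insensitive.
FORCED_TWEET = re.compile(
    r"OMG I have spent \d{1,2}:\d{2} Hours on twitter!!,? "
    r"Find out how much time you'?ve spent on twitter",
    re.IGNORECASE,
)


def find_forced_tweets(tweets):
    """tweets: iterable of (tweet_id, text). Returns ids matching the template."""
    return [tweet_id for tweet_id, text in tweets if FORCED_TWEET.search(text)]


# Constructed sample timeline; none of these are real tweets or real links.
SAMPLE_TIMELINE = [
    ("1001", "OMG I have spent 16:45 Hours on twitter!!, Find out how much time "
             "youve spent on twitter http://example.invalid/x"),
    ("1002", "Coffee first, then the security review."),
    ("1003", "omg I have spent 2:07 hours on Twitter!! find out how much time "
             "you've spent on Twitter"),
    ("1004", "Spent 16 hours on twitter this week, new record"),
]


if __name__ == "__main__":
    print("tweets to delete:", find_forced_tweets(SAMPLE_TIMELINE))
```

The benign tweet that merely mentions hours on Twitter is not flagged, so the check can be run over a whole timeline without producing much to review by hand.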

Update December 9th 13:48 CET: the application is also called "tocktickclock" and makes you follow Tweetsmania, which is not a spam account - on the contrary. This proves the adaptability of these spammers, and their evil intent. It also replaces your bio with "Please Follow my best friend @tweetsmania", which feeds the suspicion that the maker of this is Dutch.

The above application now uses as URL:
Its next iteration is which uses "topscore2283 by" as its authorisation application title.

Outdated information:
The bot now uses as URL:
It now forces you to follow: John Colt (please just go ahead and report him for spam, thank you)

This will change on a daily basis and probably even faster. Bots will keep tweeting old and new URLs, and this will become very ugly very soon unless we all stay sharp. Please fix your own account if it got compromised, and help others too. Nothing to be embarrassed about, trust me. I've been a techy for 30 years, and got caught as well...

Updated December 13th 15:03 CET: it seems to have decreased in aggressiveness. The current application is called "nice1 - just for fun" and it will only force you to tweet - not make you follow anyone, nor change your profile. It is unclear whether Twitter has fixed this, or the spammers themselves have changed it. Anyway, stay alert...

Twitter, this is just a little guy exploiting your sloppy permission architecture in an immature way. Fix this before someone really hurts the TwitterSphere - let me tell you, it is very, very easy this way.
