A funny thing happened on the way to the forum. Or at least, a funny thing happened over the weekend with regards to Twitter, spam and phishing (from Chris Pirillo). I really had no plans to outline my thoughts on the scam, because it is already being covered ad nauseum. However, I feel like I have to anyway.
The scam operates like any typical Windows worm and begins with a DM from a victimized Twitter follower. That direct message contains a link to a malicious (and unnamed) domain that screams “password stealing”. Nevertheless, gullible Twitter users click on the link and enter a page that looks an awful lot like the Twitter.com login screen (okay, it looks identical). The user enters login information thinking they are logging into Twitter and, in the blink of the eye, a malicious site has access to your Twitter account information.
This is a very important concept to get. The user inadvertently gives Twitter account login information to a malicious site. I will rail more on this concept in a bit. Keep it in your mind.
The malicious site then proceeds to send DMs with the infectious link on behalf of the user. I have gotten seven of these in the past 24 hours.
Folks, Twitter is like email. You can be infected by the innocence of friends, Please be careful. You really don’t want a malicious sites having access to confidential business ideas, your common and unchanging password that you use everywhere, or intoxicatingly passionate messages to your lover. Be wary of this scam and tread lightly. If you get a message like this, contact the sender and advise them to change their password immediately. Unlike email worms, you cannot be affected by merely looking at the DM – only by clicking the link.
There are several problems here, as there are with most internet security problems. One is the technical problem (site can login and perform actions on your behalf). The other is a psychological problem (Twitter users giving away their username and password to untested, unvetted and untrusted third parties).
Twitter promises that they are working on a solution to the technical problem and that it will look like some form of OAuth, an authentication protocol similar to OpenID for application to application authentication. OAuth, when instituted, promises to provide a passwordless trust and authentication framework that should solve the problem that requires third party Twitter apps to request a users login information. However, for all their promises and the urgency that is increasing among developers, Twitter does not seem to be in a hurry to provide this protocol.
Additionally, computer users have been relentlessly brainwashed by anti-virus companies, corporate computing policies and other persistent reminders, to adhere to basic security practices. Don’t open attachments from unknown users. Run anti-virus. Use hard to guess passwords and change them often. And so on. And so forth. Folks, these concepts are basic life-guiding principles and apply on the web too. Don’t give away your username and password to anyone. Ever. Unless they are vetted and trusted by you and you understand what the ramifications are.
In the absence of an OAuth-style technical release from Twitter, and the lack of consistent user discipline, it is my recommendation that Twitter users no longer provide third party apps with their login information, regardless of how compelling the app is. It is not safe and it is an unwise security practice that flies in the face of everything you have been learning for years when it comes to your own personal computing practices. Twitter apps are defined as anything Twitter related that is not directly on the twitter.com domain.
Maybe Twitter will get serious about their security here.
Photo Credit: dinobirdo