UK Web Focus

Innovation and best practices for the Web

Lessons From Twitter Spam

Posted by Brian Kelly on 1 December 2009

Background

On Saturday morning I received a number of Twitter messages informing me that my Twitter account had been hacked, with a number of spam messages being sent from my account. The message (which I deleted as soon as I spotted it) read:

see if your iq is higher than mine. take the iq quiz here: {URL removed}

As can be seen from a Google search, this spam message was posted from many Twitter accounts.

Blog posts entitled “WARNING: New Twitter DM Spam Attack” and “IQ Quiz Mobile Scam Hits Twitter” provide further details about this spam attack. I have followed the advice provided in these posts and have changed my Twitter password. This advice was also suggested in tweets from @karenblakeman and @joecar, who notified me of the problem as soon as they spotted it. But as I have previously suggested that it can be more effective to learn from problems rather than successes, I feel I should explore the possible causes of the spam emanating from my Twitter account.

Using Third Party Twitter Services

The obvious suspect is a third-party service to which I had given my Twitter username and password. “You shouldn’t divulge your Twitter username and password to other services” might be the obvious lesson to be learnt. And yet part of Twitter’s success is due to the way it has provided APIs which enable a thriving ecosystem of applications that enrich the core Twitter experience. Accessible Twitter, for example, provides an accessible Twitter client designed for use with assistive technologies, and to use the service you need to divulge your Twitter username and password to it.

OAuth

Ideally such services would support OAuth which, as described in Wikipedia, “is an open protocol that allows users to share their private resources (e.g. photos, videos, contact lists) stored on one site with another site without having to hand out their username and password”. I’ve noticed a number of tweets over the last couple of days generated by the Tweetcloud service, which is an example of a service you authenticate to using OAuth. The difference matters in practice: with OAuth you log in on Twitter’s own site and the application receives a token which Twitter can revoke for that one application, whereas a service that holds your password can only be shut out by changing the password itself. But what do you do if OAuth isn’t supported? Over time, as more services start to use OAuth, this probably won’t be an issue. Until then, however, I think there is a need to acknowledge that people will use their Twitter credentials with other services and, as is likely to be the case with Accessible Twitter, users will benefit from the service while it stores their Twitter username and password alongside its own data. When using such services there is a need to consider the risks: the service could be compromised, your password taken with it, and you could find yourself apparently spamming your followers.
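To make the OAuth point concrete, here is an added example (not code from the original post, nor from Tweetcloud, Accessible Twitter or Twitter itself) of the signing scheme OAuth 1.0 uses: the client proves possession of a consumer secret and a per-user token secret with an HMAC over the request, so the user’s password is never an input at all, and the server can cut off one application by marking its token revoked. The consumer key, secrets, token, user name and the API URL are all constructed for the illustration.

```python
import base64
import hashlib
import hmac
import secrets
import time
from urllib.parse import quote, urlparse

# Constructed credentials for the demonstration; none of these are real keys.
CONSUMER_KEY = "accessible-twitter-demo"
CONSUMER_SECRET = "consumer-secret-example"
API_URL = "https://api.example/statuses/update"  # hypothetical endpoint, not Twitter's


def pct(value):
    """Percent-encode as OAuth 1.0 requires: only RFC 3986 unreserved characters stay bare."""
    return quote(str(value), safe="-._~")


def signature_base_string(method, url, params):
    """METHOD & encoded base URL & encoded, sorted 'k=v' parameter string."""
    parsed = urlparse(url)
    base_url = f"{parsed.scheme}://{parsed.netloc}{parsed.path}"
    encoded = sorted((pct(k), pct(v)) for k, v in params.items())
    normalised = "&".join(f"{k}={v}" for k, v in encoded)
    return "&".join([method.upper(), pct(base_url), pct(normalised)])


def sign(method, url, params, consumer_secret, token_secret):
    """HMAC-SHA1 over the base string, keyed by both secrets joined with '&'."""
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    digest = hmac.new(key, signature_base_string(method, url, params).encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()


def build_signed_request(method, url, body_params, access_token, token_secret, nonce=None, timestamp=None):
    """Client side: produce the oauth_* parameters for one request. No password involved."""
    oauth = {
        "oauth_consumer_key": CONSUMER_KEY,
        "oauth_token": access_token,
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_timestamp": str(timestamp if timestamp is not None else int(time.time())),
        "oauth_nonce": nonce if nonce is not None else secrets.token_hex(8),
        "oauth_version": "1.0",
    }
    all_params = {**body_params, **oauth}
    oauth["oauth_signature"] = sign(method, url, all_params, CONSUMER_SECRET, token_secret)
    return {"method": method, "url": url, "body": dict(body_params), "oauth": oauth}


def demo_token_store():
    """Server-side record of tokens issued to applications (constructed data)."""
    return {"tok-abc": {"user": "briankelly", "secret": "token-secret-example", "revoked": False}}


def verify_request(req, tokens):
    """Server side: recompute the signature with the stored token secret and compare."""
    oauth = dict(req["oauth"])
    presented = oauth.pop("oauth_signature", "")
    record = tokens.get(oauth.get("oauth_token"))
    if record is None or record["revoked"]:
        return False
    expected = sign(req["method"], req["url"], {**req["body"], **oauth}, CONSUMER_SECRET, record["secret"])
    return hmac.compare_digest(expected, presented)


def revoke(tokens, token):
    """Shut out one application without touching the user's password."""
    tokens[token]["revoked"] = True


if __name__ == "__main__":
    store = demo_token_store()
    req = build_signed_request("POST", API_URL, {"status": "hello"}, "tok-abc", "token-secret-example")
    print("genuine request accepted:", verify_request(req, store))
    req["body"]["status"] = "take the iq quiz here"  # tampering invalidates the signature
    print("tampered request accepted:", verify_request(req, store))
```

Note that `verify_request` rejects a tampered body and a revoked token while the user's password appears nowhere in the exchange; that is the property the password-sharing model in the previous paragraph cannot offer.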

It Was Phishing!

Chris Sexton was another victim of the Twitter spam. As she described in a post entitled “Gone Phishing”, the problem was actually due to “a very straightforward phishing scam”. It seems that we may have followed a link which took us to a spoof Twitter login page, and this was how our passwords were stolen. Further details are given in a post on “How to prevent your Twitter account from being hacked!”.
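The spoof login page works only because the victim does not look at where the page is served from. As an added example (not part of the original post and not anyone’s product), the following is the kind of check a cautious user, a browser extension or a corporate proxy can apply to a URL before a Twitter password is typed into it: it insists on https, refuses the user-info trick (`https://twitter.com@evil.example/`), refuses non-ASCII and punycode hosts, and catches both “twitter.com” embedded in a longer domain and confusable spellings such as tw1tter.com. The list of legitimate hosts, the confusable map and every URL are constructed for the illustration.

```python
from urllib.parse import urlsplit

# Assumption for this example: the only hosts a Twitter password belongs on.
LEGITIMATE_HOSTS = ("twitter.com",)

# Crude confusable-character map; real tools use Unicode confusable tables.
CONFUSABLES = (("vv", "w"), ("rn", "m"), ("1", "i"), ("0", "o"), ("3", "e"), ("5", "s"))


def normalise(host):
    """Fold common character substitutions so tw1tter.com compares equal to twitter.com."""
    host = host.lower().rstrip(".")
    for lookalike, genuine in CONFUSABLES:
        host = host.replace(lookalike, genuine)
    return host


def is_legitimate_host(host):
    """Exact match or a subdomain of a legitimate host (api.twitter.com, not twitter.com.evil.example)."""
    return any(host == legit or host.endswith("." + legit) for legit in LEGITIMATE_HOSTS)


def check_login_url(url):
    """Return (accept, reason) for a page asking for the Twitter password."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        return False, "login page is not served over https"
    if "@" in parts.netloc:
        return False, "user-info before '@' hides the real host"
    host = parts.hostname
    if not host:
        return False, "no host in URL"
    if not host.isascii() or "xn--" in host:
        return False, "non-ASCII or punycode hostname (possible homoglyph)"
    host = host.lower().rstrip(".")
    if is_legitimate_host(host):
        return True, "host is " + host
    if is_legitimate_host(normalise(host)):
        return False, "confusable lookalike of a legitimate host: " + host
    for legit in LEGITIMATE_HOSTS:
        if legit in host or legit.replace(".", "-") in host:
            return False, "legitimate name embedded in another domain: " + host
    return False, "unknown host: " + host


if __name__ == "__main__":
    # Constructed sample links of the kind a phishing DM might carry.
    for link in ("https://twitter.com/login",
                 "https://twitter.com.iq-quiz.example/login",
                 "https://twitter.com@iq-quiz.example/login",
                 "https://tw1tter.com/login",
                 "http://twitter.com/login"):
        print(link, "->", check_login_url(link))
```

The ordering matters: the legitimate-host test runs on the raw host first, so a genuine subdomain is accepted before any lookalike heuristics fire, and the heuristics only ever downgrade, never upgrade, a verdict.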

Lessons

As Chris described: “I use tabs in my browser and have lots open at once, and sometime in the next few minutes went to one which looked like a Twitter log in screen – so I typed in my user name and password. Duh.” Indeed. And like Chris I have multiple tabs open and use multiple devices. We’ve both learnt a lesson about the dangers of too much multi-tasking!

But Let’s Not Forget Other Risks

This episode may have proved helpful in providing a reminder of the dangers of phishing sites, and I hope this post proves helpful to other Twitter users. But there are additional risks to be aware of. For example, your Twitter account could be compromised if you lose your mobile phone, or leave it unattended while logged in. And, as we have seen with email spam, posts could potentially be spoofed so that they appear to have been sent from your account. So there’s also a need for one’s followers to be aware that Twitter posts may not have been sent by the owner of the account.

