I wrote a post a while back titled Your Twitter security is an egg, not an onion, explaining how Twitter only has one front door, like your house, and if you let people in, you let them in – after which they have access to everything, including your Direct Messages.
A few months after that, Twitter finally changed its security model and now it makes a distinction between complete access, or access to the account without Direct Messages
A little bit better, but still a major failure – as just got proven by spammers
http://www.twitterscore.co.uk (intentionally not a clickable link) is the worst crapware site I’ve seen around Twitter so far. In fact, it needs to be destroyed, that’s how bad it is – let me explain.
Twitter lets you authorise other applications via a secure authorisation mechanism called oAuth. The great benefit is that you authorise that application from within your twitter application – no passwords exchanged.
If you change your password (or even username, together called credentials) in Twitter, authorisation in between Twitter and the other application is not modified.
So, not only does the other application have no access to your password, but it also doesn’t need to be kept up to date with your credentials
Now, what happened with this new oAuth? And how did this site take advantage of it? Apparently, Twitter’s new oAuth forces you to decide about access to Direct Messages but that’s it. I thought that was pretty smart but I’ve now changed my mind – here is the authorisation you give away period:
You can see the options:
- Read tweets from your timeline
- Check who you are following, and add new people to that
- Change anything in your profile
- Tweet in your name
- (NOT) “Access” your direct messages
- (NOT) See your twitter password
Now why is this list so very unsatisfactory? For many reasons.
First, if you look at your Twitter web tabs, here is what they give you under Settings:
- Account: user name, email, geo, language, timezone, etc
- Password: neither old Auth nor oAuth ever had access to that
- Mobile: your mobile number and the country it’s used in
- Notifications: email actions upon messages, activity and update events
- Profile: picture, name, location, website, bio, link to FB
- Design: your twitter web background
- Applications: all applications that have access to your Twitter account
and then on the Home page you can tweet, @reply, and view profiles of others, etc.
Next to that there is also a menu item called Profile, one called Messages, and even one called Who To Follow.
Can you match that with the above? No, absolutely not. So, what do we give away when we authorise an application? Simple: everything including full Direct Message access, or everything excluding full Direct Message access
Now take the Facebook permission model, in essence the same: a layered authorisation model where multiple specific premissions have to be granted by the user, with only a very few basic permissions that don’t need authorisation. Better? Way better
So, Twitter, let’s cut this post short please. What have the spammers done? They gained authorisation in the new way, where the application doesn’t even have access to Direct Messages. But:
- They forced everyone to follow @clare2284 who is suspended by now thanks to relentlessly being reported for spam by everyone I told to do so;
- They changed the website in your Twitter bio to point to their website: http://qr.net/fwps (again, not a clickable link on purpose)
- They made you tweet: “OMG I have spent 16:45 Hours on twitter!!, Find out how much time youve spent on twitter http://qr.net/fwps” or something like that, where the number of hours and minutes almost always is fixed
They did all that, with the minimum set of authorisation currently possible in Twitter.
So, you couldn’t have give them less access to your twitter account, yet they did all that.
How to undo all this?
- First, revoke the Access you’ve granted. Go to Twitter web, and your Application Settings: https://twitter.com/settings/applications and Revoke Access to all applications you don’t know of – (you should do this on a two to three-monthly basis anyway)
- Second, go to your profile and fix your website: https://twitter.com/settings/profile
- Third, check who you follow: this spamware application will probably change the default follow now the account has been suspended. If you follow on a normal basis, checking the last 3-5 should be enough
The bot now uses as URL: http://qr.net/fy03
It now forces you to follow: John Colt (please just go ahead and report him for spam, thank you)
This will change on a daily basis and probably even faster. Bots will keep tweeting old and new URLs, and this will become very ugly very soon unless we all stay sharp. Please fix your own account if it got compromised, and help others too. Nothing to be embarassed about, trust me. I’ve been a techy for 30 years, and caught as well…
Twitter, this is just a little guy exploiting your sloppy permission architecture in an immature way. Fix this before someone really hurts the TwitterSphere – let me tell you, it is very, very easy this way.