That was a rather short version of the original tweet, including my comment. It led to a few other tweets, and my general awareness that people really don’t think straight in this case. I think gullible is the right word.
Behold the picture above: it is an example of a third party application asking to have access to your Twitter account. The beautiful OAuth architecture allows this without giving up your username and/or password to that same third party application – but it ends there.
If you allow someone access to your house, what do you think that means? There’s only one front door, right?
If you allow someone, e.g. from the help desk, access to your PC, what do you think that means? There’s only one PC there, right? And you’re both talking about the same one? Check.
Maybe your house has doors that are permanently locked, and the key is not in sight or conveniently under the door mat.
Maybe your PC has encrypted files or directories you can’t access without having to enter, every single time, your 64-bit, 72-character-long, illegible and secret password.
Highly likely, none of that applies to you. Your house is an egg, not an onion, and so is your PC. In security models, an egg, with its very hard shell, represents a single barrier between the inside and the outside that is very hard and tough – but once you’re in, you’re in. Another model is the onion, with its many layers, which represents multiple barriers between the inside and the outside: each layer is soft and relatively easy to penetrate, but they come in large numbers – once you’ve made it through the first one, you only have access to a small part of the entire inside.
Twitter is an egg, not an onion. And you knew that already but only assumed it wasn’t.
How much room for interpretation is left by the exemplary screenshot above? It is asking to be allowed access. Regardless of your thoughts, feelings, assumptions, what does it say really? It is asking for access.
What kind of access, really? Well, just access.
How many types of access to your Twitter account do you know of, really? Come on now, you can do it – yes, yes?
That’s right: there is only one type of access to your Twitter account that you know of. You enter your username and password, access your account, and you have full control.
So. What makes you think this type of access is any different?
I’ll allow for one excuse: seriously lousy application development over the last decade has made us all message-fatigued. Even business users read none of the messages they get from an application; they just click their way through. Still, it’s them who do so.
Pay attention to the messages you’re getting: trust me, it pays off in the end.