Your Twitter Account Has Been Hacked... And *You* Are To Blame?

[Paul Hancox]

Hi Folks

OK, this has been on my mind for a while now. What I'm about to say isn't
going to be popular with some people - but I've got to say it, anyway!

Andy Beard recently posted on his blog about the spate of new tools and
"viral" scripts that require your Twitter (or Gmail) password in order to
use it.

He is seriously concerned about the security risks - and quite frankly, so
am I.

Now, please understand... my problem IS NOT so much with the scripts
themselves. Most of them claim NOT to store the password provided by
the visitor, and I have no doubt those claims are true.

Here's my problems with them... Let me paint you a picture:

Jo is a scammer. He sets up a perfectly legitimate looking site, offering
internet marketers a load of bonus products for free, in exchange for their
Twitter username and password.

He provides a form, using a recognizable viral Twitter tool, and you type
in your details, because you trust the tool.

Unfortunately for you, Jo is NOT really using the actual tool, but simply a
form which LOOKS LIKE IT.

You have just given Jo the scammer your Twitter password. Oops. 10 days
later (when you've likely forgotten which site(s) you've used to collect all
kinds of cool bonuses... your Twitter account is suddenly hijacked.

You don't know why. But Jo does.

You gave him the keys.

That is my problem.

If Jo hacks into your account, aren't you at least partly to blame because
you gave him your password?

As people become more accustomed to doing this (i.e. giving out their
Twitter password), surely they're increasing the chances they will bump
into an unscrupulous person like Jo on the Internet.

Of course, that means you should only give it out to sites that you trust.

The problem there is, many people don't follow this - they give it out to all
kinds of sites because they want the bonus or convenience being offered.

That is why, personally speaking, I will almost never give my Twitter
password out to ANY site. If I HAVE TO, I will temporarily change my
password first, and change it back again when I've finished.

In fact, I am in the middle of writing a viral tool for Twitter that does NOT
require anybody's password - partly because I'm a capitalistic Warrior, but
partly because I'm getting pretty worried by the growing trend for scripts
and forms that ask for passwords...

... quite frankly, it's got to stop! (In my humble opinion, of course.)

So how do you feel about this issue?

As I said at the outset, I don't think this is going to be a popular
viewpoint, because an increasing number of marketers are using such
scripts and plug-ins.

I have no doubt the people using them are honest. BUT... could this
increasing number of people be conditioning the market to do something
they shouldn't be doing, i.e. giving out passwords to their accounts?

[bizarizona]

It seems many of those sites are finally getting on the Oauth bandwagon. Most of them haven't been because Twitter was dragging their heels.

I don't know much about Twitter marketing tools, but I do use a few Twitter tools to manage my Twitter horde. Just in the past week I've seen almost every other Twit tool out there finally adding the secure login.

I think it's good practice to change your password very regularly anyway.

[Paul Hancox]

Great reminder about changing passwords. As for secure login, isn't it interesting... most people would *insist* on Gmail or Twitter themselves having a secure login facility, yet they may happily give their password out through an UNSECURE form on somebody's site! :O

[Tyrus Antas]

There is no real reason to require passwords. All developers can use the OAuth api in which users are required to give manual permission for a website to access their account while not needing to give away their password:
Twitter API Wiki / OAuth FAQ

Tyrus

[AndyBeard]

You know you can always trust warriors, so we are going to do a little experiemnt

Please post below your real:-

Gmail username & password

Twitter username password below


No?


Ok send them to me in a PM, you know you can trust me with the keys to your business

All those domain registrations
Hosting accounts
Adsense
Adwords
Paypal....

Still no?

So why would you trust anyone running an invite script on a poorly secured shared server, running GPL scripts which have security holes patched every week?
I think Paul's scenario is actually less likely, because there is that trust barrier. Much better to find someone who is trusted and hack their server.

Maybe they are even using the script as part of their affiliate promotions - you can get paid to send traffic to a hacked script, and collect all the details for your own devious plans.

Security holes?

As an example, I could look for anyone running old Wordpress versions, especially if they are using WordPress as a membership site, or maybe some of the scripts sold in the WSO section that have been knocked together by freelancers or are not much better than alpha.

Just at random I checked one site, saw it was WP 2.61

Googled Zero day Wordpress 2.61

Lots of security warnings advising upgrades to 2.62

The fun part is if someone hacks one script, they can potentially gain access to not just the hosting account, but the whole server.

The most dangerous part which Paul highlighted brilliantly is the psychological effect - you become accustomed to handing these things out, as if it is the same as an email address.

People have made fortunes selling you viral tell-a-friend scripts which are a liability, and there have been solutions to make them safe for 9 months.

[Darrel Hawes]

People need to be vigilant about phishing schemes.

One helpful tool I've used is McAfee Site Advisor.

[ladyshadowrider]

Here's a true story that happened to me recently.

Someone I trust posted on a private forum asking for people to test out a retweet plugin he'd just installed on his blog. Since he was someone I've known online for several years, I went to his blog and tried it out by entering my login info into the form to retweet his blog post.

Within a couple of days I started getting 5, 10, 15 new followers, which I thought was pretty cool, at first.

When I went into my twitter account, I discovered that several of my most recent tweets were gone and that every new follower (most of which was twitter spam) had somehow gotten my account to automatically follow them!

I immediately changed my password and began clearing out the spam. Haven't had any problems since, so can only "assume" the retweet plugin was the culprit.

It could have been worse and I'm sure the guy who's blog I retweeted had no idea that this would happen.

So, not only should we be careful about where we enter our login info, but we need to be careful about the twitter tools we use on our sites.

HTH,
Tamara

[AndyBeard]

Darrel, McAfee isn't going to help you if the site is owned by one of your clients who you trust

The site is exactly who they claim to be, they are not installing anything on your system, just asking for your details in exchange for a bonus.

But unknown even to the site owner, someone might have hacked their way into WordPress, maybe through an insecure plugin.

That in itself isn't a major problem, there are daily backups, if it happens it is forgivable, even if the hacker gained access to email addresses.

The hacker might also get hold of one Twitter account, because most Twitter plugins store passwords in the MySQL database.

But why raid the pantry when there is a huge stack of gold in the next room, a simple form, asking someone to tell their friends about the site in exchange for an exclusive additional bonus.

The hacker just modifies 2 lines of code, and instead of functioning just as a TAF script, it also stores all the data somewhere, or immediately sends it to another server and database, or sends it by email to an anonymous email address.

[Steven Fullman]

Quote:

Originally Posted by Paul Hancox

If Jo hacks into your account, aren't you at least partly to blame because
you gave him your password?

Partly to blame?

What are you, Paul...some kind of...ohhh...this stuff makes me come out in goddamned HIVES...Blame?

I'm not partly to blame for any of it.

AT ALL.

No.

I'm completely at fault for giving away my details to an untrusted source.

It's MY fault.

And YOURS if you do the same.

Nice post, you brummie *******

...Joke...

That reminds me (or have you induced me...), I must catch up on Video #3...

...And talking of hypnosis...have you seen the Awareness Test?

Cheers,
Steve

[Mary Green]

I agree with your comments about twitter tools. I get uncomfortable having to put in my password as well. I am looking forward to the twitter tool you are making, you should start a list of people to send it to.

Mary Green

[stevenh512]

Of course, if you give out any of your passwords and your account gets "hacked" (I consider that more a "social engineering" exploit than an actual hack, but let's not argue semantics here lol), it's your own fault. We've all been told by every website we've ever signed up for since we got online (banks, email accounts, forums, membership sites) to keep our passwords safe.

That being said, I think at least part of the blame here has to be put on Twitter for releasing an API that required username and password for authentication. They have OAuth now, but it's too late, the damage has been done. All these dozens of scripts are already out there "in the wild" asking for people's Twitter username and password. Even if the authors of these scripts upgrade them to use OAuth, that doesn't guarantee that the sites who already have the scripts up and running are going to upgrade them, so no matter what you'll still have sites "training" people to freely give out their Twitter password in exchange for some cheap ebooks or a promise of "thousands of followers in a month" or whatever the case may be. At this point the only way to solve the problem (since people will continue entering their password as long as these sites exist) is for Twitter to completely eliminate username/password authentication in their API and require all apps to use OAuth.

[Carl Pruitt]

Given the ingenuity hackers have always possessed, our online security is tenuous enough without leaving the doors unlocked.

I've been almost as concerned with the glut of different FB apps and other services wanting my email password to bring in my contacts. I choose not to participate in that, but quite a lot of information is revealed to FB apps when your friends allow them access. Information which could help enable hackers to guess passwords. (Hint: don't use any combination of the elements of your birthdate in any passwords.)

[Eric Lorence]

Maybe 20% of the ones reading this thread, and newbie webmasters in general, have any understanding of web security... GPL? SQL? wad dat?

I fully agree with Andy, some of the most "trusted" sites pose the most risk... Gmail??

You almost need to have a "throw away" identity to use online anymore.

And maybe that site owner did have every intention of stealing your Twitter account (hypothetically), how well can you ever know them?

[AndyBeard]

Steven, Twitter certainly can be blamed in part, but remember that many of these applications just want your password to send a tweet, not check who you follow, add follows etc.
Verification that you sent a tweet can be achieved just by monitoring your timeline or a #hashtag, and you can be required to follow an account to receive an DM.

With Tell A Friend scripts, the APIs for Google, Yahoo and MSN have been around for 9 months or so. It has taken some large sites a long time to implement them, but there are also services that provide ready made drop in code.

Plus there is no real need to use APIs anyway, all major services support mailto: with encoded email title and body contents, and you can provide a unique tracking link for each person, passing through a separate domain.
Then the user is really using their own email system to send the email to their friends.

[stevenh512]

Quote:

Originally Posted by AndyBeard

Steven, Twitter certainly can be blamed in part, but remember that many of these applications just want your password to send a tweet, not check who you follow, add follows etc.
Verification that you sent a tweet can be achieved just by monitoring your timeline or a #hashtag, and you can be required to follow an account to receive an DM.

There's no need to get someone's Twitter password just to send a tweet, but you're right, a lot of the "viral" scripts do ask for a password just to do something that could just as easily be done with a standard HTML link.

If I want to verify (through the API) that someone actually sent a tweet from my website, for example to give them a "gift" for tweeting something, I can do that by putting @myname somewhere in the tweet and having my script log into the API through my own Twitter account to check my @replies. I wouldn't need the end-user's Twitter password at all, just their user name.

Twitter has to take some of the blame for the problem here because of the way they designed their API.. but the same can be said for the authors of some of these viral scripts that use the API in ways that aren't really necessary to accomplish whatever the script needs to do. But ultimately, like I said before, if you give out your password to anyone and your account gets hacked it's your own fault, you should know better.

[Darrel Hawes]

Andy,

Thanks for the clarification. I clearly need to understand this issue better.

But Site Advisor is still a good first line of defense against "known" phishing sites that might not be immediately obvious to the casual web surfer.

Quote:

Originally Posted by AndyBeard

Darrel, McAfee isn't going to help you if the site is owned by one of your clients who you trust

The site is exactly who they claim to be, they are not installing anything on your system, just asking for your details in exchange for a bonus.

But unknown even to the site owner, someone might have hacked their way into WordPress, maybe through an insecure plugin.

That in itself isn't a major problem, there are daily backups, if it happens it is forgivable, even if the hacker gained access to email addresses.

The hacker might also get hold of one Twitter account, because most Twitter plugins store passwords in the MySQL database.

But why raid the pantry when there is a huge stack of gold in the next room, a simple form, asking someone to tell their friends about the site in exchange for an exclusive additional bonus.

The hacker just modifies 2 lines of code, and instead of functioning just as a TAF script, it also stores all the data somewhere, or immediately sends it to another server and database, or sends it by email to an anonymous email address.

[Paul Hancox]

Quote:

Originally Posted by AndyBeard

I think Paul's scenario is actually less likely, because there is that trust barrier. Much better to find someone who is trusted and hack their server.

Andy, you're right about the "trust barrier", although that might go out of the window for many people if the bonus being offered is good enough ... at least for the viral scripts.

On the other hand, if the trust isn't there, then it makes one wonder about the usefulness of such "viral" scripts.

As you pointed out in your blog post, requesting the password is (in viral marketing terms) FRICTION at the best of times.

But if the "trust barrier" stops people from using that viral form altogether, it's not even friction... it's a BRICK WALL

Quote:

The most dangerous part which Paul highlighted brilliantly is the psychological effect - you become accustomed to handing these things out, as if it is the same as an email address.

Yes, and that's the key... a password is not an email address. It's the KEY to your car, or house.

You might give a person your address (maybe to post you a letter), but would you give them the keys to your house?

[Paul Hancox]

Quote:

Originally Posted by Eric Lorence

And maybe that site owner did have every intention of stealing your Twitter account (hypothetically), how well can you ever know them?

Precisely. Also, can the script itself be altered by the site owner so that it *can* store the visitor's password? That's a question I'd ask if I was using such a script.

[sellingonline]

Paul, I just wrote a long reply giving information on how to "go around" some of those tools and after writing thought it would be good to make it a single thread to get more people to see it - thanks for bringing this issue up (I linked to this thread from there too) - it's a serious problem & something I truly care about.

Here the posting:

[Voting included] Weapon/Security against *Viral Tweets* & similar password-sucking "twitter-tools"

And no, I never ever EVER give out passwords on sites other than the original site - that would indeed be like giving away a CC-PIN and who would do that to "get a free report" or "watch a sales video"?? Who?? Exactly

[sbucciarel]

Quote:

Originally Posted by Paul Hancox

I have no doubt the people using them are honest. BUT... could this increasing number of people be conditioning the market to do something
they shouldn't be doing, i.e. giving out passwords to their accounts?

lol .. I don't take Twitter seriously enough to worry about getting hacked. I'd just create a new account. It's not like I've got a Problogger or Oprah Winfrey account. Just a lame old twitter account that I barely use.

[dsmpublishing]

I have come across a lot of fakes on twitter and as a result the only tool ive handed out my password to is tweetlater and tweetmyblog via my blog to automate my blog posts.

That is it the rest of them i dont know enough to risk my followers over.

But thats not the risk - think of the ebay days......

how long before you get conned by joining a fake phlishing site or get what you think is an email from twitter but its fake and you hand over the details without thinking the next day your account isnt accessible and youve just spammed your followers!!!

kind regards


sam
X