dinsdag 25 september 2012

Your Twitter ID as a source for Twitter spam

I'm getting more and more spam in my Twitter timeline or in my twitter direct message mailbox. And these tweets come from my own twitter friends. And I'm not alone in this. Many others mention this as well.
Tweets like this: “GET MORE FOLLOWERS MY BEST FRIENDS? I WILL FOLLOW YOU BACK IF YOU FOLLOW ME” or direct messages like “lol ur famous now [link]” will in most cases link to malware infected sites.
And now and then a twitter friend reports that his twitter account was hacked.

I don't believe that this is the case. Accounts don't get hacked easily. Of course a pc could be infected with malware, with keyboard sniffers and password stealers, but apart from that, hacking an account is not that easy. Proof? Even security professionals became the source of twitter spam messages.

If your account was not hacked, how can this spam flood happen?
Tweets defininately come from a trusted person. But since there is no way that you can create a tweet with a faked sender address, these spam messages really come from your friends.
On his blog (http://nakedsecurity.sophos.com/2011/06/23/beware-shortcuts-for-getting-more-followers-on-twitter/) Graham Cluley from Sophos explains how these tweets happen. These tweets come from services that you(!) allowed access your twitter account. And these services may well do other things than you wanted them to.
Twitter can be used as an identity provider. It uses the underlying oauth protocol to authenticate twitter users for different services on the internet. And this feature is not only available on pc's but also on mobile phones. Very practical: if you use your twitter account you don't have to login using a user name and a password. All that is required is that you tell twitter to allow access for the external service. And in fact you allow the external service to post messages on your behalf.
Through this link ( https://twitter.com/settings/applications ) you can check what apps you trust to post on your behalf.

Do you really trust all these apps? My advise: You better revoke all unknown or unused apps. And btw: if I receive a strange tweet from your twitter account, I will use a second channel (like LinkedIn, or mail) to advise you to clean your twitter trusted app list.
Een reactie plaatsen