Caught by a Spy – Easier Than it Sounds
If you are a regular Twitter user, you might have noticed that half of the world seems to have become a spy catcher of late. It turns out that catching a spy via Twitter is easier than you might think. It also has consequences for social capital, information security and general communication noise too.
You are a very fortunate individual if you have escaped the torrent of (somewhat spammy) messages from the spy catcher application. It is doing a rather good, and therefore bad, job of turning Twitter into Facebook – or rather the bad old Facebook of a while ago, with the legendary sheep throwing, pirates, vampires and sea of noise generated by that genre of social applications.
Got You! Via Twitter
The success of Spycatcher is a proof point of another unsettling trend: notice how easily people hand over their usernames and passwords to a relatively unknown (and potentially untrusted) third party.
There has been a long-term problem with Twitter third party applications. The first generation of applications required users to enter their username and password on the third party site, where they were stored, so that the third party could get access to the user’s Twitter stream to do whatever wonderful things it did. It sounds relatively innocuous, but actually it sets a rather bad precedent. It is referred to as an anti-pattern, a commonly used bad solution to a problem. It is bad because it teaches people how to be phished.
From Catching Fish to Helping Phishers
Phishers spend their time trying to get users to hand over password details so that they can gain access to accounts. Twitter has a bad anti-pattern problem, and it knows it, since the Twitter ecosystem trains users to hand over their security details to third parties. To tackle the issue, Twitter has added OAuth to the service. It provides a way for third parties to validate users without storing the username and password. However, this doesn’t solve the whole problem. People are still handing over passwords. So, back to catching those spies…
Increasingly third party Twitter applications are not only logging in to pull down information, but they are actively sending tweets from users accounts (including @ messages and Direct Messages) on behalf of, and in the name of, the user. And why wouldn’t they? If a developer can get away with using a bit of a user’s social capital to promote their application, they probably will. Spycatcher is a particular case in point.
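The two integration patterns the last two paragraphs contrast, as an added toy model that is not code from the original post and has nothing to do with Twitter’s real API: in the anti-pattern path the application stores the user’s password and so holds the whole account; in the delegated path (the OAuth idea, heavily simplified) the user logs in at the service itself and the application only ever sees a token bound to an app id and a list of permitted actions, which the service can revoke without touching the password. All names, scopes and credentials are constructed for the example.

```python
import secrets
from dataclasses import dataclass, field


@dataclass
class Service:
    """Stand-in for the service the user actually has an account with (constructed example)."""
    passwords: dict = field(default_factory=dict)   # user -> password (plaintext only because this is a toy)
    tokens: dict = field(default_factory=dict)      # token -> (user, app_id, scopes)
    audit: list = field(default_factory=list)       # (user, app_id, action) for every accepted action

    def register(self, user, password):
        self.passwords[user] = password

    def password_session(self, user, password):
        """Anti-pattern path: whoever holds the password gets the whole account."""
        if self.passwords.get(user) != password:
            raise PermissionError("bad credentials")
        return ("password", user)

    def authorize_app(self, user, password, app_id, scopes):
        """Delegated path: the user authenticates at the service, never at the app,
        and the app receives a random token tied to its own id and a fixed scope set."""
        self.password_session(user, password)          # the app never sees these two values
        token = secrets.token_hex(16)
        self.tokens[token] = (user, app_id, frozenset(scopes))
        return ("token", token)

    def act(self, credential, action):
        """Perform an action (e.g. 'read_timeline', 'send_dm') with either kind of credential."""
        kind, value = credential
        if kind == "password":
            user, app_id = value, "password-holder"   # the service cannot tell which app this is
        else:
            if value not in self.tokens:
                raise PermissionError("token revoked or unknown")
            user, app_id, scopes = self.tokens[value]
            if action not in scopes:
                raise PermissionError(f"{app_id} was never granted {action}")
        self.audit.append((user, app_id, action))
        return True

    def revoke_app(self, app_id):
        """Kill every token issued to one app id; no user password changes."""
        doomed = [t for t, (_, a, _) in self.tokens.items() if a == app_id]
        for t in doomed:
            del self.tokens[t]
        return len(doomed)


def run_scenario():
    """Walk through both patterns and return the observable outcomes."""
    svc = Service()
    svc.register("benjamin", "hunter2")               # constructed credentials
    results = {}

    # 1. Anti-pattern: the app (or anyone who stole its database) holds the password,
    #    so it can send direct messages in the user's name.
    session = svc.password_session("benjamin", "hunter2")
    results["password_can_dm"] = svc.act(session, "send_dm")

    # 2. Delegated: a read-only grant can read the timeline but cannot send DMs.
    grant = svc.authorize_app("benjamin", "hunter2", "spy-game", ["read_timeline"])
    results["readonly_can_read"] = svc.act(grant, "read_timeline")
    try:
        svc.act(grant, "send_dm")
        results["readonly_can_dm"] = True
    except PermissionError:
        results["readonly_can_dm"] = False

    # 3. The app goes rogue: revoke its id. Its token dies, the password still works.
    results["revoked_count"] = svc.revoke_app("spy-game")
    try:
        svc.act(grant, "read_timeline")
        results["after_revoke_read"] = True
    except PermissionError:
        results["after_revoke_read"] = False
    results["password_still_valid"] = svc.password_session("benjamin", "hunter2") is not None

    # 4. The audit trail names the app for token actions; password actions are anonymous.
    results["audit_apps"] = [app_id for _, app_id, _ in svc.audit]
    return results


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

The point the model makes is not that OAuth stops a user from approving a bad application, but that approval becomes a separately revocable, scoped grant with the app’s identity in the audit trail, whereas a handed-over password is indistinguishable from the user and can only be cleaned up by resetting it.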
From Bad to Worse
The annoying messages it tweets are one thing, “captured this”, “assassinated that”, they can be blocked. However, over the weekend things took a turn for the worse when I started getting private direct messages from the people I follow asking me to join. Now, either my friends have suddenly all switched to the same writing style, or these were automated DMs. I’ll let you take your pick.
Twitter direct messages are my most trusted communications channel, since only people I have chosen to follow can send me messages (oh that my mobile phone was the same), and the messages generate alerts in near-real-time. So, when people start spamming me via that channel I sit up and take notice. There is another reason too. Because URLs that arrive via that channel are usually from a trusted human, I tend to trust the links. I shouldn’t of course, and neither should you. Combined with anti-pattern behaviours, it is all too easy to receive a DM with a link and a “Benjamin, use your Twitter ID to check your security here” – you can see where that heads. If I was being dozy, 5 minutes later all of the people who follow me would be getting the same message. Injecting malware, or carrying out phishing attacks, is all too easy. People need to realise that the Twitter stream is part of their on-line identity, and to guard security credentials well. It was a little while back that Britney Spears and Barack Obama had their login details compromised.
What to learn?
- Don’t hand over your user name and password unless you are 100% sure where they are going, and what will be done with them.
- Use different passwords for different services. That way any damage should be limited to one service. If your Twitter password is the same as your on-line banking one, fix that quickly!
- Change your passwords every so often. Yes, I’m sounding like the moaning IT guy, but this does make a difference to your security.
I expect to see more and more applications using the social capital of their users to promote them – that has been the model on Facebook, and now it’s coming to Twitter. As for Spymaster, I’m not sure if it should be called spam master rather than spymaster (if you want to play, please turn off the notifications; I hate having to unfollow people). I’m surprised there hasn’t been a bigger backlash against it.
Perhaps it is a sign of the shifting user. We have reached the “sheep throwing” phase of the social networking platform life cycle. I’ll take it as a sign of Twitter entering adolescence already.
All true and good advice, but Spymaster doesn’t require you to hand over your username and password!? It uses Twitter’s new oAuth authentication.
It does indeed, although that makes my point about OAuth not fixing the problem completely. It is better, but how many users can tell the differences between OAuth and a good Phishing set up?
Nothing at all but that doesn’t make people work better, just scares them away from using all technology.
IMHO the first part of security is having the audit trail in place so that if/when something happens you can track it, trace it and put the relevant fixes in place.
You are right, that oAuth doesn’t fix anything at all but it does give you MUCH finer detail on what, when and where a bad apple is.
Currently if a bad app goes rogue and starts spamming, Twitter (the company) has to go through everyone’s feeds deleting the spam messages and resetting users’ passwords. They may block the spammer’s IP address but the spammer still has usernames and passwords and moves around until they get bored. You can see evidence of that on @twitter.
With oAuth they just ban the oAuth ID and problem fixed.
oAuth doesn’t fix everything, apps will still go rogue but I would rather play with fun apps than none at all 🙂
Phishing is much more secure through oAuth than username & password. By default you must go to Twitter to authenticate the oAuth details; sure, you can send them to a fake Twitter page with oAuth details, but then you won’t have real access to their Twitter account and so it is pointless.
I didn’t mean to be that harsh on oAuth – it is much better than what people were doing before. It has the added advantage that you don’t have to continually re-authenticate, and the way most people implement it, it is fairly straightforward to go in and “unauthenticate” an application – very good point that Twitter can also do this themselves. I love the way that Flickr handles the process in their user interface. FireEagle also had an interesting model, in that you could access the third-party apps from the FireEagle site. A looser version of the Apple Store model (where applications are vetted, give or take the occasional accidental bit of baby shaking).
With my old enterprise hat on, I’d agree with you about audit trails, but here’s the problem with social media: You can do massive damage in just a few seconds (see the Britney episode), and fixing the problem afterwards doesn’t help. For “brands” – i.e. companies with value in their name, beyond just their products – this is a huge issue (or at least it should be). Many of the people running social media activities for them don’t have the benefit of an information security background – we are uniquely encumbered from that point of view 😉 – and use the third party tools to follow people back etc. Quite worrying.
It is going to be an interesting new phase for Twitter, which has blended the work and personal lines more than any other social app so far. How trusted are messages from it? Is it for games? Is it for person to person communication? People use it for both, but applications like Spycatcher are going to cause friction between some sets of users!