If you are a regular Twitter user, you might have noticed that half of the world seems to have become a spy catcher of late. It turns that catching a spy via Twitter is easier than you might think. It also has some consequences for  social capital, information security and general communication noise too.

You are a very fortunate individual if you have escaped the torrent of (somewhat spammy) messages from the spy catcher application. It is doing a rather good, and therefore bad, job of turning Twitter into Facebook – or rather the bad old Facebook of a while ago, with the legendary sheep throwing, pirates, vampires and sea of noise generated by that genre of social applications.

Got You! Via Twitter

The success of Spycatcher is a proof point of another unsettling trend: Notice how easily people hand over their username and passwords to a relatively unknown (and potentially untrusted) third party.

There has been a long term problem with twitter third party applications. The first generation of applications required users to enter their username and password on the third party site, where they were stored, so that the 3rd party could get access to the user’s Twitter stream, to do whatever wonderful things it did. It sounds relatively innocuous, but actually it sets a rather bad precedent. It is referred to as an anti-pattern, a commonly bad solution to a problem. It is bad because it teaches people how to be phished.

From Catching Fish to Helping Phishers

Phishers spend their time trying to get users to hand over password details, so that they can gain access to accounts. Twitter has a bad anti-pattern problem, and it knows it, since the Twitter ecosystem trains users to hand over their security details to third parties. To tackle the issue Twitter has added OAuth to the service. It provides a way for third parties to validate users, without storing the username and password. However, this doesn’t solve the whole problem. People are still handing over passwords. So, back to catching those spies…

Increasingly third party Twitter applications are not only logging in to pull down information, but they are actively sending tweets from users accounts (including @ messages and Direct Messages) on behalf of, and in the name of, the user. And why wouldn’t they? If a developer can get away with using a bit of a user’s social capital to promote their application, they probably will. Spycatcher is a particular case in point.

From Bad to Worse

The annoying messages it tweets are one thing, “captured this”, “assassinated that”, they can be blocked. However, over the weekend things took a turn for the worse when I started getting private direct messages from the people I follow asking me to join. Now, either my friends have suddenly all switched to the same writing style, or these were automated DMs. I’ll let you take your pick.

Twitter direct messages are my most trusted communications channel, since only people I have chosen to follow can send me messages (oh that my mobile phone was the same), and the messages generate alerts in near-real-time. So, when people start spamming me via that channel I sit up and take notice. There is another reason too. Because URLs that arrive via that channel are usually from a trusted human, I tend to trust the links. I shouldn’t of course, and neither should you. Combined with anti-patter behaviours, it is all too easy to receive a DM with a link and a “Benjamin, use your Twitter ID to check your security here” – you can see where that heads. If I was being dozy, 5 minutes later all of the people who follow me would be getting the same message. Injecting malware, or carrying out phishing attacks it all too easy. People need to realise that the twitter stream is part of their on-line identity, and to guard security credentials well. It was a little while back that Britney Spears and Barack Obama had their login details compromised.

What to learn?

  • Don’t hand over your user name and password unless you are 100% sure where they are going, and what will be done with them.
  • Use different passwords for different services. That way any damage should be limited to one service. If your Twitter password is the same as your on-line banking one, fix that quickly!
  • Change your passwords every so often. Yes, I’m sounding like the moaning IT guy, but this does make a difference to your security.

I expect to see more and more applications using the social capital of their users to promote them – that has been the model on Facebook, and now it’s coming to Twitter. As for Spymaster, I’m not sure if it should be called spam master rather than spymaster (if you want to play please turn off the notifications I hate having to unfollow people). I’m surprised their hasn’t been a bigger backlash against it.

Perhaps it is a sign of the shifting user. We have reached the “sheep throwing” phase of the social networking platfrom life cycle. It’ll take it as a sign of Twitter entering adolesence already.