Avoid TwitViewer Phishing: Use OAuth-Friendly Apps
By David Murphy
It came across my Twitter feed in the early morning, a sea of users all sending the same message: “Want to know whos stalking you on twitter!?: http://TwitViewer.net.”
The site, whose domain was registered today through an Arizona proxy service, promises a photo-gallery-like display of the last 200 people that came to your Twitter page. The cost for this service? Nothing, save for your Twitter user name and password. The catch? You just gave up your Twitter authentication credentials to a site you know nothing about. Proving this point, the site automatically sends the aforementioned message through your Twitter account sans permission and auto-follows you to the Twitter accounts of any of the random photos you click on–people who you’re led to believe visited your account.
Twitter itself now recommends that users who signed up for the “service” change their passwords. But it’s not like this suggested scam was unavoidable in the first place. In fact, there are two large barriers between you and any scamming site on Twitter: Your brain and OAuth.
It’s worth doing a little background research before you blindly toss away your primary login credentials to any Twitter-themed Internet service (or anything on the Internet, for that matter). Does the site looklegitimate? Your gut feelings might be more accurate than you first think. Is what the site’s offering even physically possible? I can’t think of way that a third-party site, using only your Twitter login and password, would be able to track other Twitter users that have clicked on your Twitter page.
As for OAuth, this is an authentication protocol for desktop and Web applications that’s designed to keep your login credentials secure from third parties. Applications that support OAuth don’t ask you for your user name or password directly. Instead, they send a request to Twitter and ask it for permission to access your account.
Instead of logging into a third party to deal with this request, you sign into your Twitter account through Twitter’s trusted servers as you normally would. The actual handshake for permissions takes place through Twitter. Once you’ve given the application access to do whatever, Twitter generates an access key for the app that can be configured based on varying levels of access or time. You control the approval process and terms, and you can even remove an application’s permissions after-the-fact.
Not all desktop and Web applications currently support OAuth, but it’s a far more secure method of giving third-parties access to your account than simply sending over your user name and password. If you have to do the latter, make sure that you implicitly trust the site to hold this information–and your account–in confidence. The TwitViewer situation affected even some of the more Net-savvy folk on Twitter: Don’t let it happen to you!