August 23, 2014
To: Twitter, Inc.
Dear Twitter Support Staff, I am tired of pointing out a serious threat in the way Twitter handles apps and the way support tickets are handled. It looks like you are not listening, and not even caring, about a serious issue you have with the TweetDeck app.
I work in IT, I have developed some apps for Twitter, I know about security and I know how Twitter's API works. I am not an easy target for spam: I always double-check the web address of any app I authorize, I always read whether the app I am authorizing is in fact the app I chose to authorize, and I carefully check which access I am giving to each app. I am one of the few who take the time to review each step, access and permission, but even doing so did not prevent me from authorizing an app that retweeted tons of spam for approximately 12 hours.
Yesterday someone in my timeline tweeted about what has become a trending topic, the "Ice Bucket Challenge". I watched each celebrity video out of curiosity and entertainment, but this particular link I clicked redirected me to the page to authorize TweetDeck. That was quite unusual, so I carefully reviewed the description of the app, the URL of the app and the access I was giving: nothing unusual, it was a clear authorization for TweetDeck. So I authorized the app, and the redirect after the authorization took me to the final destination, a celebrity video doing the "Ice Bucket Challenge". Nothing unusual; but later, when I was away from my desktop computer, many friends on Twitter told me I was making some unusual retweets.
Here is the first huge problem: if you are using any mobile device you CAN'T access the only page where you can revoke access to any app. Try it yourself: https://twitter.com/settings/applications
So, if by mistake you authorize an unwanted app on your mobile and you want to revoke that access, you can't until you log in to Twitter using a desktop browser... isn't that just crazy? It looks very unprofessional and irresponsible. I reported that issue more than two years ago without getting any real feedback.
So, when my friends on Twitter alerted me about the issue, I reviewed my authorized apps and none of them looked suspicious, so I ignored my friends' advice and went to sleep... Later on Friday I received more tweets telling me about my retweets and that my account had been compromised, so I again reviewed the apps and revoked TweetDeck. After reviewing all my actions and authorizations I finally got to the original URL that compromised my account. Here is a video of how the exploit works:
[Embedded YouTube video: https://www.youtube.com/watch?v=3ctZPgnVx_s]
I have reported this issue before. I reported the issue on Friday on Twitter's support and help site, and publicly to the Twitter Support user @Support, but more than 24 hours later the problem is still there.
So, I have some questions…
- Do you care about complaints to @Support?
- Have you done anything to stop spam attacks like this that use the TweetDeck API access keys and/or impersonate TweetDeck?
- If you force everyone to use your short URL system with security in mind... why is the infected URL still working? (https://bitly.com/katyperrybikini+)
So, I hope I can get some feedback from you: that you forbid any app from using the same name, logo, icon and colors that make an app look like (impersonate) TweetDeck; that you enable access for mobile users to the Applications settings page where you can revoke access to any app; that you ban the URL which is infecting many users; and that you investigate further what happened and forbid access to the app developers. In the end, your credibility and reliability (Twitter's) are the two key factors that get most affected.
If you want to see how many people got "infected", just check the stats on the Bit.ly link or take a look at how many RTs it got on Twitter:
URL Report by Bit.ly: