Since Twitter first became popular enough to attract crooks and scammers, phishing has been a consistent problem.
Generally, Twitter phishing looks like this: First, you get a direct message linking you to some site for some reason. Next, you login into this third-party site using your Twitter credentials. Finally, everyone in your Twitter stream gets sent the same message you got spreading the scam into infinity.
These scams were enabled by the fact that Twitter users have grown comfortable logging into other sites and tools using their Twitter credentials. This is because, in an effort to make its service more useful, Twitter has had a very open policy for third-party developers.
Thankfully, most of these scams have not result into much direct harm for users. Sean in the F-Secure Labs suggested that the main purpose of phishing was to create trending topics/trending terms to improve SEO attacks.
Back in April, I suggested a draconian way of avoiding Twitter phishing: never click on any links. Thankfully, that became less necessary as Twitter’s increasingly effective filtering of shortened links has helped to minimize these attacks.
And here comes a real change for the better. As of August 16, 2010, you will not be able to use your login and password to login into Twitter using any site but Twitter.com. Any third-party site that you want to use has to connect to your Twitter account directly using the OAuth procedure.
This means Twitter can say to the world, don’t log into Twitter unless you’re on Twitter. And if users listen, Twitter phishing will be history. Just a little change, but a step in the right direction.
Image by Carrot Creative.
To commemorate F-Secure’s 30th year of innovation, we’re profiling 30 of our fellows from our more than…
July 12, 2018