
Twitter and web forgery

Written by Dennis Howlett, Contributor

Last evening as I was winding down after a long journey imagine my surprise when I started to receive a tsunami of @ replies on my Twitter account. Apparently I was direct messaging a stack of people I don't know with a link to something that starts http://videos.twitter... except it wasn't me. The image above is what you see when the link is clicked (and no, I'm not going to give the link.) This is NOT fun.

Fortunately, Robert Scoble had picked up on what was going on and sent the message:

@Scobleizer: Don't click links sent to u in DM @dahowlett & many others are being hit ESP ones that start http://video

At the time I wasn't near my iMac or laptop so couldn't realistically review the problem. There are limitations to Tweetie on the iPhone. I did send a Tweet message to @ev screaming HELP!!!!

@dahowlett Holy crap. This hacking thing is teh suck. I'm getting bombed. Anyone who gets DM from 'me' with http://video. IT'S NOT ME @ev? HELP!!!

In time-honored fashion I didn't get a reply from anyone at Twitter. Given the nature of the service I didn't expect to. I'm not the only one - see the image below taken from Scoble's account:

Fortunately I've got a number of good pals who contacted me with various suggestions as to how the problem might be solved. The favorite seemed to be a password change. I've no idea how the hack occurred, especially given I used a 10-character alphanumeric password that Twitter graded as 'good', but it is yet another example of how this popular service can catch people out.

Scoble and I may not see eye to eye on a number of topics but I was grateful that he warned people about what's going on. I called him up to see if he could shed light on the problem. Unfortunately he couldn't and, as you can see from his Tweetstream, it doesn't seem to have been addressed publicly by Twitter. Trending articles don't mention it either. However, I did notice that Twitrobot's account has been suspended.

One very helpful suggestion was to ensure the password you use for Twitter is unique to that service. That's something I'd done anyway so it seems that at least one service I use has either been hacked or is being used for less than honorable things. I've since revoked access to several other services.

According to Dan Goodin at The Register, the problem could lie inside OAuth:

"Unless you revoke these [Twitter add-on app] tokens when you change your password, a malicious user will still have access to your twitter account," said [Terence] Eden, who tackles customer usability issues for a large telecommunications company. "Twitter doesn't make that wonderfully clear."
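The point in that quote, that revoking add-on app tokens is a separate step from changing your password, as an added example that is not part of this post and not Twitter's code: a toy account model where a password change first leaves an already-issued app token valid, then a hardened variant that invalidates every token issued before the change. The class, method and app names are assumptions made up for the illustration.

```python
# Added illustration, not Twitter's code: why a password change alone does not
# lock out an add-on app holding a token, and one way to make the change do so.
import secrets
from dataclasses import dataclass, field


@dataclass
class Account:
    password: str
    password_generation: int = 0                # bumped on every password change
    tokens: dict = field(default_factory=dict)  # token -> (app_name, generation)

    def authorize_app(self, app_name: str) -> str:
        # Issue a bearer token to an add-on app (stands in for an OAuth token).
        token = secrets.token_hex(16)
        self.tokens[token] = (app_name, self.password_generation)
        return token

    def revoke_app(self, app_name: str) -> int:
        # Explicit per-app revocation, the manual step the quoted advice asks for.
        doomed = [t for t, (app, _) in self.tokens.items() if app == app_name]
        for t in doomed:
            del self.tokens[t]
        return len(doomed)

    def change_password_naive(self, new_password: str) -> None:
        # Weak behaviour: only the password changes; issued tokens are untouched.
        self.password = new_password

    def change_password_hardened(self, new_password: str) -> None:
        # Hardened behaviour: every token records the generation it was issued
        # under, so bumping the generation invalidates all earlier tokens at once.
        self.password = new_password
        self.password_generation += 1

    def token_is_valid(self, token: str) -> bool:
        entry = self.tokens.get(token)
        return entry is not None and entry[1] == self.password_generation


def demo() -> tuple:
    # Scenario: a rogue add-on app holds a token (constructed), then the user
    # changes the password. Returns (valid after naive change, valid after hardened).
    acct = Account(password="old-secret")
    rogue = acct.authorize_app("rogue-dm-spammer")
    acct.change_password_naive("new-secret")
    still_valid_after_naive = acct.token_is_valid(rogue)
    acct.change_password_hardened("newer-secret")
    valid_after_hardened = acct.token_is_valid(rogue)
    return still_valid_after_naive, valid_after_hardened
```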

Whatever the problem, it amply demonstrates what can happen when a vendor doesn't police the use of an open API. This is something I've talked about elsewhere, much to the derision of vendors who would like to think I 'don't get it.' I trust they're eating their words. Security matters, and a laissez-faire attitude to APIs will surely destroy reputation faster than Luke Skywalker's light saber.
