Recent reports about a hijacked Twitter account have led me to this little explanation on the "why" and "how" that has worked.
Let's assume user "A" is using Twitter in a typical end-user kind of way, i.e. they have a password that is either easy to guess or they have some malware installed on their devices (not limited to Windows anymore, guys!) and the account gets compromised. What happens next?
The malware/bot logs in to the account. Nothing that anybody would recognize as illegitimate activity. It then authorizes an "application" (i.e. itself!) to access the account. And that's about it for the password part. Because once an app is authorized, it can access the Twitter account with that "authorization token" without providing user credentials. It's how all those nifty "integrate with Twitter" thingies work. That is also not limited to Twitter; just about any social site that allows "apps" access to your data works like this. Some people compare it to sort of a "spare key" to your account that you hand out. But it's more: it's actually a new door for the app that you create. It has a key ("token"), but changing your primary key - your password - doesn't change anything on that additional door.
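To make the "spare key vs. new door" point concrete, here is a small added example (not code from the original post, and not how Twitter itself is implemented). It models an account with a password and a separate table of app tokens: a token issued to a hypothetical "shady-app" keeps working after the password is changed, and only stops working when the app's authorization is revoked. All names and values are made up.

```python
"""Toy model of password login vs. app-authorization tokens.

Added example, not from the original post. It demonstrates that an app
token is an independent "door": a password change leaves it open, and
only revoking the app closes it. Names and values are constructed.
"""
import hashlib
import hmac
import os
import secrets


class Account:
    def __init__(self, username: str, password: str) -> None:
        self.username = username
        self._salt = os.urandom(16)
        self._pw_hash = self._hash(password)
        # app name -> token; every entry is a separate "door" into the account
        self._app_tokens: dict = {}

    def _hash(self, password: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self._salt, 100_000)

    def login(self, password: str) -> bool:
        # The "front door": checks the password only
        return hmac.compare_digest(self._hash(password), self._pw_hash)

    def authorize_app(self, password: str, app_name: str) -> str:
        # Authorization happens once, while the attacker still has the password
        if not self.login(password):
            raise PermissionError("bad password")
        token = secrets.token_urlsafe(32)
        self._app_tokens[app_name] = token
        return token

    def access_with_token(self, token: str) -> bool:
        # No password involved: the token alone opens its door
        return any(hmac.compare_digest(token, t) for t in self._app_tokens.values())

    def change_password(self, old: str, new: str) -> None:
        if not self.login(old):
            raise PermissionError("bad password")
        self._salt = os.urandom(16)
        self._pw_hash = self._hash(new)
        # Tokens are deliberately left untouched: this is the behaviour the post describes

    def revoke_app(self, app_name: str) -> None:
        # The only action in this model that actually closes the extra door
        self._app_tokens.pop(app_name, None)

    def authorized_apps(self) -> list:
        # What a user should review after any suspected compromise
        return sorted(self._app_tokens)


def demo() -> dict:
    acct = Account("A", "hunter2")
    token = acct.authorize_app("hunter2", "shady-app")  # hypothetical app name
    results = {}
    results["token_works"] = acct.access_with_token(token)
    acct.change_password("hunter2", "correct horse battery staple")
    results["old_password_works"] = acct.login("hunter2")
    results["token_still_works"] = acct.access_with_token(token)
    results["apps_to_review"] = acct.authorized_apps()
    acct.revoke_app("shady-app")
    results["token_after_revoke"] = acct.access_with_token(token)
    return results


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The practical takeaway is in `authorized_apps()`: after a suspected compromise, changing the password is necessary but not sufficient; the list of authorized apps has to be reviewed and anything unfamiliar revoked.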
Now that the bot has basically unconstrained access to the account "A", it can start spreading spam... but wait! If it just posts something to the public timeline, the user "A" will realize that pretty quickly and shut it down. So, sneaky sneaky, it just starts following as many people as it can without arousing suspicion. And the easiest way to do that is that nifty little list that Twitter offers: "Who to follow". The bot can see that list too (I don't know if there's an API for it, but it can certainly scrape it from the HTML). What happens next? Well, the fact that user "A" is following certain accounts will lead to even more suggestions for similar accounts for user "A". In this case: even more members of the furry community...
Following many people isn't a cause for alarm for most users either and some might not even notice that at all.
But why?
Here's where "social engineering" comes into play. Many people just see a follow or follow request from a person that they seem to identify with (again, Twitter is pretty good at matching people's interest for 'who to follow') and just blindly "follow back" that person. And here we go: once user 'B' (a.k.a. the "target") follows user 'A', the bot can send a direct message. And direct message spam is much more efficient than public message spam. After all, somebody you "know" has told you to invest in a 3rd world prince, right?
This is a detailed explanation of what I think happens and just how twisted some plans are. I may be a tad bit off in some details, but overall I'm sure it's just like that. And it's a good example of just why you need to keep your accounts under watch. To me as a tech guy it would be a nice service to have a log of invalid AND valid login attempts to your account, INCLUDING IP address details. I don't think hacking attempts fall under privacy laws anywhere... And I would like to know if (successful!) attempts are made to abuse my account. It doesn't help to see only invalid attempts either... like my e-mail provider shows me: "7 invalid logon attempts". Great. Does that mean they gave up after the 7th or does that mean they guessed right at the 8th time? I WANT TO KNOW IF I NEED TO CHANGE MY PASSWORD!
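The "did they give up after the 7th or get in on the 8th?" question is exactly what a log of both failed and successful logins with source addresses answers. The following added example (not from the original post; the log format, user name and addresses are constructed) parses such a log and flags two things a user would want to know: a success that follows a run of failures from the same address, and a success from an address that has never logged in successfully before.

```python
"""Audit-log check for the 'did they get in on the 8th try?' question.

Added example, not from the original post. Input is a constructed login
log with both FAIL and OK events and a source IP per event; the log format
is an assumption, not any provider's real format.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional
import re

LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+login\s+(?P<result>OK|FAIL)\s+user=(?P<user>\S+)\s+ip=(?P<ip>\S+)$"
)

# Constructed sample: a known address, then 7 failures and a success from an
# unfamiliar address (documentation ranges, not real hosts).
SAMPLE_LOG = """\
2013-01-05T09:58:11Z login OK user=A ip=198.51.100.4
2013-01-05T10:01:02Z login FAIL user=A ip=203.0.113.7
2013-01-05T10:01:05Z login FAIL user=A ip=203.0.113.7
2013-01-05T10:01:09Z login FAIL user=A ip=203.0.113.7
2013-01-05T10:01:12Z login FAIL user=A ip=203.0.113.7
2013-01-05T10:01:16Z login FAIL user=A ip=203.0.113.7
2013-01-05T10:01:20Z login FAIL user=A ip=203.0.113.7
2013-01-05T10:01:24Z login FAIL user=A ip=203.0.113.7
2013-01-05T10:01:31Z login OK user=A ip=203.0.113.7
2013-01-05T18:30:00Z login OK user=A ip=198.51.100.4
"""


@dataclass
class Event:
    ts: str
    result: str
    user: str
    ip: str


def parse(log: str) -> list:
    """Turn log text into Event objects; lines that do not match are skipped."""
    events = []
    for line in log.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            events.append(Event(**m.groupdict()))
    return events


def analyze(events: list, fail_threshold: int = 3,
            known_good: Optional[set] = None) -> list:
    """Return (timestamp, ip, reason) findings for successful logins that
    followed >= fail_threshold failures from the same address, or came from
    a (user, ip) pair with no earlier successful login."""
    findings = []
    seen_ok = set(known_good or ())          # (user, ip) pairs already trusted
    fail_streak = defaultdict(int)           # consecutive failures per (user, ip)
    for ev in events:
        key = (ev.user, ev.ip)
        if ev.result == "FAIL":
            fail_streak[key] += 1
            continue
        # A successful login: decide whether the user should be told about it
        if fail_streak[key] >= fail_threshold:
            findings.append((ev.ts, ev.ip,
                             f"success after {fail_streak[key]} failures"))
        if key not in seen_ok:
            findings.append((ev.ts, ev.ip, "first successful login from this address"))
        seen_ok.add(key)
        fail_streak[key] = 0
    return findings


if __name__ == "__main__":
    # Treat the address seen at 09:58 as the user's own, so only the new one is reported
    for ts, ip, reason in analyze(parse(SAMPLE_LOG), known_good={("A", "198.51.100.4")}):
        print(f"{ts} {ip}: {reason}")
```

Either finding is a reason to change the password and, per the earlier point about app tokens, to review the list of authorized apps as well; the "7 invalid attempts" counter alone gives you neither.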