Thursday, 13 November 2008

TwitteRank and Security

I have seen a lot of talk on Twitter recently following the sudden popularity of a tool called TwitteRank (at the time of writing, the site appeared to have been taken down) and the possibility that it was actually a phishing scam for passwords.

What is TwitteRank?

In short, it’s a tool that produces a “score” based on your Twitter popularity. The FAQ on the site offers no insight into how the number is derived, but it does come up with a number.

There have been plenty of tweets from people broadcasting their rank (a search for the term will also pick up unrelated messages, as it is a pretty generic word).

So - I Get My TwitteRank, What’s the Best That Could Happen?

Interesting question... I am thinking:

You get your TwitteRank, and all your friends are jealous. Sadly you walk under a bus the next day. You then stand before the big man at the pearly gates, who is checking out your rap sheet; he sees your TwitteRank, quickly becomes very apologetic and promptly ushers you to the VIP area. You hang out with some cool (but sadly dead) people, drinking and living it up for all eternity.

OK, seriously. At best you get a warm fuzzy feeling that you are popular on a rather large network.

... Sure, and the Worst?

Well, with your Twitter username and password, your account can be accessed and everything you can do is available to whoever holds them. There is a strong likelihood that some or all of the following could be captured or performed:

  • Email address.
  • Mobile number.
  • Private/direct messages sent to and from other Twitter users (which could contain personal information for either party).
  • All your friends deleted/blocked.
  • All previous tweets deleted.
  • Horrible messages could be sent to your friends.

The above points got me thinking about some pretty nasty scenarios (knowing how sick some people can be):

  • One of the worst: a fake suicide message.
  • Use of nasty language to friends, possibly damaging relationships or, worse, landing you in trouble (e.g. race hate, etc.). For many people who have a large online presence, this could travel like wildfire and really damage their following.
  • Sending phishing messages. People generally follow people they trust, so what would stop you clicking a masked link in a tweet from someone you trust? “Hey Rob, you have to see this [x]”. I know I would click it, and you then get sent to a page that bombards you with popups, downloads stuff to your machine, etc.

Crap, That Sounds Bad, Now What?

Yes, it does. If you have entered your password into TwitteRank, then change it immediately!

It’s times like these that always remind me of a story I heard when I used to work for HSBC:

One day a man rang the cards call centre. He said his card had been stolen and his account emptied. The call centre queried how this was possible, since there is a daily withdrawal cap. He said he had no idea. It turned out the card had been flagged as stolen and was swallowed the next time it went into an ATM. When the card arrived at the card centre, they realised the man had etched the PIN into the front of the card. He “always forgot it otherwise”.

The simple answer is: security is there for a reason. NEVER give out your password!

So It’s All My Fault?

No, of course not. The truth is there are people in my network who did the whole TwitteRank thing, and they are smart people. Some of them could absolutely destroy me with their intelligence. However, people, YOU should know better!

Blame cannot be shifted entirely onto TwitteRank; YOU gave it your password. Sure, while I may agree that Twitter should support OAuth, I certainly do *not* condone any sort of black hat behaviour. Ryo Chijiiwa, if you DID harvest passwords then you are a real douche bag.

So What Would YOU Do Rob?

I wouldn’t give a crap about things like your popularity score.
YOU and your friends know if you are popular. If you have many followers and a lot of people who engage with you, awesome.

Worry less about your “score” and more about building it.
The time you have spent worrying about being “hacked” could have been spent having coffee with a friend, networking with more people, or writing a blog post that makes people think about something.

THINK before doing such things!
When I was asked for my password on TwitteRank, the first thing I asked was WHY? There are many sites that trawl Twitter content; what would access to my account provide over that? What would a score be based on? Does this calculation really require access to my account?

In my mind, I think popularity would be based on:

  • Number of followers.
  • Number of friends (people you follow).
  • How often you engage with each other.
  • How often you are re-tweeted.
  • How often people link to your blog (an interesting challenge with URLs here).

Now, what would an application need for this? Just your Twitter name.

Think people, stay safe.

4 comments:

  1. It's what I've been saying to all my friends.

    At last, somebody that agrees with me!

  2. I saw a few people post twitteranks that really surprised me. In particular, Scott Hanselman.

    You wouldn't think he'd be one to enter login info into some random website after the drubbing he gave the StackOverflow guys for having lax security.

  3. @Mark Biek,
    Thanks for the comment. Funny you mentioned Scott, he was one of the prominent names I had in my mind when writing this. I've not yet had a chance to listen to the podcast with Jeff, so I will check it out.

  4. @Rob

    I'm not much of a .NET guy; I haven't listened to Hanselminutes much.

    But the episode with Jeff and the "behind-the-scenes" episode were really interesting.

    It's funny how two groups of developers can have a completely different approach to a project and still get successful outcomes.
