The password anti-pattern and phishing scams: it’s Twitter’s fault
Unfortunately, asking you for your Twitter username and password is also what many legitimate Twitter applications do, and have been doing, since Twitter apps first hit the scene.
Many people on Twitter, even developers who should know better, are blaming Twitter application developers for asking users for their login details and thereby "teaching users to get phished". This is a myopic and unfair reaction that places the blame in the wrong place.
The party responsible for perpetuating the password anti-pattern and teaching users to get phished is none other than Twitter itself. Here's why:
The Twitter API only supports HTTP Basic Authentication, which means every authenticated request must carry the user's actual username and password. In other words, if you want to use the authenticated Twitter API methods in your own application, you have no choice but to implement the password anti-pattern.
And this is not going to change until Twitter rolls out oAuth.
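To make the difference concrete, here is an added example (mine, not Twitter's code or any real client) contrasting the two models: with Basic Authentication the application, and anything that sees its traffic or logs, holds the raw password and can recover it from the header, whereas with an OAuth 1.0a-style HMAC-SHA1 signature the application holds only a revocable token and secret and signs each request, so the password never leaves Twitter. The endpoint URL, keys and secrets below are constructed placeholders.

```python
import base64
import hashlib
import hmac
import urllib.parse

# Constructed placeholders; a real deployment gets these from the provider.
STATUS_URL = "https://twitter.example/statuses/update.json"
CONSUMER_KEY, CONSUMER_SECRET = "app-key-example", "app-secret-example"
TOKEN, TOKEN_SECRET = "user-token-example", "user-token-secret-example"


def basic_auth_header(username, password):
    """The header a Basic-auth client must send: the password is merely base64-wrapped."""
    return "Basic " + base64.b64encode(f"{username}:{password}".encode()).decode()


def credentials_from_basic_header(header):
    """Whoever holds the header (the app, a proxy, a log file) gets the password back."""
    user, _, password = base64.b64decode(header.split(" ", 1)[1]).decode().partition(":")
    return user, password


def _enc(value):
    # RFC 3986 percent-encoding as OAuth 1.0a requires: only "-._~" stay bare.
    return urllib.parse.quote(str(value), safe="-._~")


def oauth1_signature(method, url, params, consumer_secret, token_secret):
    """HMAC-SHA1 over method, URL and the sorted, encoded parameters (OAuth 1.0a, section 3.4)."""
    pairs = sorted((_enc(k), _enc(v)) for k, v in params.items())
    base = "&".join([method.upper(), _enc(url), _enc("&".join(f"{k}={v}" for k, v in pairs))])
    key = f"{_enc(consumer_secret)}&{_enc(token_secret)}".encode()
    return base64.b64encode(hmac.new(key, base.encode(), hashlib.sha1).digest()).decode()


def sign_status_update(status, nonce, timestamp):
    """Build the signed parameter set for a status update; no password is involved."""
    params = {"status": status, "oauth_consumer_key": CONSUMER_KEY, "oauth_token": TOKEN,
              "oauth_nonce": nonce, "oauth_timestamp": timestamp,
              "oauth_signature_method": "HMAC-SHA1", "oauth_version": "1.0"}
    params["oauth_signature"] = oauth1_signature("POST", STATUS_URL, params, CONSUMER_SECRET, TOKEN_SECRET)
    return params


def verify_status_update(params, consumer_secret=CONSUMER_SECRET, token_secret=TOKEN_SECRET):
    """What the provider does: recompute the signature and compare in constant time."""
    unsigned = dict(params)
    presented = unsigned.pop("oauth_signature", None)
    if presented is None:
        return False
    expected = oauth1_signature("POST", STATUS_URL, unsigned, consumer_secret, token_secret)
    return hmac.compare_digest(presented, expected)
```

Revoking TOKEN_SECRET on the provider side makes every request signed with it fail verification without the user changing their password, which is exactly what a Basic-auth client cannot offer.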
In the meanwhile, stop blaming application developers and start putting the blame (and pressure) where it is deserved and where it can actually result in positive change: The only party that can change this state of affairs is Twitter.
Twitter, you must implement oAuth and you must implement it now.
In the meanwhile, expect more login details to get sold and more phishing attempts.
The "The password anti-pattern and phishing scams: it’s Twitter’s fault" article by Aral Balkan, unless otherwise expressly stated, is licensed under a Creative Commons Attribution-Noncommercial 2.0 UK: England License.
TJ Downes
Aral, I totally agree with you. It’s just bad practice. It boggles me that Twitter gets away with what it does.
January 4th, 2009 at 6:07 pm
Keith Peters
Bad, bad twitter.
http://aralbalkan.com/fof/
January 4th, 2009 at 6:18 pm
Keith Peters
In all seriousness, I know what you are saying, and I agree twitter needs to change this, but I hate the blame game. Twitter rocks. It’s grown all out of proportion to anything anyone imagined, and it’s evolving in an even more rapidly evolving environment. oAuth started in November 2006, half a year after twitter started! They are both in their infancy. How can you berate one for not jumping on the bandwagon of the other? I think it would be great if twitter did use something like this, but wording it as a suggestion would be better than an attack.
January 4th, 2009 at 6:26 pm
Keith Peters
Also, in all fairness, the particular scam you are referring to really has nothing to do with the api situation (which I agree exists). The phishing page was designed to look exactly like twitter’s home page. So it’s not like users would even think they were supplying their credentials to some third party site and blindly trusting it because so many other apps do that. They would just think they were logging into their twitter account at twitter.com. oAuth would not solve this kind of scheme at all.
January 4th, 2009 at 6:33 pm
Mark Armendariz
We’re in full agreement.
Unfortunately, in order to offer the tools Twitter practically begs us to write (by having an API), we HAVE to ask users for passwords. In Tweeter (facebook app), I try to warn users not to give us their passwords unless they plan to tweet from Tweeter.
The very last thing I want to worry about is accepting the passwords of my users, which is bad on far too many levels. But it’s the only way I can offer them the tools they’re asking for by using my application.
I really hope Twitter gets on top of this very soon.
Here’s the entry in their bug list. Vote it up:
http://code.google.com/p/twitter-api/issues/detail?id=2
January 4th, 2009 at 7:39 pm
Aral
Keith,
I agree that Twitter implementing oAuth would not solve the current phishing scam as it imitates the Twitter homepage. However, you don’t need to go to the extremes of creating a fake twitter site to phish Twitter users today specifically because Twitter does not implement oAuth. All you need to do is create a Twitter app and ask for people’s username and login as per the officially-sanctioned Twitter way of building apps. That’s it. Then use their username and password. Simple.
The truth is that no one knows which Twitter apps actually store users’ passwords and which do not. There may be phishing scams going on right now under the guise of legitimate Twitter apps that we don’t know about.
The only way to know for sure would be to see the source code for the apps to see exactly what they are doing with the username/password information they gather.
So, without oAuth, any Twitter app that asks for your username/password (i.e., any Twitter app that uses authenticated methods in the Twitter API) is a potential phishing operation.
That’s what implementing oAuth would stop.
It would also stop teaching people that it’s OK to give your username and password to third party apps and even to desktop clients.
The only place you should provide your Twitter username and password is Twitter.com.
And yes, people can still get phished by attempts such as the current one that replicate the look and feel of the Twitter web site. Then you can implement things like the cookie-based badges that Yahoo does. None of it is foolproof but implementing oAuth would dramatically reduce the number of available attack vectors for phishing attempts.
January 5th, 2009 at 2:17 pm
Sravan
Yeah, everybody is demanding oAuth and I can see why. There are a few other problems that gullible users can face because of Twitter that I pondered about on http://www.thatdamnpc.com/3-problems-we-will-face-on-twitter/.
January 5th, 2009 at 2:54 pm