Comments on: The password anti-pattern and phishing scams: it’s Twitter’s fault

By: Matt

Matt — Mon, 01 Feb 2010 17:06:21 +0000

I’m a big fan of OAuth, but the truth is OAuth will not prevent these problems. OAuth still redirects users to the provider site to enter their username and password. Even though the consumer doesn’t get this data, it still teaches users to expect to be redirected elsewhere to login. So, if the site redirects you to a look-a-like phishing site, you still have a problem.

By: Online Media Managers » Blog Archive » The Curious Case of Twitter and Twply

Mon, 26 Jan 2009 07:01:52 +0000

[...] Twply story is a lesson in many ways (see the discussion about the password anti-pattern here, here, and here), but I going to focus on the interface of the service in [...]

By: Rounding up New Year Week | Padub

Rounding up New Year Week | Padub — Sat, 17 Jan 2009 22:51:56 +0000

[...] and phished Twitter while we were away. Good for Microsoft and Twitter, donâ€™t you think? Aral demanded Twitter to implement oAuth while I pondered about some problems that people will face on [...]

By: The Curious Case of Twply and Twitter - Bokardo

The Curious Case of Twply and Twitter - Bokardo — Fri, 09 Jan 2009 15:08:03 +0000

[...] Twply story is a lesson in many ways (see the discussion about the password anti-pattern here, here, and here), but I going to focus on the interface of the service in [...]

By: Rounding up New Year Week

Rounding up New Year Week — Mon, 05 Jan 2009 15:00:26 +0000

[...] 7 Demo and phished Twitter while we were away. Good for Microsoft and Twitter, don’t you think? Aral demanded Twitter to implement oAuth while I pondered about some problems that people will face on [...]

By: Sravan

Sravan — Mon, 05 Jan 2009 13:54:50 +0000

Yeah, everybody is demanding oAuth and I can see why. There are a few other problems that gullible users can face because of Twitter that I pondered about on http://www.thatdamnpc.com/3-problems-we-will-face-on-twitter/.

By: Aral

Aral — Mon, 05 Jan 2009 13:17:59 +0000

Keith,

I agree that Twitter implementing oAuth would not solve the current phishing scam as it imitates the Twitter homepage. However, you don’t need to go to the extremes of creating a fake twitter site to phish Twitter users today specifically because Twitter does not implement oAuth. All you need to do is create a Twitter app and ask for people’s username and login as per the officially-sanctioned Twitter way of building apps. That’s it. Then use their username and password. Simple.

The truth is that no one knows which Twitter apps actually store users’ passwords and which do not. There may be phishing scams going on right now under the guise of legitimate Twitter apps that we don’t know about.

The only way to know for sure would be to see the source code for the apps to see exactly what they are doing with the username/password information they gather.

So, without oAuth, any Twitter app that asks for your username/password (i.e., any Twitter app that uses authenticated methods in the Twitter API) is a potential phishing operation.

That’s what implementing oAuth would stop.

It would also stop teaching people that it’s OK to give your username and password to third party apps and even to desktop clients.

The only place you should provide your Twitter username and password is Twitter.com.

And yes, people can still get phished by attempts such as the current one that replicate the look and feel of the Twitter web site. Then you can implement things like the cookie-based badges that Yahoo does. None of it is foolproof but implementing oAuth would dramatically reduce the number of available attack vectors for phishing attempts.

By: Mark Armendariz

Mark Armendariz — Sun, 04 Jan 2009 18:39:39 +0000

We’re in full agreement.

Unfortunately, in order to offer the tools Twitter practically begs us to write (by having an API), we HAVE to ask uses for passwords. In Tweeter (facebook app), I try to warn uses not to give us their passwords unless they plan to tweet from Tweeter.

The very Last thing I want to worry about is accepting the passwords of my users which is bad on far too many levels. But it’s the only way I can offer them the tools they’re asking for my using my application.

I really hope Twitter gets on top of this very soon.

Here’s the entry in their bug list. Vote it up:
http://code.google.com/p/twitter-api/issues/detail?id=2

By: Keith Peters

Keith Peters — Sun, 04 Jan 2009 17:33:31 +0000

Also, in all fairness, the particular scam you are referring to really has nothing to do with the api situation (which I agree exists). The phishing page was designed to look exactly like twitter’s home page. So it’s not like users would even think they were supplying their credentials to some third party site and blindly trusting it because so many other apps do that. They would just think they were logging into their twitter account at twitter.com. oAuth would not solve this kind of scheme at all.

By: Keith Peters

Keith Peters — Sun, 04 Jan 2009 17:26:30 +0000

In all seriousness, I know what you are saying, and I agree twitter needs to change this, but I hate the blame game. Twitter rocks. It’s grown all out of proportion to anything anyone imagined, and it’s evolving in an even more rapidly evolving environment. oAuth started in November 2006, half a year after twitter started! They are both in their infancy. How can you berate one for not jumping on the bandwagon of the other? I think it would be great if twitter did use something like this, but worded in a suggestion would be better than an attack.