Aral Balkan: Historical Archive — The password anti-pattern and phishing scams: it's Twitter's fault

The password anti-pattern and phishing scams: it's Twitter's fault

Twitter is aflame with tweets from users warning each other via retweets about a phishing scam that's currently underway. The scammers are sending DMs to Twitter users that read "hey! check out this funny blog about you..." and contain a link to a site that asks you to log in with your Twitter username and password.

Unfortunately, asking you for your Twitter username and password is also what many legitimate Twitter applications do, and have been doing, since Twitter apps first hit the scene.

Many people on Twitter, even developers, who should know better, are blaming Twitter application developers for asking users for their login details and thereby "teaching users to get phished". This is a myopic and unfair reaction that places the blame in the wrong place.

The party responsible for perpetuating the password anti-pattern and teaching users to get phished is none other than Twitter itself. Here's why:

The Twitter API only supports HTTP Basic Authentication. In other words, if you want to use the authenticated Twitter API methods in your own application, you have no choice but to implement the password anti-pattern.

And this is not going to change until Twitter rolls out oAuth.

In the meanwhile, stop blaming application developers and start putting the blame (and pressure) where it is deserved and where it can actually result in positive change: The only party that can change this state of affairs is Twitter.

Twitter, you must implement oAuth and you must implement it now.

In the meanwhile, expect more login details to get sold and more phishing attempts.

Comments

Aral, I totally agree with you. It's just bad practice. It boggles me that Twitter gets away with what it does.
by TJ Downes on 2009-01-04 17:07:18
Bad, bad twitter. http://aralbalkan.com/fof/ :)
by Keith Peters on 2009-01-04 17:18:24
Also, in all fairness, the particular scam you are referring to really has nothing to do with the api situation (which I agree exists). The phishing page was designed to look exactly like twitter's home page. So it's not like users would even think they were supplying their credentials to some third party site and blindly trusting it because so many other apps do that. They would just think they were logging into their twitter account at twitter.com. oAuth would not solve this kind of scheme at all.
by Keith Peters on 2009-01-04 17:33:31
Yeah, everybody is demanding oAuth and I can see why. There are a few other problems that gullible users can face because of Twitter that I pondered about on http://www.thatdamnpc.com/3-problems-we-will-face-on-twitter/.
by Sravan on 2009-01-05 13:54:50
[...] 7 Demo and phished Twitter while we were away. Good for Microsoft and Twitter, don’t you think? Aral demanded Twitter to implement oAuth while I pondered about some problems that people will face on [...]
by Rounding up New Year Week on 2009-01-05 15:00:26
Keith, I agree that Twitter implementing oAuth would not solve the current phishing scam as it imitates the Twitter homepage. However, you don't need to go to the extremes of creating a fake twitter site to phish Twitter users today specifically because Twitter does not implement oAuth. All you need to do is create a Twitter app and ask for people's username and login as per the officially-sanctioned Twitter way of building apps. That's it. Then use their username and password. Simple. The truth is that no one knows which Twitter apps actually store users' passwords and which do not. There may be phishing scams going on right now under the guise of legitimate Twitter apps that we don't know about. The only way to know for sure would be to see the source code for the apps to see exactly what they are doing with the username/password information they gather. So, without oAuth, any Twitter app that asks for your username/password (i.e., any Twitter app that uses authenticated methods in the Twitter API) is a potential phishing operation. That's what implementing oAuth would stop. It would also stop teaching people that it's OK to give your username and password to third party apps and even to desktop clients. The only place you should provide your Twitter username and password is Twitter.com. And yes, people can still get phished by attempts such as the current one that replicate the look and feel of the Twitter web site. Then you can implement things like the cookie-based badges that Yahoo does. None of it is foolproof but implementing oAuth would dramatically reduce the number of available attack vectors for phishing attempts.
by Aral on 2009-01-05 13:17:59
[...] Twply story is a lesson in many ways (see the discussion about the password anti-pattern here, here, and here), but I going to focus on the interface of the service in [...]
by The Curious Case of Twply and Twitter - Bokardo on 2009-01-09 15:08:03
In all seriousness, I know what you are saying, and I agree twitter needs to change this, but I hate the blame game. Twitter rocks. It's grown all out of proportion to anything anyone imagined, and it's evolving in an even more rapidly evolving environment. oAuth started in November 2006, half a year after twitter started! They are both in their infancy. How can you berate one for not jumping on the bandwagon of the other? I think it would be great if twitter did use something like this, but worded in a suggestion would be better than an attack.
by Keith Peters on 2009-01-04 17:26:30
We're in full agreement. Unfortunately, in order to offer the tools Twitter practically begs us to write (by having an API), we HAVE to ask uses for passwords. In Tweeter (facebook app), I try to warn uses not to give us their passwords unless they plan to tweet from Tweeter. The very Last thing I want to worry about is accepting the passwords of my users which is bad on far too many levels. But it's the only way I can offer them the tools they're asking for my using my application. I really hope Twitter gets on top of this very soon. Here's the entry in their bug list. Vote it up: http://code.google.com/p/twitter-api/issues/detail?id=2
by Mark Armendariz on 2009-01-04 18:39:39
[...] and phished Twitter while we were away. Good for Microsoft and Twitter, donâ€™t you think? Aral demanded Twitter to implement oAuth while I pondered about some problems that people will face on [...]
by Rounding up New Year Week | Padub on 2009-01-17 22:51:56
[...] Twply story is a lesson in many ways (see the discussion about the password anti-pattern here, here, and here), but I going to focus on the interface of the service in [...]
by Online Media Managers » Blog Archive » The Curious Case of Twitter and Twply on 2009-01-26 07:01:52
I'm a big fan of OAuth, but the truth is OAuth will not prevent these problems. OAuth still redirects users to the provider site to enter their username and password. Even though the consumer doesn't get this data, it still teaches users to expect to be redirected elsewhere to login. So, if the site redirects you to a look-a-like phishing site, you still have a problem.
by Matt on 2010-02-01 17:06:21