Avoid TwitViewer phishing: use OAuth-friendly apps

It came across my Twitter feed in the early morning, a sea of users all sending the same message: "Want to know whos stalking you on twitter!?: http://TwitViewer.net."

The site, whose domain was registered today through an Arizona proxy service, promises a photo-gallery-like display of the last 200 people that came to your Twitter page. The cost for this service? Nothing, save for your Twitter user name and password. The catch? You just gave up your Twitter authentication credentials to a site you know nothing about. Proving this point, the site automatically sends the aforementioned message through your Twitter account sans permission and auto-follows you to the Twitter accounts of any of the random photos you click on--people who you're led to believe visited your account.

Twitter itself now recommends that users who signed up for the "service" change their passwords. But it's not like this suggested scam was unavoidable in the first place. In fact, there are two large barriers between you and any scamming site on Twitter: Your brain and OAuth.

It's worth doing a little background research before you blindly toss away your primary login credentials to any Twitter-themed Internet service (or anything on the Internet, for that matter). Does the site look legitimate? Your gut feelings might be more accurate than you first think. Is what the site's offering even physically possible? I can't think of way that a third-party site, using only your Twitter login and password, would be able to track other Twitter users that have clicked on your Twitter page.

As for OAuth, this is an authentication protocol for desktop and Web applications that's designed to keep your login credentials secure from third parties. Applications that support OAuth don't ask you for your user name or password directly. Instead, they send a request to Twitter and ask it for permission to access your account.

Instead of logging into a third party to deal with this request, you sign into your Twitter account through Twitter's trusted servers as you normally would. The actual handshake for permissions takes place through Twitter. Once you've given the application access to do whatever, Twitter generates an access key for the app that can be configured based on varying levels of access or time. You control the approval process and terms, and you can even remove an application's permissions after-the-fact.

Not all desktop and Web applications currently support OAuth, but it's a far more secure method of giving third-parties access to your account than simply sending over your user name and password. If you have to do the latter, make sure that you implicitly trust the site to hold this information--and your account--in confidence. The TwitViewer situation affected even some of the more Net-savvy folk on Twitter: Don't let it happen to you!

Update 12:44 PST: TwitViewer.net is now down for the count!

References show all

Comments

Post new comment

The content of this field is kept private and will not be shown publicly.
Users posting comments agree to the Computerworld comments policy.
Login or register to link comments to your user profile, or you may also post a comment without being logged in.
Related Coverage
Related Whitepapers
Latest Stories
Community Comments
Tags: phishing, social networking, twitter
Whitepapers
All whitepapers
Sign up now to get free exclusive access to reports, research and invitation only events.
Featured Download
/downloads/product/22/cdex/

CDex

CDex can extract the data directly (digital) from an Audio CD, which is generally called a CD Ripper or a CDDA utility.

Computerworld newsletter

Join the most dedicated community for IT managers, leaders and professionals in Australia