Can’t look this gift horse in the mouth
Today was an interesting day for the Identity geeks of the world. A viral outbreak of concern broke out among twitter users over site called “Twitterank”. Twitterank asks for your credentials and displays a number theoretically outlining your theoretical socal viability in the twitterverse.
Once the word “phishing” became attached to the service, people became fascinated. I have no idea of the order of it all – but several things happened:
- A ridiculous number of people decided to try out the alleged phishing site. Some of them even changed their password afterwards.
- References were passed around to a site called “Twitterawesomeness” that appears to exist as a very pointed statement about how easy it is to phish a site like twitterank. The disclaimer states:
I’m in ur Twitterz, stealin ur credz!
It’s ok, 178 other people gave their passwords too!
- The author of Twitterank came out with this statement:
I’m not out to steal ur twitterz. Frankly, I wish I didn’t have to ask for your account info, but Twitter doesn’t offer APIs using any other authentication mechanism (according to the docs). So blame them.
So let’s see then:
- twitterank is right. The best way to protect the passwords of the users of your service is to provide alternatives to giving away your password. Granting permission for another entity to see your data is something Twitter can securely enable – or ignore. We know where they stand so far.
- twitterawesomeness is right too. It doesn’t matter whether twitterank is crooked or honest. Anyone who wishes to spend the 10 minutes to emulate twitterank’s main page can harvest passwords, if they can get people to click on a modified link. Obviously not a difficult task – especially when people only see a “tinyurl” for most of the links they click. Heck, just register “twitterrank.com”. People will come to you.
- To all you folks who changed your password — do you use that password anywhere else? Cause if I were going to steal username/password combinations, it certainly wouldn’t be to read a twitter stream. But I’m sure nobody would be crazy enough to use the same combo at twitter and at their bank… what about the password you might have had when you tried the service a month ago?
- In fact – even if you don’t use that combination at your bank, I might be able to still get there. I would use the credentials to harvest your email address from twitter, and then try to login to that email account. If I was lucky and got a hit, I could then start putting your email address into password recovery pages for all sorts of interesting places. Once you have email, you have the keys to the kingdom.
Of course, I could also just phish your bank site. Occam’s razor applies here. Still, the point has been proven.