Orcmid's Lair status 


Social-Grid Identity: Please Enter Your Twitter Credentials Here

[update 2009-03-06T20:43Z Hmm.  I just checked in on Twitter over lunch and the first update was from Ed Yourdon about Twitter being hacked in some way that allows accounts to be used or users impersonated in some way.  The instance on Yourdon’s update page suggests that these came in under the guise of posts using the web, so the exploit appears to be against the Twitter home page or the web site.  Ideally, Twitter has finer-grained detail about the path over which these tweets arrive and what the likely exploit is.  I had no knowledge or suspicions about this when I researched and created this post yesterday.]

It’s still happening.  First it was Facebook credentials.  Now it is the new hot: Twitter.

There’s an onslaught of web-based applications that integrate with Twitter and provide additional functions and services for you.  Sounds exciting, yes? 

But all of them want my Twitter credentials.  Like TwitPic, when I wanted to make a comment on this photographic complaint about someone taking a single bite out of the P-I newsroom’s fat-pill supply.  That stopped me short.  They wanted my Twitter credentials simply to comment on the photograph.  I passed.

WAIT!!  Have I already fallen for this?

This has me wondering who else I may already have given my Twitter credentials to. 

  • FriendFeed?  No, they just wanted to know my Twitter name in order to include my tweets in FriendFeed.
  • FriendFeed posting to Twitter?  Not sure.  I can’t tell what it took for those tweets to be forwarded.   I’ve turned it off, turned it on, and turned it off again.  No credential request, but I’m leaving it off anyhow.  I don’t remember providing my Twitter credentials though.  That sort of request usually triggers instant uh-oh on my part.  I know the Linked-in connection ceremony does not involve disclosure to FriendFeed, and expect that no other arrangements like this do either.
  • Twhirl.  Well, this is a desktop (Adobe AIR) application.  It does know my Twitter and my FriendFeed passwords.  It also will forget my passwords if I tell it to.   Apart from the prospect of the application simply stealing that information via my authorization to access the Internet through my firewall, there is no more exposure here than my entering a password on the Twitter and FriendFeed pages.  Not perfect, but at least retained only on my machine and not someone else’s.

So there are mixed results. 

It doesn’t have to be that way.  When I configured Windows Live Photo Gallery to update to my Flickr account, I never divulged my Flickr (that is, Yahoo!) credentials to the program.  Instead, it worked more like a PayPal transaction, with Flickr arranging a unique credential for Photo Gallery to use that applies only to it, apparently.  I don’t know the details of that arrangement; I will find out more.  This sort of arrangement needs to be more widely understood.  (I’m pretty sure that I can use an Information Card to accomplish arrangements like this too.)

And Now, Some Security Theater

I have resisted two invitations to supply my Twitter credentials, not counting the one at TwitPic today.  On reflection, they are each instructive.

Mr. Tweet Sends Me a Message

Mr. Tweet sent me a direct message.  Well, that means I am following Mr. Tweet, doesn’t it?  Apparently not.  If I go to this page, it tells me I need to follow Mrtweet to start receiving the benefits.  And when I check MrTweet on Twitter, I am not shown as already following it.  Since my only contact with Mr. Tweet was 76 days ago, I have no recollection of anything I might have done that invited that original direct message to me, but I could have. 

On the other hand, this appears to be an interesting arms-length arrangement.  Mr. Tweet apparently provides support that does not require my credentials to access.  Furthermore, its communication with me is via Twitter direct messages.  My opting-in by direct-messaging Mr. Tweet does not require me disclosing my Twitter credentials. 

I would say I am safely intermediated by this clever use of existing Twitter provisions. 

Because I’m not interested in this service, especially not enough to receive direct messages, I am not following Mr. Tweet.  This personal choice has to do with my direct messages coming to my e-mail inbox and also my mobile phone.  I want to limit that traffic. 

Hmm, looking deeper while researching this post, I see that the Mr. Tweet page does have a (Twitter?) login panel at the very top.  Maybe this isn’t cool after all?   Worse yet, if I choose to follow any of those Mr. Tweet lists as interesting followers using buttons on the Mr. Tweet page, it requests my Twitter credentials.  Even though I can click through the links provided to the Twitter pages of those followers and follow them there.

FAIL!!  I did notice someone that I thought I should be following, but I went to the Twitter site to do it.

Mr. Tweet should stop being so helpful and take those follow links off their recommendation page, letting us use Twitter to do it.  Links to individual Twitter pages are all we need.

Now I wonder what the direct-message enablement is all about.  It should be a way to establish that I am the user of the account I would use Mr. Tweet for, but they don’t really need to establish that, it appears.

Mr. TweetSum has Data just for Me.  Not Really.

Tweetsum was being recommended in a Twitter update from Andrew Woods.  I still don’t know what a DBI is, but I saw immediately that I must use my Twitter credentials to get started.  That stopped me cold, as usual. 

On questioning Andrew about this, I was not inspired by his remark that he knew the developers and one was a security expert so he had no problems with providing his credentials.   What failed to inspire my confidence is that there does not seem to be any need for my Twitter credentials for them to accomplish what they offer. 

I now see on the TweetSum blog that they know they don’t need the credentials either.  They promise not to keep them and “don't worry, we don't keep this info -- twitter merely tells us you are who you say and we believe twitter.”  

So, wait a minute.  They don’t need my Twitter credentials to do what they do, just as I thought. 

Yet they want to be sure it is me?  Why? 

Someone who asks for Tweetsum analysis for orcmid still can’t impersonate me to Twitter or any of my followers or anyone else.  They can’t do anything with information from TweetSum that they couldn’t do anyhow (like, stalk all my followers or something), with or without automated assistance.  So what’s the point? 

TweetSum having my credentials even for that one check is just security-theater ceremony.  There are a lot of those being passed around these days, but that is no reason to tolerate them. 
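To make the distinction concrete, here is an added example (not code from the original post, and not anything Twitter, Flickr, TweetSum or Mr. Tweet actually run) contrasting the two arrangements discussed above: a third-party site that collects the raw password, and the Flickr / Photo Gallery style of arrangement in which the service itself mints a per-application credential that applies only to that application.  The same toy model also shows the "identity assertion only" check that TweetSum says is all it needs: the service vouches for who the user is without the application ever seeing a password.  The `Provider` class, the scope names and the sample account are all constructed for illustration.

```python
# Added example, not part of the original post: a toy model contrasting a
# third-party app that holds the user's raw password with one that holds a
# per-app, scoped, revocable token minted by the service itself.  Provider,
# the app names and the scope labels are constructed for illustration only.
import hashlib
import secrets
from dataclasses import dataclass, field
from typing import Iterable, Optional

ALL_SCOPES = frozenset({"read", "post", "dm", "follow"})


@dataclass
class Provider:
    """Stand-in for the service that owns the account (hypothetical)."""
    users: dict = field(default_factory=dict)   # username -> (salt, pbkdf2 digest)
    grants: dict = field(default_factory=dict)  # opaque token -> grant record

    @staticmethod
    def _hash(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def register(self, username: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self.users[username] = (salt, self._hash(password, salt))

    def check_password(self, username: str, password: str) -> bool:
        rec = self.users.get(username)
        if rec is None:
            return False
        salt, digest = rec
        return secrets.compare_digest(digest, self._hash(password, salt))

    def grant(self, username: str, password: str, app: str,
              scopes: Iterable[str]) -> str:
        """The user proves the password to the provider (never to the app);
        the provider mints an opaque token bound to this app and these scopes."""
        if not self.check_password(username, password):
            raise PermissionError("bad credentials")
        token = secrets.token_urlsafe(32)
        self.grants[token] = {"user": username, "app": app,
                              "scopes": frozenset(scopes) & ALL_SCOPES}
        return token

    def revoke(self, token: str) -> None:
        """The user can cut off one app without touching any other."""
        self.grants.pop(token, None)

    def whoami(self, token: str) -> Optional[str]:
        """Identity assertion only: the provider vouches for who the user is,
        which is all a 'just tell me it is really you' service needs."""
        g = self.grants.get(token)
        return g["user"] if g else None

    def act(self, token: str, action: str) -> str:
        """Perform an action on the user's behalf, if the token carries the scope."""
        g = self.grants.get(token)
        if g is None or action not in g["scopes"]:
            raise PermissionError(f"no grant for {action!r}")
        return f"{g['app']} did {action} as {g['user']}"


def delegated_app(provider: Provider, token: str, wanted: Iterable[str]) -> list:
    """An app holding only a token gets exactly the scopes the user chose."""
    out = []
    for action in wanted:
        try:
            out.append(provider.act(token, action))
        except PermissionError as exc:
            out.append(f"denied {action}: {exc}")
    return out


def password_holding_app(provider: Provider, username: str, password: str) -> list:
    """An app that collected the raw password can mint itself a full-power
    grant at any time; revoking it means changing the password everywhere."""
    token = provider.grant(username, password, "any-site", ALL_SCOPES)
    return [provider.act(token, a) for a in sorted(ALL_SCOPES)]


if __name__ == "__main__":
    svc = Provider()
    svc.register("orcmid", "correct horse")        # constructed sample account
    tok = svc.grant("orcmid", "correct horse", "TweetSum", ["read"])
    print(svc.whoami(tok))                         # -> orcmid, no password shown
    print(delegated_app(svc, tok, ["read", "post"]))
    svc.revoke(tok)
    print(svc.whoami(tok))                         # -> None
    print(password_holding_app(svc, "orcmid", "correct horse"))
```

The point of the contrast is in the two app functions: the token-holding app is denied anything outside its scope and loses access the moment the user revokes that one grant, whereas the password-holding app can grant itself everything and the only remedy is a password change that disturbs every other legitimate use.  The `whoami` call is the whole of what a service that merely wants to know "you are who you say" requires.
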

There is value in learning to spot security theater illusions, though.   When we encounter these charades it is also legitimate to wonder what else is not being understood about security on the behalf of a service’s users. 
