It’s difficult sometimes to think what many of us did before Twitter. How did we find out about the latest breaking news on a storm, local crime, or the next backlash in the Perez Hilton / Lady Gaga feud? We used to have to wait hours for a story to be reported on T.V. or come out in a newspaper article. Now, this information is at our fingertips within minutes. With use of the right hashtag, or just by following the right “tweeters,” you can find out what your favorite celebrity is eating, or get breaking news before it’s posted to any news source. However, you may also be opening up quick access to your own information through doors you might not even know exist.
Thousands of Twitter users found their accounts exposed in such an unexpected manner recently when a hacker from Mauritania published details of more than 15,000 user accounts. The details did not include passwords, but rather “OAuth tokens,” part of a process that allows users to authorize third-party apps to access their account information without offering up login credentials.
Now I’ve talked before about how secure the average social media account is usually kept. Many people leave their valuable information exposed on social media profiles by staying logged in after each use, using weak passwords, and even using the same password across all of their accounts. However, even beefing up the security of your logins might not matter in this situation. By granting third-party apps access to your Twitter account, you are giving them permission to automatically post on your behalf to other apps like Facebook, for instance. This access, unfortunately, uses less secure code and essentially bypasses your login security, opening a virtual side door to your account. Obtained by the wrong people, this access allows hackers to post as you without needing to have pilfered your actual login credentials.
What does this mean for Twitter users?
Well you don’t have to change your password, but you should probably revoke and re-link access to any third-party apps you have connected to your Twitter account. Rather than hacking into Twitter’s infrastructure directly, it’s likely that this “Mauritania Hacker” got his data from a third-party system, meaning that while your main account information is safe, your access to those third-party apps you have connected to Twitter might have been compromised.
What is a third-party system?
You may have noticed that on your first visit to a website or upon the download of a new mobile application that links to one of your social media accounts, many sites and apps now ask you to sign in with Twitter or Facebook. This method, often referred to as a social login, links your accounts to third-party app using the information in your social media profiles. Mostly as a measure of convenience, this process makes it so that you don’t have to create a new user name and password for new accounts and provides the company on the receiving end with some data points on you that they wouldn’t otherwise receive. It can also give an app permission to post to your linked social accounts under your name.
When you choose to sign in with Twitter, this “third party” is granted limited access to your account. They don’t get your password, but they do get the ability to tweet, message, and (potentially) spam your followers. While Twitter has built a system of servers that are highly encrypted and tough to hack, it’s fairly safe to say that the average third party application isn’t quite as bulletproof. It was this lesser-guarded entry point where the Mauritania Hacker made his move.
It’s a creative backdoor to nab your social identity in a way, at least to post as you, but it can cause havoc on your social profiles. Take the following steps to protect yourself from becoming a potential victim of this sidestep around your secure passwords:
- Rescind privileges to unused or unknown applications: Login to your Twitter account and click on the gear icon in the upper right corner and in the drop down menu go to Settings. Then choose the Apps link on the left hand side. Here you’ll see a list of all third party applications that you (at one point or another) have granted access to. Remove applications generously to reduce your risk of being hacked.
- Think twice before granting access to third party apps: When given the option, consider creating a new account with your email address or new user ID rather than logging in with Twitter or Facebook. If a website or mobile app insists that you login with a social network but there’s no apparent reason that they should need any of your personal information, think twice about registering at all.
- Use strong passwords to protect your account. I can’t emphasize enough that using passwords with multiple variants such as upper and lower case letters, numbers, and special characters (@, #, and !) significantly increase the security of your accounts. Also, avoid using birthdays, family names, or other publicly available information.
- Regularly change and update passwords. It’s true that in this instance no passwords were released, but it’s still a good tactic to update your passwords as a precaution. Be sure to change passwords regularly and not to use the same password across multiple accounts, i.e. financial, social media, and email logins.
- Consider using a strong password manager such as McAfee SafeKey, part of the McAfee LiveSafe™ service. Store all of your passwords in one place, and access them from any of your devices with single click login.
To receive updates on the latest Twitter, Facebook, & mobile security threats and to learn more about how to protect yourself, follow us on @McAfeeConsumer and like us on Facebook.