Stop Sharing Your Twitter Credentials

Posted: December 10, 2008 by dbrown26 in Uncategorized

This post is mainly a response to this:

At Twitpay, we obviously needed to work with Twitter, and since they don’t yet offer OAuth (or something similar), we explored the options on how best to do this. There has been a proliferation lately of sites that ask you to provide your username and password for other sites in order to use some sort of functionality, usually searching through your address book. While this tradeoff of security for convenience may be worth it in the short term in order to “get something done”, unless you are using a different password for every site you visit (which is not the case for the VAST majority of users), it is NEVER a good idea.

Perhaps we would be best served by giving a couple of more basic email-based examples. First, let’s assume you are a new MySpace user (and, to be fair, Facebook has the exact same procedure) and you have just registered for your account. The second step they offer you, after you add a picture, is to enter the password for your email account (GMail, Yahoo, Hotmail, etc.). They also include a caveat that says that “MySpace will not store your email login information.” Well, that’s all well and good, but the user has exactly zero ways of verifying that claim. So from a user’s perspective, your email username and password are now out in the wild and can no longer be trusted to be safe.

Here is where the situation gets ugly, as there are a lot of sites getting into this method of “faux authentication”. If someone manages to hack into any one of their systems, the user is at risk. Because even if the site abides by its statement that it does not store the user’s credentials in the database, I bet there is a fair to even chance that at least some of them will have that information show up in the web or application server logs.
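To make the log-leak concrete, here is an added example (not code from this post or from Twitpay) of a request logger that scrubs credential fields before a line is written, next to a check that tells whether a line still carries a credential. The sample log lines and the list of sensitive key fragments are constructed for illustration.

```python
import re

# Constructed sample of lines a naive request logger might write when a site
# asks users for their e-mail or Twitter credentials. Not from any real server.
RAW_LOG = [
    "POST /import-contacts body=email=alice%40example.com&email_password=hunter2",
    'POST /api/twitter body={"username": "alice", "password": "hunter2"}',
    "GET /profile?user=alice",
]

# Any parameter or JSON key containing one of these fragments is treated as a
# credential. The list is an assumption for this example; extend it per application.
_KEY = r"[\w.\-]*(?:pass|pwd|secret|token)[\w.\-]*"
_FORM_RE = re.compile(r"(?i)(?<![\w.\-])(%s)=([^&\s]*)" % _KEY)
_JSON_RE = re.compile(r'(?i)"(%s)"\s*:\s*"((?:[^"\\]|\\.)*)"' % _KEY)

def leaks_credentials(line):
    """True if a log line still carries a credential value that was not scrubbed."""
    for rx in (_FORM_RE, _JSON_RE):
        for m in rx.finditer(line):
            if m.group(2) != "[REDACTED]":
                return True
    return False

def redact(line):
    """Replace credential values in form-encoded and JSON request bodies."""
    line = _FORM_RE.sub(lambda m: m.group(1) + "=[REDACTED]", line)
    return _JSON_RE.sub(lambda m: '"%s": "[REDACTED]"' % m.group(1), line)

def log_request(line, sink):
    """Hardened path: scrub the line before it reaches the log sink.
    A logger that appends `line` unchanged is the naive version this post warns about."""
    sink.append(redact(line))

if __name__ == "__main__":
    scrubbed = []
    for raw in RAW_LOG:
        log_request(raw, scrubbed)
    for raw, clean in zip(RAW_LOG, scrubbed):
        print("leaks" if leaks_credentials(raw) else "clean", "->", clean)
```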

If that is the case, then the first thing that will happen is that your account will be used as a spam generator. This is a pain, but it’s not going to ruin your day. The real trouble begins when the attacker begins to farm that email account for information. Unless the user has used that account as a throwaway only for registrations, in all likelihood the attacker can now mine the account for your real name, your address, and enough other information about you to effectively steal your identity. Second, it is probable that they now have access to your bank account and other financial data as the majority of people do not use different passwords for different sites. Their email password is likely the same password as their banking password. At that point the game is effectively over.

This principle extends past email usernames and passwords as well. The most recent example we can see of this is with Twitterrank, discussed here: Most people immediately think, “I don’t care if someone steals my Twitter account”, or at least they care very little, because who cares if someone tweets on their behalf in the short term.

The problem is much larger than that.

First, Twitter has an open security hole documented here: Basically, if some hacker manages to get your username and password and log in to Twitter before you are able to change it, they effectively have permanent control of your account. Changing your password does no good because they have a cookie that establishes them as you.
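One way to close the hole described above, as an added example that is neither Twitter’s code nor the author’s: each session records the password generation it was issued under, so a password change invalidates every cookie issued before it. The names Account, SESSIONS and password_generation are assumptions for this example.

```python
import hashlib
import hmac
import secrets

class Account:
    """Minimal account record (constructed for this example, not Twitter's code).
    password_generation is bumped on every password change."""
    def __init__(self, username, password):
        self.username = username
        self.salt = secrets.token_bytes(16)
        self.password_generation = 0
        self.set_password(password)

    def _digest(self, password):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt, 50_000)

    def set_password(self, password):
        self.password_hash = self._digest(password)
        self.password_generation += 1   # every cookie issued so far is now stale

    def check_password(self, password):
        return hmac.compare_digest(self.password_hash, self._digest(password))

# Server-side session store: session id -> (username, generation at issue time)
SESSIONS = {}

def login(accounts, username, password):
    """Issue a session cookie value after a successful password check."""
    acct = accounts.get(username)
    if acct is None or not acct.check_password(password):
        return None
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = (username, acct.password_generation)
    return sid

def session_valid_naive(accounts, sid):
    """The hole described above: the cookie stays good until it is deleted,
    however often the owner changes the password."""
    return sid in SESSIONS

def session_valid(accounts, sid):
    """Hardened check: a cookie issued under an older password generation is
    rejected, so changing the password evicts whoever holds the stolen cookie."""
    entry = SESSIONS.get(sid)
    if entry is None:
        return False
    username, generation = entry
    acct = accounts.get(username)
    return acct is not None and generation == acct.password_generation
```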

The second issue here is one of very basic data mining and social engineering. Passwords are a poor mechanism for security in and of themselves, as written about here by Schneier: And because multiple passwords are difficult to manage, people tend to use the same passwords for every site. So once we have either successfully attacked a site that is storing Twitter usernames and passwords, or have set up a fake application to gather them, it is trivial to figure out people’s emails from that list and to then begin seeing if their email accounts use the same or a similar password. And once we establish the ones that do, we then again have the keys to the castle, as we mine the email for personal and financial info.

If a large number of sites start asking for usernames and passwords, users will get used to providing this kind of information to third parties. Once they are so conditioned, it will be easy to launch scams that ask for these credentials. Each new site that asks for this kind of information contributes to a future situation in which users have been trained to give their password out to anyone who asks for it. It’s like environmental pollution. No individual site creates this overall conditioning, but each contributes a small part to a bigger problem.

My next post will talk about better ways to gracefully handle sites that do not offer OAuth or something similar as a mechanism to access their data. I can be reached on Twitter @tensigma.

  1. rickd says:

Interesting topic, well written, just one nitpick: in the 3rd to last paragraph you say “because multiple passwords are different to manage” where I think you meant to say “difficult to manage.”

  2. dbrown26 says:

    Thanks rickd, you are right, and I’ve made the edit.

  3. I agree. Just yesterday I made the suggestion that Twitter use a second password which can be provided to third party apps with limited security access. This would be a password generated by the system to prevent the scenario you outline above.

    It’s not really necessary if/when OAuth gets implemented but it was something I thought I’d share.

  4. Louis Gray says:

    The best solution is for Twitter to get a better security offering. But as of now, there are dozens and dozens of programs that ask for user name and password, and people have gotten used to doing it. Twitter has got some work to do indeed, but I don’t think we should live scared.

  5. Ranga says:

    You can slowdown the attackers by using pwdhash even if you type the same password at all sites.

  6. dbrown26 says:

    Louis, the point of my problem is that each time user’s “get used to it” the problem becomes that much worse. We may go along for quite a while without hearing about a hack around this, but when it does happen, it will be big and it will be ugly. This is simply not the proper way to develop applications.

  7. dbrown26 says:

    Ranga, I agree, you will definitely slow them down. The bigger problem is that your average user has simply never heard of anything like pwdhash and has no idea how to use it or what it does. Real security is as much about practicality as it is about technology.

  8. Huh says:

Steal some of my information and identity through Twitter – HUH? It’s all public on Twitter: who I am, what I think, what I do, a link to my website with further about me.

This is how it is for many, many others – yet I should say zero enter their social security in any social site minus a bank or govt site.

    Unable to follow your steal identity comment – maybe you can elaborate?

  9. @Huh: it’s not the Twitter account itself, it is the password.

    The common practice of having the same password for several services, say Twitter, Email and Ebay, is irresponsible by the user.

    But encouraging the user to share these credentials (e.g. to read the address book) is irresponsible by the service.

  10. gregburrus says:

Great article – this definitely needs to be resolved. I for one did not think about it at that level, so forewarned is forearmed, so this article served its purpose.

    However the solution I suspect is a long way off meaning getting all the software developers to use it once the solution has been found.

I, like most people, love technology and the ease of use of the web, but it seems the solution is people and that is never good. As most people never think security ’til a problem occurs.

  11. […] Stop Sharing Your Twitter Credentials This post is mainly a response to this: […] […]

  12. Micah says:

    Since the problem lies with the developers and not the end users, that’s where we need to apply pressure. Perhaps it’s time to start some sort of petition or seal of approval.

    A small-time developer pledges not to ask for usernames/passwords in the manner you’re describing here, and instead promises to only use OAuth-style authentication. For small guys, that’s enough to get on the in-list.

    For big-time sites like Facebook and MySpace, we put pressure on them and try to embarrass them (in blog posts like this) as weak or lax on security until they’re forced to comply as well.

    It probably would end up doing nothing, but might garner them some bad press.

  13. […] Stop Sharing Your Twitter Credentials: A post Twitpay blog about the problems and hazards of providing your Twitter username and password combination to 3rd party services that add functionality to twitter. To be fair many other large online services have similar problems, the problem is compounded by the fact that Twitter does not yet have its own secure or delegated authentication or authorization mechanisms. […]

  14. […] 17, 2008 by brain Okay, maybe read this article first. It’s a bit long & involved, but the basic message […]

15. […] Anyone who wants to take a look at Twitpay will find the site as well as links to the Twitpay blog and Twitter account at In the Twitpay blog there is also an interesting post on the subject of passing on Twitter login data. […]

  16. BeatTweet says:

    Heavy Heavy stuff!
