NEWS FROM THE LAB - Wednesday, September 1, 2010

Twitter Spam and the OAuthcalypse Posted by Sean @ 15:36 GMT

Twitter discontinued support for basic user authentication in third-party applications yesterday morning.

Good. It's always best never to share your password with a third party. Even if you trust them, their database could be compromised, and your password along with it. Discontinuing basic authentication also removes the vector of brute-force password attacks via Twitter's API, since the API no longer accepts a username and password at all.

All third-party applications must now use Twitter's OAuth.
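To make the point concrete, here is an added example (not code from the original post, and not Twitter's or F-Secure's code) of how OAuth 1.0a, the scheme Twitter adopted, keeps the user's password out of the third-party application, and why the "Revoke Access" step described further down actually cuts the application off. The application holds only a per-user access token and signs each API call with HMAC-SHA1 over the request; the provider recomputes the signature from its own copy of the secrets and simply forgets the token when access is revoked. The consumer key, secrets, user name and API URL below are constructed for illustration; replay protection (timestamp freshness and nonce uniqueness) is noted but left out of the toy provider.

```python
"""Added example: OAuth 1.0a request signing and provider-side verification.
Everything here (keys, secrets, the endpoint URL) is constructed for the demo."""
import base64
import hashlib
import hmac
import secrets
import time
from urllib.parse import quote


def _enc(value) -> str:
    """RFC 3986 percent-encoding as OAuth 1.0a requires: only A-Z a-z 0-9 - . _ ~ stay unescaped."""
    return quote(str(value), safe="~")


def base_string(method: str, url: str, params: dict) -> str:
    """Signature base string: METHOD & enc(base URL) & enc(normalized parameter string)."""
    pairs = sorted((_enc(k), _enc(v)) for k, v in params.items())
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return f"{method.upper()}&{_enc(url)}&{_enc(normalized)}"


def hmac_sha1_signature(method, url, params, consumer_secret, token_secret) -> str:
    """Base64(HMAC-SHA1(key, base string)) with key = enc(consumer_secret) & enc(token_secret)."""
    key = f"{_enc(consumer_secret)}&{_enc(token_secret)}".encode()
    digest = hmac.new(key, base_string(method, url, params).encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()


def sign_request(method, url, params, consumer_key, consumer_secret, token, token_secret,
                 nonce=None, timestamp=None) -> dict:
    """What the third-party app sends: request params plus oauth_* fields. No username, no password."""
    oauth = {
        "oauth_consumer_key": consumer_key,
        "oauth_nonce": nonce or secrets.token_hex(16),
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_timestamp": str(timestamp or int(time.time())),
        "oauth_token": token,
        "oauth_version": "1.0",
    }
    oauth["oauth_signature"] = hmac_sha1_signature(method, url, {**params, **oauth},
                                                   consumer_secret, token_secret)
    return {**params, **oauth}


class ToyProvider:
    """Provider-side state: registered apps and which access token belongs to which user.
    A real provider would also reject stale timestamps and reused nonces (omitted here)."""

    def __init__(self):
        self.consumers = {}   # consumer_key -> consumer_secret
        self.tokens = {}      # oauth_token -> (consumer_key, token_secret, user)

    def register_app(self, consumer_key, consumer_secret):
        self.consumers[consumer_key] = consumer_secret

    def grant(self, consumer_key, user):
        """The 'Allow' click: mint a token/secret pair for this app and user. The app never sees the password."""
        token, token_secret = secrets.token_hex(8), secrets.token_hex(16)
        self.tokens[token] = (consumer_key, token_secret, user)
        return token, token_secret

    def revoke(self, token):
        """The Settings/Connections 'Revoke Access' click: the token simply stops existing."""
        self.tokens.pop(token, None)

    def verify(self, method, url, wire_params):
        """Recompute the signature from the provider's secrets; return the user on success, else None."""
        sig, token, ck = (wire_params.get(k) for k in ("oauth_signature", "oauth_token", "oauth_consumer_key"))
        if sig is None or token not in self.tokens or ck not in self.consumers:
            return None
        owner_ck, token_secret, user = self.tokens[token]
        if owner_ck != ck:
            return None  # token was issued to a different application
        unsigned = {k: v for k, v in wire_params.items() if k != "oauth_signature"}
        expected = hmac_sha1_signature(method, url, unsigned, self.consumers[ck], token_secret)
        return user if hmac.compare_digest(expected, sig) else None


def demo():
    """Walk through grant -> signed call -> tampered call -> revoke; returns the three verify results."""
    provider = ToyProvider()
    provider.register_app("ladygagaphotos", "app-secret-example")          # constructed app credentials
    token, token_secret = provider.grant("ladygagaphotos", "victim")      # user clicked 'Allow'
    url = "https://api.twitter.example/1/statuses/update.json"            # constructed endpoint
    body = {"status": "check out these photos!"}
    req = sign_request("POST", url, body, "ladygagaphotos", "app-secret-example", token, token_secret)
    accepted = provider.verify("POST", url, req)                            # -> "victim"
    tampered = provider.verify("POST", url, {**req, "status": "something else"})  # signature no longer matches
    provider.revoke(token)                                                 # user clicked 'Revoke Access'
    after_revoke = provider.verify("POST", url, req)                        # same request, now rejected
    return accepted, tampered, after_revoke


if __name__ == "__main__":
    print(demo())
```

The revocation part is the point of the "Revoke Access" button: the application keeps its copy of the token, but once the provider has deleted it every further signed request fails verification, without the user having to change a password that the application never held in the first place.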


So, that being the case… we have a feature request.

The other day, we came across some Twitter spam using a bit.ly link that pointed to an application called "Lady Gaga photos".


If you "Allow" the application, two things will happen: the account tweets spam and follows two new accounts (emoboyxx3 and BoyGeorge).

We don't suspect Boy George is behind this…


Okay, so it's a spam application. Time to visit Settings/Connections and revoke its access.


And here's our feature request: alongside "Revoke Access", we want a "Revoke Access and report as a spam application" option.