Rogue OAuth Apps: Like Vampires, You Must Invite Them Into Your Account*


As most of you reading this blog know, I lead Twitter’s Trust and Safety department. Two of my teams are API Policy and Spam. While these teams have a number of responsibilities, they also both work to find and suspend bad apps that appear on Twitter. Sometimes, though, bad apps surface and trick users into authorizing them before we can suspend them. Given the variety of bad apps that have popped up lately, I think perhaps it’s time for a refresher course on OAuth apps and some examples of bad ones.

First: what’s an OAuth app? In a somewhat circular answer (and for the purposes of this blog post), it’s an app that uses OAuth to connect to your account. OAuth is a method that lets an app act on your account without your ever handing it your password. You can read more about Twitter apps and OAuth here.
 
You’ll know that an OAuth app would like to connect to your account if you click on a link somewhere and it takes you to an api.twitter.com page that looks something like this (though this isn’t an example of a bad app, just an OAuth connection request!): 



In this case, Favstar.FM (an app that I use and like) is asking me (@delbius) for account access. If a message like that pops up unexpectedly after clicking on a link somewhere (from Twitter or elsewhere), and you aren’t sure why it popped up or what the app does, do not click “Allow.” Even if you think you *do* know what the app does, you shouldn’t grant it access to your account if it claims to do anything in the following list that could well be titled (and is) “Things an OAuth app cannot do”.

Things an OAuth app cannot do:

allow you to spy on other people’s profiles
authorize your account
certify your account
force a celebrity to follow you
force anyone to follow you
get you followers fast
get you hundreds of followers fast
get you thousands of followers fast
give you access to shocking videos
give you access to salacious pictures
give you free food
give you free gadgets
give you free phones
grant you unlimited Twitter access
prevent your account from being deleted
show you a video no one can watch without laughing
show you a video no one can watch without dying
show you a video no one can watch without getting scared
show you a video no one can watch without looking down
show you who’s spying on your profile
show you who’s viewed your profile the most
show you who’s viewing your profile
show you who’s viewing your profile while not logged in
tell you everyone who’s ever unfollowed you prior to authorizing the app
tell you how many hours someone else has spent on Twitter
tell you how many hours you’ve spent on Twitter
tell you how you’ll die
tell you when you’ll die
tell you who’s stalking you on Twitter
verify your account

If you authorize an app like the ones listed above, it will spam your timeline, and thus your followers, with links and dramatic statements in an attempt to get more people to authorize it as well. If you’ve authorized a third-party application that you don’t recognize or that is spamming your account, you should revoke access. You can check which apps you’ve authorized by going to the Connections tab in Account Settings.

Note that these rogue apps are not types of malware, trojans, viruses, or worms. The difference is that these apps only gain access to your account once you grant them permission. Fortunately, you can revoke access just as easily as you can grant it. Once you’ve revoked access for that bad app, it no longer has access to your account and, thanks to OAuth, your password won’t be compromised.
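To make that invite-and-revoke model concrete, here is an added Python sketch; it is not Twitter’s code or API, and the site class, the sample account, its password and the rogue app name are all constructed for the illustration. It shows the three points above in one run: no “Allow” click means no access, the app only ever holds a token, and revoking in Connections cuts the app off without the password ever being exposed.

```python
# Toy model of OAuth-style delegated access (not Twitter's real API): an app
# gets a token only after the user clicks "Allow" on the site's own consent
# page, never sees the password, and loses access when the grant is revoked.
import secrets


class Site:
    """Stand-in for twitter.com: holds accounts, issues and revokes tokens."""

    def __init__(self, accounts):
        self.passwords = dict(accounts)  # handle -> password (site-side only)
        self.grants = {}                 # access token -> (handle, app name)

    def authorize(self, handle, password, app_name, clicked_allow):
        # Consent page: the user logs in to the site, not to the app, and
        # decides whether to invite it in. The app only ever sees the token.
        if self.passwords.get(handle) != password or not clicked_allow:
            return None
        token = secrets.token_urlsafe(16)
        self.grants[token] = (handle, app_name)
        return token

    def post_tweet(self, token, text):
        # Every API call by an app carries its token, never a password.
        if token not in self.grants:
            raise PermissionError("token was revoked or never issued")
        return f"@{self.grants[token][0]}: {text}"

    def revoke(self, handle, app_name):
        # Connections tab: drop every token issued to this app for this user.
        # The password is untouched because the app never had it.
        self.grants = {t: g for t, g in self.grants.items()
                       if g != (handle, app_name)}


def demo():
    site = Site({"delbius": "hunter2"})       # constructed sample account
    rogue = "WhoIsViewingYourProfile"         # hypothetical rogue app name
    # Without a click on "Allow" there is no access, whatever the lure says.
    denied = site.authorize("delbius", "hunter2", rogue, clicked_allow=False)
    token = site.authorize("delbius", "hunter2", rogue, clicked_allow=True)
    spam = site.post_tweet(token, "OMG see who's stalking your profile!")
    site.revoke("delbius", rogue)             # the user revokes in Connections
    try:
        site.post_tweet(token, "more spam")
        access_after_revoke = True
    except PermissionError:
        access_after_revoke = False
    return {"denied_without_allow": denied is None, "spam_sent": spam,
            "access_after_revoke": access_after_revoke}
```

Revoking one app's grant leaves every other app's token, and the account password, exactly as they were.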

Want some help pages? I thought you might. Here you go:

How to connect and revoke third party applications
How to keep your Twitter account secure
What to do if your account is compromised

*Though I’m aware the mythos surrounding the need for vampires to be invited into a home varies, I refer here, of course, to the text by Father Leone Allaci, originally published in 1645 (though cited most recently in Montague Summers’ The Vampire in Europe):

“For very often, inhabiting this body, he [the devil] comes forth from the grave, and going abroad through villages and other places where men dwell, more especially at night, he makes his way to what so ever house he will, and knocking upon the door he calls aloud by name in a hoarse voice one who dwells within. If such a one answers he is lost; for assuredly he will die the next day. But if he does not answer he is safe. Wherefore in this island of Chios all the inhabitants, if during the night they are called by anyone, never make reply the first time. For, if a man be called the second time it is not the vrykolakis who is summoning him but somebody else.”

Further, Agnes Murgoci notes in her 1926 article “The Vampire in Roumania”:

“At any time of the year it is well, especially at night-time, never to answer until someone calls you three times, for vampires can ask a question twice but not three times. If you reply when they speak to you, they may turn your mouth askew, make you dumb, cut off your foot, or kill you.”

So, y’know, keep that in mind too.

Posted by delbius