Twitterank Snatches Passwords, Raises Security Concerns
I have to admit a heavy dose of skepticism on hearing the deafening din of "did you get your twitterank?" posts today, and it seems that I'm not the only one with doubts about the merits and motives of this latest fame-grabbing (and potentially powerful phishing) microblog app.
UPDATE | Nov. 13: This time around, it appears that the service is genuine; however, it raises important questions regarding web users' collective willingness to give up their online "security" with very little knowledge of where their information is going - or for what purpose it may be used.
People are way too willing to fork over the keys to their online kingdom. That has the potential for devastation.
Louis Gray expresses the "so-what" attitude that a lot of Web 2.0 junkies seem to have:
The downsides of somebody hacking into my Twitter account and getting my credentials are low to begin with. In theory, if my account were compromised, they could Tweet on my behalf and make me look like a fool for some time, until I managed to get to Twitter support. In the meantime, you'd be sure to hear about it, and I assume others would be vocal in my favor. Another concern would be if you or I used the same login and password combination on other services. The perpetrator could then guess your ID on other services, or even access your financial records or anything else sensitive. But again, given the other Twitter developers' comments in regards to OAuth, I tend to believe this is something the coders are working around, and I don't think this is a mass account grab.
Gray is way too cavalier about the possibility that cyberscum grabbing a Twitter password could get access to more important accounts. The reality is that most people are lazy when it comes to security, and they use the same password for multiple accounts. I bet a lot of the passwords used on Twitter would also get you into that person's online banking account. That kind of identity theft is a nightmare, and not something to be dismissed so lightly.
Twitter and other social media services need to rethink how they do online authentication and the management of identity. Twitterank is genuine and the alarms raised were false, so no harm done.
PREVIOUSLY | Nov 12:
Manna from the heavens for cloud sceptics - on a day when a lot of professional photographers lost all their images because photo hosting site Digital Railroad went under - Twitter users fanned their egos en masse to parade their ‘twitterank‘ to their followers.
Twitterank has no apparent purpose beyond a sketchy numerical rating, and there are rumors circulating on Twitter this afternoon that it is basically a fishing expedition.
I picked up on this after seeing Tantek Çelik retweet:
At the time of this writing I’m not sure what’s going on with Twitterank, but I have to say it is amazing how promiscuous web app users can be with their security details.
This sort of vanity time wasting harms Twitter’s credibility as a useful collaboration and communication tool and adds credence to many IT professionals’ doubts about the security of online transactions.
The ‘Twitterank algorithm is vewy vewy secwet‘ - your login details should be as well!
Disclaimer I am about to ask you for your Twitter user ID and password. You should be afraid. This is where you ask yourself, "Do I really want to find out my twitterank badly enough to give some random dude on teh interweb my account info?" And if that's not what you're asking yourself, shame on you.
Fortunately, I'm not out to steal ur twitterz. Frankly, I wish I didn't have to ask for your account info, but Twitter doesn't offer APIs using any other authentication mechanism (according to the docs). So blame them. Read more about what I'll do with your account info/data in the FAQ.
I will not store your password. I will only use it once to calculate your Twitterank.