On Twply and giving out your Twitter password (updated)

Posted by Fred Oliveira on January 1, 2009 | Comments (30)

It’s 2009 and people are still, well, naive. I just read a post by Robert Scoble about how Twply, apparently a service that forwards the replies you get on Twitter to your email, collects its users’ Twitter usernames and passwords so it can post to Twitter as those users (and, of course, keeps that data to do with as it pleases in the future). There are three parties to blame for this whole thing:

1) The user: if you consider your Twitter account part of your identity (as I do), you shouldn’t be giving your password to anyone, particularly a service that shows no terms of use or privacy policy. These people could hijack your account tomorrow, and you would be to blame because you gave them the means to.

2) Twitter: because they’ve been sitting on their OAuth implementation for over a year now. OAuth would let a user grant an external service limited, revocable access to the account instead of handing over the account itself: the service receives a token the user can revoke at any time, and it never sees the password. That would give services a safe way to act on a user’s behalf without putting the user in jeopardy. Twitter folks, what the hell?

3) Twply: because they’re violating trust and being shady. Interestingly, someone asked them (over Twitter, no less) whether the passwords people were giving them were encrypted on Twply’s servers, to which they replied “yes they are“. Well, they can’t be, or they wouldn’t be able to send them to Twitter, would they?[1]

The subject of trusting web applications and services with your data is complex and tricky. But there are definitely apps out there that make it really clear they’re shady. The problem is that naive users (chasing the latest bling because they saw pundits mention the service) will still be lured in.

Footer notes

[1]: To put it simply, let’s say you give Twply your password and they “encrypt” it. If what they mean is a one-way hash (the kind of protection you would actually want), there is no way to reverse the process, and they cannot authenticate as you: instead of sending Twitter your password they would be sending the hash, which Twitter would reject. Twitter’s API uses HTTP Basic authentication, so a service has to present your actual password on every request it makes on your behalf. If what they mean instead is reversible encryption, their code holds the key and decrypts your password before each request, which protects against nothing more than a raw dump of the database; anyone with access to their servers still gets your password. Either way, it is 99.999% safe to assume that, whatever these people mean by “encrypted”, your password is recoverable by whoever controls Twply.

Updates

And *bam*, they’re sold! Not only do they have your passwords, they’ve sold themselves (and your data) to someone else to do with as they please (remember, folks: there are no terms of use or privacy policy here). With the passwords for accounts like @techcrunch, I was betting on a bit more than $1,200, but you know, they made a quick buck. My best recommendation: if you did give these people your password, go change it.

Comments on this post

FYI they also own TweetManager aka Twautor. The same situation may apply.

It’s like you said.. it’s 2009, people. Get on with the program! (both twitter users _and_ twitter themselves…) OAuth is long overdue. And when (note the lack of “if”) they put that up, I hope they put down the old HTTP-Auth-based API.

OMG, they were bought?? Someone should tell these people [1] individually to change their passwords.

[1] http://whit.me/twplyscammed

[…] your Twitter password so that the service can’t access your account. Lots of people are doing that now, as will I. […]

[…] to worry about is what the new owner plans to do with all of their login info and passwords, as noted by Fred Oliveira of We Break Stuff. […]


As usual it’s up to the early adopter to be the “canary” constantly falling off its perch. At least the alarm was sounded before they were sold; I can’t see anyone else signing up for now…

Was just waiting for this all day as I watched tweeps tweeting about using this service.

Sigh. I tweeted this am that I was paranoid of giving out a password to a complete stranger. Got a response along the line of “it’s not like it’s a bank account”.

Well, it’s my social media “bank”. I’ve spent a long time building my SM reputation. And someone unscrupulous could wreck that reputation in a few hours.

I just don’t get why so many will blindly hand over a password to someone they know nothing about.

Regarding the encryption of passwords: they can actually encrypt them. Twitter’s authentication model requires a hash of the username and password, so you can just ask for the credentials once and then store this hash in your db.

That still allows anyone to use this hash to access your Twitter account, but at least your password isn’t stored in plain text – in case you’re using the same one on other services too :)

I blame twitter for this mess. They could just implement OAuth.

[…] to happen sooner or later and it’s just surprising that it did not happen earlier: Yesterday Twitter passwords were sold! Well, actually Twply was sold just after one day of operation for the ridiculously tiny sum of […]

You may also want to check out yonkly. It’s the first “create your own” microblog to integrate with Twitter: http://yonkly.com

[…] Helloform » On Twply and giving out your Twitter password (updated) […]

[…] The only way out is to change your Twitter password so that the service can no longer access your account. Lots of people are doing that, and I intend to as well. […]

[…] than focus on Twply (which others have done, and whose evidence still lingers), I thought I’d talk about why this is an important […]


[…] Helloform » On Twply and giving out your Twitter password (updated) (tags: business twitter authentication scam oauth) […]

Interestingly, someone asked them (over Twitter, no less) if the passwords people were giving were encrypted on Twply’s service to which they replied “yes they are“. Well, they can’t be or they wouldn’t be sending them to twitter, would they?

You can keep users’ private credentials (including passwords) encrypted and still send them to the services. How?

Asymmetric encryption is one solution. You can encrypt data so that only some part of your code knows how to use it. Even if someone gains access to your database they’d also need to access that piece of your code.

Same problem happens with OAuth or any token based authentication method. If someone else gains access to an unencrypted database of credentials they can easily act on your behalf without your consent.

[…] a side note, I think this analogy describes the problems we’ve been having lately with the password anti-pattern, more specifically with third-party […]

Following up on my own post: sorry, I was wrong. Username and password are not protected by Twitter’s current authentication scheme.

To quote from the Specs (RFC 2617):

To receive authorization, the client sends the userid and password,
separated by a single colon (“:”) character, within a base64 [7]
encoded string in the credentials.

So even if you encrypt credentials in the database, they still get sent as quite easily readable text through the wire.

Ouch :)
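The footnote in the post (hash versus reversible encryption) and the RFC 2617 quote in the comment above come down to the same mechanic, so here is one worked example that serves both. It is added by the editor and is not code from the original post or from Twply. It builds the Authorization header that HTTP Basic authentication puts on the wire, decodes it back to the password, and then compares what a service can do with a one-way hashed password against a reversibly encrypted one. The username and password, the mock twitter_accepts() check standing in for Twitter’s server, and the HMAC counter-mode cipher standing in for a real AEAD are all constructed for the demonstration.

```python
"""Added example (not from the post or from Twply): why "we encrypt your
password" is no protection when a service logs in to Twitter for you with
HTTP Basic authentication (RFC 2617). Credentials below are constructed."""
from __future__ import annotations

import base64
import hashlib
import hmac
import os

PBKDF2_ROUNDS = 100_000


# ---- 1. What HTTP Basic auth puts on the wire (RFC 2617, section 2) -------

def build_basic_auth_header(username: str, password: str) -> str:
    """Return the Authorization header the old Twitter API expected."""
    token = base64.b64encode(f"{username}:{password}".encode("utf-8"))
    return "Basic " + token.decode("ascii")


def recover_credentials(header: str) -> tuple[str, str]:
    """Base64 is encoding, not encryption: anyone who sees the header
    (a proxy, a request log, a packet capture) gets the password back."""
    scheme, _, token = header.partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic credential")
    # RFC 2617: userid may not contain ':', so split on the first colon only.
    userid, _, password = base64.b64decode(token).decode("utf-8").partition(":")
    return userid, password


def twitter_accepts(header: str, real_username: str, real_password: str) -> bool:
    """Mock of Twitter's check: the header must carry the real password."""
    try:
        userid, password = recover_credentials(header)
    except (ValueError, UnicodeDecodeError):
        return False
    return userid == real_username and hmac.compare_digest(
        password.encode("utf-8"), real_password.encode("utf-8"))


# ---- 2. Storage model A: one-way hash (what "encrypted" ought to mean) -----

def hash_password(password: str, salt: bytes | None = None) -> tuple[bytes, bytes]:
    """Salted PBKDF2: fine for checking a login *to the service*, useless for
    logging in *as the user* at Twitter, because the password is not recoverable."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)


# ---- 3. Storage model B: reversible encryption, key held by the application --

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode as a keystream. Illustration only; a real
    service should use an AEAD from a vetted library, not this."""
    blocks, counter = [], 0
    while sum(len(b) for b in blocks) < length:
        blocks.append(hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest())
        counter += 1
    return b"".join(blocks)[:length]


def encrypt_for_storage(password: str, key: bytes) -> bytes:
    nonce = os.urandom(16)
    plaintext = password.encode("utf-8")
    return nonce + bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))


def decrypt_from_storage(blob: bytes, key: bytes) -> str:
    """The app must run this before every Twitter request, so the key lives
    next to the code: a database dump alone is the only thing this defeats."""
    nonce, ciphertext = blob[:16], blob[16:]
    return bytes(c ^ k for c, k in zip(ciphertext, _keystream(key, nonce, len(ciphertext)))).decode("utf-8")


def demo(username: str = "alice", password: str = "hunter2") -> dict[str, bool]:
    """Run the three scenarios and report what the mock Twitter would accept."""
    results = {}
    header = build_basic_auth_header(username, password)
    results["header_reveals_password"] = recover_credentials(header) == (username, password)
    results["plaintext_accepted"] = twitter_accepts(header, username, password)

    # Model A: the service can verify the user but has nothing it can send Twitter.
    salt, digest = hash_password(password)
    results["hash_verifies_locally"] = verify_password(password, salt, digest)
    results["hash_accepted_by_twitter"] = twitter_accepts(
        build_basic_auth_header(username, digest.hex()), username, password)

    # Model B: "encrypted" at rest, but the application key recovers the password.
    app_key = os.urandom(32)  # in a real deployment this is a constant in the app's config
    blob = encrypt_for_storage(password, app_key)
    results["encrypted_blob_hides_password"] = password.encode("utf-8") not in blob
    results["decrypted_accepted_by_twitter"] = twitter_accepts(
        build_basic_auth_header(username, decrypt_from_storage(blob, app_key)), username, password)
    return results


if __name__ == "__main__":
    for check, outcome in demo().items():
        print(f"{check:32} {outcome}")
```

Running demo() shows the asymmetry in one table: the hashed record verifies the user locally but cannot produce a header Twitter accepts, while the “encrypted” record decrypts to a header that works, which means the service, and anyone who compromises it, holds a working password.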

[…] Twitter hasn’t had a good start to 2009, it was hacked and then there were concerns that your passwords were up for sale and that’s not a good thing; except there may be a silver lining to Twitter’s cloud […]

[…] Twply story is a lesson in many ways (see the discussion about the password anti-pattern here, here, and here), but I going to focus on the interface of the service in […]

I think you’re confusing encryption and hashing.

Encryption is what you do when you need to get the data (maybe a password, maybe something else) back out intact. Hashing is a one-way process – you hash a password and you can’t retrieve the password text.

Someone else (who evidently knows the Twitter API, where I do not) posted that it’s possible to access twitter’s API by providing the credential hash. So if Twply were being honest (I’m not making that claim) they COULD handle credentials safely and not store your password…

emm.. love it.


Any news coming?



All design and content © Fred Oliveira 2007-2012, unless otherwise specified.