On Twply and giving out your Twitter password (updated)

It’s 2009 and people are still, well, naive. Just read a post by Robert Scoble about how Twply – apparently a service that sends replies you get at Twitter to your email – is using usernames and passwords for its users to send twitter messages with the users’ account (and of course, keeping that data to do as they please in the future). There’s 3 parties to blame about this whole thing:

twply 1) The user: if you consider your twitter account account a part of your identity (like I do), you shouldn’t be giving out your password to anyone. Particularly a service that has no terms of use or privacy policy showing. These people could be hijacking your account tomorrow and you would be to blame because you gave them the means to.

2) Twitter: because they’ve been sitting on their OAuth implementation for over a year now. Essentially, it would give users a way to provide external services with temporary access to the account, without actually giving the entire account away. This would provide a safe way for services to communicate without the user actually being in jeopardy. Twitter folks, what the hell?

3) Twply: because they’re violating trust and being shady. Interestingly, someone asked them (over Twitter, no less) if the passwords people were giving were encrypted on Twply’s service to which they replied “yes they are“. Well, they can’t be or they wouldn’t be sending them to twitter, would they?[1]

The subject of trusting web applications and services with your data is complex and tricky. But there’s definitely apps out there that make it really clear that they’re shady. Problem is, naive users (looking for the latest bling because they see pundits mention the service) will still be lured in.

Footer notes

[1]: To put it simply, let’s say you give TWply your password, and they encrypt it. If they do encrypt it properly there’s no way to reverse the process, which means they can’t authenticate as you with Twitter (because instead of sending Twitter your password, they would be sending the encrypted version of it, which would be invalid). It is 99.999% safe to assume that these people are lying, here.

Updates

And *bam*, they’re sold! Not only do they have your passwords, they’ve sold themselves (and your data) to someone else to do as they please (remember folks, there’s no terms of use or privacy policy, here). With the passwords for accounts like @techcrunch, I was betting on a bit more than $1.200, but you know, they made a quick buck. My best recommendation: if you did give these people your password, go change it.

30 thoughts on “On Twply and giving out your Twitter password (updated)

  1. It’s like you said.. it’s 2009, people. Get on with the program! (both twitter users _and_ twitter themselves…) OAuth is long overdue. And when (note the lack of “if”) they put that up, I hope they put down the old HTTP-Auth-based API.

    OMG, they we’re bought?? Someone should tell these people [1] individually to change their passwords.

    [1] http://whit.me/twplyscammed

  2. As usual it’s up to the early adopter to be the “canary” constantly falling of it’s perch. At least the alarm was sounded before they were sold, I can’t see anyone else signing up for now…

  3. Sigh. I tweeted this am that I was paranoid of giving out a password to a complete stranger. Got a response along the line of “it’s not like it’s a bank account”.

    Well, it’s my social media “bank”. I’ve spent a long time building my SM reputation. And someone unscrupulous could wreck that reputation in a few hours.

    I just don’t get why so many will blindly hand over a password to someone they know nothing about.

  4. Regarding the encryption of passwords: they can actually encrypt them. Twitter’s authentication model requires a hash of the username and password, so you can just ask for the credentials once and then store this hash in your db.

    That still allows anyone to use this hash to access your twitter account , but at least your password isn’t stored in plain text – in case you’re using the same one on other services too :)

    I blame twitter for this mess. They could just implement OAuth.

  5. Interestingly, someone asked them (over Twitter, no less) if the passwords people were giving were encrypted on Twply’s service to which they replied “yes they are“. Well, they can’t be or they wouldn’t be sending them to twitter, would they?

    You can keep users’ private credentials (including passwords) encrypted and still send them to the services. How?

    Asymmetric encryption is one solution. You can encrypt data so that only some part of your code knows how to use it. Even if someone gains access to your database they’d also need to access that piece of your code.

    Same problem happens with OAuth or any token based authentication method. If someone else gains access to an unencrypted database of credentials they can easily act on your behalf without your consent.

  6. Pingback: How to share a secret ~
  7. Following up on my own post: sorry, I was wrong. Username and password are not protected by twitters current authentication scheme.

    To quote from the Specs (RFC 2617):

    To receive authorization, the client sends the userid and password,
    separated by a single colon (“:”) character, within a base64 [7]
    encoded string in the credentials.

    So even if you encrypt credentials in the database, they still get sent as quite easily readable text through the wire.

    Ouch :)

  8. I think you’re confusing encryption and hashing.

    Encryption is what you do when you need to get the data (maybe a password, maybe something else) back out intact. Hashing is a one-way process – you hash a password and you can’t retrieve the password text.

    Someone else (who evidently knows the Twitter API, where I do not) posted that it’s possible to access twitter’s API by providing the credential hash. So if Twply were being honest (I’m not making that claim) they COULD handle credentials safely and not store your password…

  9. а все таки: восхитительно.

    общение с иностранцами: познакомлюсь с парнем 17 лет Ухта
    в Жуковском женщина желает познакомится – знакомства мужчины москва
    познакомлюсь с парнем icq в Новошахтинске – женщина желает познакомиться Новошахтинск
    Чебоксары познакомлюсь с парнем 17 лет: как оригинально познакомиться с парнем
    Ижевск познакомиться с австралийцем: девушка познакомится с мужчиной Ижевск
    как познакомиться с соседом Ноябрьск познакомлюсь с нудистами
    хочу попробывать секс с парнем: знакомство с мальчиками в Калуге
    женщина желает познакомится: познакомиться с японцем
    женщина в Тольяттах с большим бюстом познакомится: как познакомиться со звездой
    как познакомиться с хакером: хочу познакомиться с байкером в Муроме
    познакомлюсь замужем: в Москве секс знакомства с парнями

Comments are closed.