Federating Identity by Twitter - Am I Just Too Paranoid?

Wednesday, June 29, 2011

Rafal Los


Tell me, am I just entirely too paranoid? I mean, I've seen several highly regarded security professionals tweeting from this site already, so I couldn't resist giving it a look.

When I go to see my stats, because I'm interested, I get this lovely looking pop-up box asking me to provide my Twitter credentials, and telling me all about what capabilities this app will have once it has access to my Twitter profile.

Now, maybe I'm just becoming entirely too paranoid - but what do you think... would you allow this?


I don't get it, help me out here. What makes it OK for a widget like this one to follow new people?

I presume that this means the widget has the right to simply add people to my follow list, right?

This isn't dangerous until you recognize the trust placed in the 'follow' system... and how spam bot profiles can be legitimized through this type of thing.

But I'm probably just too paranoid.

Wait... why would a widget need to update my profile... I don't even feel comfortable letting my marketing people do that. What could it possibly add to my profile that... naa, I'm just paranoid.

Wait, this thing needs to read my direct messages? Why exactly? I'm just not entirely comfortable with this arrangement anymore.

Post tweets for me huh? I'm sure there's a perfectly legitimate reason for this too... I mean, why would this be a bad idea?

So - I can honestly think of legitimate uses for each one of these permissions the widget is asking for. Then again, for each legitimate use, I can think of no fewer than 2 evil uses should this widget be compromised, or simply turn evil or self-interested.

I mean look... at least the widget can't see my password, or access my direct messages after June 30th...

Who wants to bet that several thousand (million?) people have already clicked the "Sign In" button blindly without reading or fully understanding the implications of doing so? So... wait, this starts to sound like a South Park episode I recently saw... anyway...

My point is this - the users are, and will continue to be, our weakest point. Companies and widgets alike will continue to exploit your users.

I'm not saying these folks are evil or will ever do anything bad with complete access to your Twitter profile... but hey, I'm not a trusting kind of rabbit.

By the way, just for the record I clicked Cancel on this one. But then, I'm just overly paranoid.

Emmett Jorgensen: I completely agree!

Anytime I see a request like this it sends up a red flag. I know another social networking site that requests the same access and although I would like to use it, the risk outweighs the reward for me.

I know there may be legitimate reasons for wanting this access, but there are just too many variables that can go wrong. Why risk it?
