Twitter, Facebook Users: Review Account Settings

A major "hack" of prominent Twitter accounts has raised awareness of a big security loophole. The problem isn't with Twitter itself, but rather third party tools.

This morning several thousand accounts belonging to public figures and major organizations and businesses posted identical messages. The tweets included a swastika symbol and references to Nazi views in Germany and the Netherlands and are thought to relate to an ongoing political spat between the Netherlands and Turkey. (Source: bostonglobe.com)

There's never a good time for accounts to be hijacked in such a way, but today was particularly sensitive as people in the Netherlands were voting to elect a national government.

Automated Tool to Blame

Many observers initially assume either that Twitter itself had been hacked or that the people behind the tweets had managed to obtain the account passwords of the victims, perhaps through a phishing campaign.

In fact, it turns out the hacking was directed at Twitter Counter, a third party service. It's designed to help businesses keep track of how many people respond to and share particular tweets, something that's extremely useful for organizations that operate high-profile social media accounts and want to know how to reach more people with their message.

The way Twitter allows third-party tools to access its data means the Twitter account holder using the tool must give it specific permissions. With Twitter Counter, that meant giving permission to access their statistics and to post on their behalf.

Normally this latter permission is only ever used for automated posts when Twitter Counter users want to share a statistic, for example to highlight that a particular tweet was very popular. It relies on trust that companies such as Twitter Counter won't abuse the permission. That trust has been justified to date, but now the hackers were able to take advantage.

Permissions Can Be Revoked

While Twitter Counter is investigating the problem, it's proven an opportunity for many to review their permissions. To do so, users need to go to Twitter, click or tap their profile picture, select "Settings and Privacy" and then select "Apps". This will bring up a list of any third-party tools with account permissions, where users can revoke certain permissions if they don't recognize or are no longer comfortable with them. (Source: usatoday.com)

There's a similar setting for Facebook too. To get this, users need to select the downward arrow in the very top-right of the Facebook website, then select "Settings". On the page that appears, select "Apps" from the left-hand menu to see a list of apps and permissions.

What's Your Opinion?

Do you use any third-party tools on Facebook or Twitter? Do you trust them not to abuse permissions? Does this incident make you less comfortable about giving such permissions?