Saturday, January 3, 2009

Twitter probably needs an API key generation system to thrive

Good-Luck-Proxies

There's a big bad phish going around on Twitter today, likely either related to the Twply thing or seriously emboldened by it.


One of the first things I noticed when I looked at the Twitter API was that it is wonderfully open, and ripe for abuse. Coupled with a phishing attack, there are a lot of powerful ways to spread viruses and malware and to collect passwords. LOTS of them.


From the Twitter blog:


It looks as though this particular scam sent out emails resembling those you might receive from Twitter if you get email notifications of your Direct Messages. The email said, "hey! check out this funny blog about you..." and then provided a link. That link redirected to a site masquerading as the Twitter front page.


Anyway, one thing that might help stem the tide of phishing attacks and API-service-type attacks (Twply-style trust attacks, where a service says it's going to do something for you, and all it really does is take your data) is an API key system, or a drastic evolution of the current API method.


It's not like I'm saying anything radical. Actually, this is likely already in the works at the volcano/skull island that houses Twitter's developers, but it's more the shape of things to come. You'll likely see a slightly more complex and less "impulse buy" friendly API system emerge, hopefully safer than the seat-of-the-pants, insecure method used now.
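To make the argument concrete, here is an added example (not code from this post or from Twitter) that contrasts the password-sharing model the post calls the seat-of-the-pants method, where every third-party app receives the user's actual password (Twitter's API at the time used HTTP Basic Auth), with a per-application key system in which each app gets its own scoped, individually revocable key. The Server class, the scope names, the user "alice" and the apps "HonestClient" and "TwplyLike" are all constructed for illustration.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

# Actions a client app may request; "read_dm" (direct messages) is the
# sensitive one a rogue or phished app would want. Constructed for this example.
SCOPES = frozenset({"read_timeline", "post_status", "read_dm"})


@dataclass
class ApiKey:
    app_name: str
    scopes: frozenset
    secret_hash: str        # only a hash of the key secret is stored server-side
    revoked: bool = False


@dataclass
class User:
    name: str
    password_hash: str
    keys: dict = field(default_factory=dict)   # key_id -> ApiKey


def _hash(secret: str, salt: str) -> str:
    # Illustrative only; a real deployment would use a slow password hash.
    return hashlib.sha256(f"{salt}:{secret}".encode()).hexdigest()


class Server:
    """In-memory stand-in for the service (hypothetical, not Twitter's code)."""

    def __init__(self):
        self.users = {}

    def register(self, name, password):
        self.users[name] = User(name, _hash(password, name))

    # Scheme 1: every app is handed the user's password (the 2009-style model).
    def call_with_password(self, name, password, action):
        user = self.users.get(name)
        if user is None or not hmac.compare_digest(user.password_hash, _hash(password, name)):
            return "denied: bad credentials"
        # A password is all-or-nothing: there is no way to grant "read only".
        return f"ok: {action}"

    # Scheme 2: one key per app, carrying only the scopes the user approved.
    def issue_key(self, name, app_name, scopes):
        scopes = frozenset(scopes)
        if not scopes <= SCOPES:
            raise ValueError(f"unknown scope(s): {scopes - SCOPES}")
        key_id = secrets.token_hex(4)
        secret = secrets.token_urlsafe(24)
        self.users[name].keys[key_id] = ApiKey(app_name, scopes, _hash(secret, key_id))
        return key_id, secret     # the secret is shown to the app exactly once

    def revoke_key(self, name, key_id):
        self.users[name].keys[key_id].revoked = True

    def call_with_key(self, name, key_id, secret, action):
        user = self.users.get(name)
        key = user.keys.get(key_id) if user else None
        if key is None or key.revoked or not hmac.compare_digest(key.secret_hash, _hash(secret, key_id)):
            return "denied: bad or revoked key"
        if action not in key.scopes:
            return f"denied: {key.app_name} lacks scope {action}"
        return f"ok: {action}"


def demo():
    """Walk a Twply-style rogue app through both schemes; returns the outcomes."""
    srv = Server()
    srv.register("alice", "hunter2")
    out = {}

    # Scheme 1: the rogue app holds alice's password, so it can read her DMs, and
    # the only remedy (changing the password) also locks out the honest app.
    out["password_rogue_reads_dm"] = srv.call_with_password("alice", "hunter2", "read_dm")
    srv.users["alice"].password_hash = _hash("new-password", "alice")
    out["password_honest_after_reset"] = srv.call_with_password("alice", "hunter2", "post_status")

    # Scheme 2: each app has its own scoped key; the rogue one never got read_dm,
    # and revoking it leaves the honest app untouched.
    honest_id, honest_secret = srv.issue_key("alice", "HonestClient", {"read_timeline", "post_status"})
    rogue_id, rogue_secret = srv.issue_key("alice", "TwplyLike", {"read_timeline"})
    out["key_rogue_reads_dm"] = srv.call_with_key("alice", rogue_id, rogue_secret, "read_dm")
    srv.revoke_key("alice", rogue_id)
    out["key_rogue_after_revoke"] = srv.call_with_key("alice", rogue_id, rogue_secret, "read_timeline")
    out["key_honest_after_revoke"] = srv.call_with_key("alice", honest_id, honest_secret, "post_status")
    return out


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The point the walkthrough makes is the one the post is driving at: with shared passwords, trust is binary and revocation is collateral damage for every other app, whereas per-app keys let the user (or the service, once abuse is reported) cut off a single misbehaving app without touching anything else, and limit what even a trusted-looking app can reach in the first place.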


And as Pete Cashmore says, it might be a sign that Twitter is "for real".
