
tl;dr
B/c ppl hv attn spans of gnats.
A Dutch teenager successfully hijacked 20,000 Twitter profiles to post a message dissing their owners for being slack with security. Damien Reijnaers (@DamiaanR), 16, also induced his victims into tipping their hat to him for helping them to point out the error of their ways in the same update. He pulled off the trick by …
This application will be able to:
Post Tweets for you.
Those terms aren't verbose or complicated. There are no real conditions involved in that one. Yes, malicious users can have a field day if you authorize an untrusted source to publish information using your information. It becomes trivial at that point, since you've expressly authorized code you have zero control of, from a developer you have zero knowledge of, to have near-complete access to your account.
The more and more people move to social media and feel it's okay to authorize whatever little crap they find to have complete access to the details of their account, the more and more you will see actions like this occur. Call me an old stick in the mud, but I rarely post any form of information sensitive to social media sites, and don't use many apps with them, because I do not like the authorizations required for most of them. In fact, I'm the same way with my phone. When some little game wants access to my contacts and ability to monitor phone calls, it is not installed.
This also has implications among law enforcement techniques, as well. If Farmville has complete, unfettered access to your Facebook and cell phone, what stops the feds from issuing a secret subpoena to Farmville to kill two birds with one stone?
Too, too true... the number of times I have tried to download a simple app only to have it ask me for permission to go into just about every part of the system for some undisclosed, irrelevant reason. Strangely enough, when I tell it to swivel the app won't run... meh, plenty more fish in the sea*
* for younger viewers, it was once thought that there was an endless supply of fish. It now turns out that you need to leave some to let them make more fish.
I know people like to diss this "Joe Public" guy, but really, "post tweets on your behalf" is pretty damned simple to understand. If you don't know what posting a tweet is, what the hell are you doing on Twitter?
Methinks this prankster hit 20,000 people on the very low end of the bell curve.
This is a difficult problem to solve because users simply don't have the time to pore through the often verbose, complicated terms and conditions or term of use statements attached to applications.
This is a difficult problem to solve because users simply don't have the time to pour through the often verbose, complicated terms and conditions or term of use statements attached to applications.
Fixed it.
So some people signed up to a service and allowed that service to have (easily revocable) access to their Twitter account so it could tweet. Then the owner of that service used the permission they were granted to post a tweet. The only story is that the tweet wasn't particularly pleasant.
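For readers who want to see what "Post Tweets for you" actually grants, and what "easily revocable" means at the protocol level, here is an added example that is not part of any comment above and is not Twitter's or the prankster's code. It implements OAuth 1.0a request signing (HMAC-SHA1 over the signature base string, the scheme Twitter's API used at the time) and a toy stand-in for the API side. All keys, tokens, the user name and the nonce/timestamp are constructed values; the endpoint URL is the statuses/update path of that era and makes no network call. The point it shows: once the app holds the access token and its secret, it can post as the user without ever seeing a password, and the only thing that stops it is the user revoking the token.

```python
"""Delegated posting with OAuth 1.0a, the mechanism behind "Post Tweets for you".

Constructed example: consumer key/secret, access token/secret and the user are
made up and no network calls are made. ToyApiServer is a stand-in for the API's
token and signature check, not Twitter's code (it skips nonce/timestamp replay
checks a real server performs).
"""
import base64
import hashlib
import hmac
from urllib.parse import quote

UPDATE_URL = "https://api.twitter.com/1/statuses/update.json"  # endpoint path of the era


def pct(value):
    """RFC 3986 percent-encoding as OAuth 1.0a requires (only unreserved chars untouched)."""
    return quote(str(value), safe="")


def signature_base_string(method, url, params):
    """OAuth 1.0a base string: METHOD & encoded(url) & encoded(sorted, encoded params)."""
    pairs = sorted((pct(k), pct(v)) for k, v in params.items())
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), pct(url), pct(normalized)])


def sign(method, url, params, consumer_secret, token_secret):
    """HMAC-SHA1 over the base string, keyed by consumer_secret '&' token_secret."""
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    base = signature_base_string(method, url, params).encode()
    return base64.b64encode(hmac.new(key, base, hashlib.sha1).digest()).decode()


def build_update_request(consumer_key, consumer_secret, token, token_secret,
                         status, nonce, timestamp):
    """What a third-party app sends to post as the user; the user's password is never involved."""
    params = {
        "status": status,
        "oauth_consumer_key": consumer_key,
        "oauth_nonce": nonce,
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_timestamp": str(timestamp),
        "oauth_token": token,
        "oauth_version": "1.0",
    }
    params["oauth_signature"] = sign("POST", UPDATE_URL, params, consumer_secret, token_secret)
    return params


class ToyApiServer:
    """Minimal API side: knows each app's secret and the access tokens users have granted."""

    def __init__(self):
        self.apps = {}     # consumer_key -> consumer_secret
        self.grants = {}   # oauth_token -> {"user", "secret", "scope"}
        self.timeline = []  # (user, status) pairs that were accepted

    def register_app(self, consumer_key, consumer_secret):
        self.apps[consumer_key] = consumer_secret

    def authorize(self, user, consumer_key, scope, token, token_secret):
        """The 'Authorize app' click: an access token bound to this user and scope."""
        self.grants[token] = {"user": user, "secret": token_secret, "scope": set(scope)}

    def revoke(self, token):
        """Settings -> Applications -> Revoke access: the token secret is simply forgotten."""
        self.grants.pop(token, None)

    def statuses_update(self, request):
        """Return (http_status, reason) for a POST statuses/update carrying OAuth params."""
        params = dict(request)
        presented = params.pop("oauth_signature", "")
        app_secret = self.apps.get(params.get("oauth_consumer_key"))
        grant = self.grants.get(params.get("oauth_token"))
        if app_secret is None or grant is None:
            return 401, "invalid or revoked token"
        if "write" not in grant["scope"]:
            return 403, "read-only token"
        expected = sign("POST", UPDATE_URL, params, app_secret, grant["secret"])
        if not hmac.compare_digest(expected, presented):
            return 401, "bad signature"
        self.timeline.append((grant["user"], params["status"]))
        return 200, "ok"


def demo():
    """Authorized app tweets as the user; after revocation the same app is locked out."""
    server = ToyApiServer()
    server.register_app("cK_example_app", "cS_example_secret")      # constructed values
    server.authorize("alice", "cK_example_app", {"read", "write"},
                     "aT_alice_token", "aS_alice_secret")

    def app_posts(text, nonce):
        req = build_update_request("cK_example_app", "cS_example_secret",
                                   "aT_alice_token", "aS_alice_secret",
                                   text, nonce=nonce, timestamp=1318622958)
        return server.statuses_update(req)[0]

    before = app_posts("Hello Ladies + Gentlemen, a signed OAuth request!", "n0nce1")
    server.revoke("aT_alice_token")
    after = app_posts("still here?", "n0nce2")
    return before, after, list(server.timeline)


if __name__ == "__main__":
    print(demo())  # (200, 401, [('alice', 'Hello Ladies + Gentlemen, a signed OAuth request!')])
```

Note that the app's request carries the user's token but never the user's password, and the server does not ask "does the user approve this particular tweet"; it asks only "is this token still valid and does it carry write scope". That is the whole of the consent model, which is why a one-line authorization dialog is all the warning anyone gets.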
I look at this as the early days of AV software (NO, don't start in on the heuristics versus signature argument!) in that this is an emerging area of concern for security folks. There are a few apps out there that scan for unnecessary permissions and the presence of adware, but the onus is still on the user to decide what to do about the potentially problematic apps. Sooner or later, we will see certain behaviors defined as malicious or unacceptable and blocked without user intervention.
On one hand, nothing is free and it seems reasonable to expect to deal with ads or other methods for the app developer to make some money off our downloads. On the other hand, one of the underpinnings of the use of apps paid for by data tracking and ads is informed consent.
"Definition of hijacking is to take over something and use it for a different purpose. The victims expected it to do one thing, it did another. If that's not hijacking them I'm a banana."
Wait, it's hijacking because it is missing the functionality of comparing Twitter accounts? So, if it did what the user expected by comparing profiles as well as what it did, it wouldn't be? This is exploiting, not hijacking.
The closest you get to the word "Hijack" in this regard is...
2. b : to subject to extortion or swindling
http://www.merriam-webster.com/dictionary/hijack
The closest you get to the word "Exploit" in this regard is...
2. to make use of meanly or unfairly for one's own advantage <exploiting migrant farm workers>
So, are you rotten or ripe?
Totally off-topic, but considering how you Reg folks don't post that often...
Just wanted to say that the badge system implementation looks more impressive to me. I know plenty of web forums where the staff always gets the full load of "achievements" because well, they're the staff.
So seeing a bronze badge behind your name tells me that you guys like to play by the same rules you laid out, which IMO is recommendable. Just saying.
And now back to our regular program...
"...Definition of hijacking is to take over something and use it for a different purpose. The victims expected it to do one thing, it did another. If that's not hijacking them I'm a banana..."
Good morning, Mr. Fyffe. May I just say how fantastically curved and yellow you're looking today!
Yesterday a tramp asked me for some money for a "cup of tea". After voluntarily handing over said coinage, I subsequently observed him using it to buy a can of "Old BallBaggers Liver-Crippler" extra strength lager instead. Oh noes! I must immediately hotfoot it down to my local nick and report that I have been the victim of a hijacking!
The other thing is LinkedIn. Most competent people don't bother with it. But there is a hard core of LinkedIn users who want you to believe that they are employable. They are doing this by getting their agents into prominent media positions to forward the LinkedIn agenda, telling you that you are scum for not being on it.
But Twitter is like that, but without the aspect of anyone getting a job at the end of it. Pure evil.