Le 27 Janvier, le fondateur de l’application Fauxlowers a annoncé sur son blog que Twitter venait de suspendre son application. Effectivement, si l’on cherche à se connecter l’application Fauxlowers via Twitter OAuth, on tombe sur un message Fatal Error contenant ceci: invalid / suspended application. Pour quelle raison cette app a-t-elle été coupée? Aucune justification n’a été fournie par l’équipe technique de Twitter (comme d’hab), ce qui a laissé un peu le propriétaire de l’application penaud.
Selon lui, il est possible que son application envoyait trop d’autoDMs , ce qui a pu poussé les détecteurs de spam à virer au rouge. A la vue des réactions que l’on trouve en cherchant Twitter, c’est effectivement plausible. Ce doute lui a été confirmé le lendemain.
Cependant, ce matin, une utilisatrice de Twitter a tweeté que Fauxlowers était à l’origine d’un phishing scam sur son compte! Il n’y a pas vraiment de détails autour de cette histoire, si ce n’est que Fauxlowers a eu accès à son compte (il faudrait voir si elle n’est pas a l’origine de l’autorisation de cet accès). Cependant, on parle ici d’un phishing scam, donc même avoir un accès légitime à un compte utilisateur ne justifie pas un tel acte.
À la suite de cet incident isolé, Twitter a détecté une attaque globale qui les a poussé à reset les identifiants de connexion de milliers d’utilisateurs pour les protéger de la tempête. Dans son message aux personnes victimes de cette procédure de sécurité, Twitter rappelle:
As a reminder, you should be extraordinarily suspicious of any third party that offers to artificially inflate your follower count. We do not endorse any of these site
Mmm, serait-il possible que le développeur de Fauxlowers soit à l’issue de cette attaque globalisée? Techniquement, il a un motif (envie de revanche contre Twitter), un utilisateur a détecté une attaque provenant de son application quelques heures avant que Twitter n’annonce son alerte rouge, et Twitter identifie explicitement les services semblables à Fauxlowers comme la source du problème.
Il est bon d’ajouter que le developpeur en question, c’est Antone Roundy, un développeur dont les techniques de phishing ne semblent pas lui être inconnues…
Pour Suivre les Infos de TwitteRadarSuivre les auteurs sur Twitter : SeoMan , Gus et Xavierv
Et Suivre les Billets Par FLux RSS
No related posts.
{ 2 comments… read them below or add one }
A few parts of this post didn’t come through clearly in Google Translate, so I’m not quite sure whether you suspect that my app was doing something malicious, or whether somebody else who was doing something malicious was trying to make it look as if Fauxlowers was responsible. I can tell you, my app never did anything that wasn’t clearly explained in advance to everyone who joined. The only thing Fauxlowers did after someone granted it access to their Twitter account was:
1) Send out ONE tweet with the person’s stats and linking to their profile on Fauxlowers.com. (This was recently made optional.)
2) Send ONE welcome DM to each NEW follower with pretty much the same information (stats and profile link). This has been optional almost since Fauxlowers was launched (but I think some people didn’t bother glancing at the form they were submitting, so they didn’t realize this, even though I tried to make it as clear as possible, and it was easy to disable). This feature has now been removed from the site to avoid future complaints from people who don’t read the forms they submit.
“As a reminder, you should be extraordinarily suspicious of any third party that offers to artificially inflate your follower count.”
Fauxlowers has absolutely nothing to do with inflating your follow count, so this statement is clearly not aimed at my site. Also, since Fauxlowers uses OAuth to access Twitter accounts (NOT passwords), resetting one’s password doesn’t affect it. So if the alert Twitter sent out had anything to do with Fauxlowers, it wouldn’t have been talking about passwords, it would have been talking about your Connections control panel. And there would have been no need for them to tell users, because they could have simply deleted all of Fauxlowers’ connections — or, as they did, they could just deactivate the Fauxlowers app.
In short, Fauxlowers has absolutely nothing to do with any phishing attack. Anyone who thought they’d been phished must not have read the clear and detailed explanation on the Fauxlowers.com homepage of what Fauxlowers was going to do before they gave it authorization to access their account.
Oh, one more thing:
“It is worth adding that the developer in question, Antone Roundy, a developer whose phishing techniques do not seem to be unknown …” (Google Translate translation)
Are you serious? Just because I once posted in a discussion of potential problems with phishing using Atom feeds, now we’re going to imply that I’ve got mad phishing skills and I’m not opposed to using them?
Somebody claimed they’d been phished because they weren’t paying attention to the explanation of how Fauxlowers was going to send welcome DMs to their new followers. I underestimated the potential for this happening when I created the site, and the potential for people complaining to Twitter when they receive welcome DMs. The welcome DM feature has been removed. That’s pretty much all there is to this story.