July 20, 2009 - Security, Social

An Avatar for a Password: A Lesson in Social Media Security

Remember the days of Myspace phishing scams? Well, if you were ever on Myspace no doubt you were sent messages by your oh-so-holy-church-going-friends to look at a porn site, purchase viagra, or just talk to this chick on a webcam. Why would your friend send you such horrible things? Usually because they wanted a free background for their page and didn’t know the first thing about web security.

Basic Security

You see, when you give your username and password to a service, that service can log in to your account. Sounds pretty basic, right? But think about it. If they can log in to your account they can post anything, change your photos, or do whatever else they like. On Twitter they could even change your password and your email address, so that you are locked out of your account with no way to recover it.

I would never do something so foolish!

Of course you all have enough sense to not give out your password to just anyone who asks for it. Right?

Wrong. When I look through my Twitter feed and see little ribbons next to people’s avatars, I have to point out that every one of those people just handed over access to their account to a complete stranger.

But all my friends are doing it!

The service Twibbon asks for your username and password which thousands of people are giving up without thinking twice. But it’s okay because they clearly state: “Your login details will not be stored and are only used to update your profile image.” Awesome. They sound nice. Why should you trust them?

@nipper Says it quite succinctly.

They don’t even look trustworthy! A single line of text shouldn’t make you think otherwise.

It gets worse.

You use email right? Is your Twitter password different than your email password? Yeah, I didn’t think so (to the smart ones who answered yes, congratulations! You passed web security 101). Interested in what you can steal if you know someone’s main email address and password?

  • All social media accounts
  • Bank Accounts
  • Domain Names (It happened to David Airey)
  • Blogs
  • Your entire online identity
  • Online Cell Phone Account

You get the idea. On the web your email address and password are the keys to your virtual kingdom. Why give up something so important just to turn your avatar green?

The best part.

Not only do users give up their password, but they also then post a tweet to tell their friends to do the same. Viral phishing! Now that’s clever.

Web developers should know better!

I found this unfortunate example the other day. The worst part is that many web apps are doing the same thing.

Even the well designed service BabelWith.me does it.

When otherwise intelligent web professionals build services that circumvent basic security principles, we are teaching users that it is okay to give up valuable information to an unverified third-party service. As designers and developers we need to be setting the standards for security (and following them!) if we are going to fight the increase in online identity theft, not contribute to it.

There is a better way.

Twitter uses an authentication protocol called OAuth that allows an app to access your account temporarily, without you ever disclosing your password to the app. It also controls what the app is allowed to do once it has access. Most of you have seen this screen:

The way security should be handled.

Basically this lets the app do the cool things it was designed to do, but it leaves you completely secure at the same time. It’s just better for everyone.
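As an added illustration (not code from this post, from Twitter, or from any OAuth library), here is a small Python model of the two access patterns the post contrasts: an app that holds your password is indistinguishable from you, while an app holding a scoped, expiring, revocable token can only do what you granted. The account name, scope strings and expiry values are constructed for the example.

```python
import secrets
import time

# Constructed, in-memory model of delegated access. The scope names and
# the account details are made up for this illustration.

class Account:
    def __init__(self, username, password):
        self.username = username
        self.password = password          # a real service stores a hash, never the plaintext
        self.email = f"{username}@example.com"
        self.avatar = "default.png"
        self.tokens = {}                  # token -> {"app", "scopes", "expires"}

    # Path 1: the app was given the password, so it can do anything the owner can.
    def login(self, username, password):
        return username == self.username and password == self.password

    # Path 2: delegated access. The owner mints a token limited to listed actions
    # and to a lifetime; the app never sees the password.
    def grant(self, app_name, scopes, ttl_seconds):
        token = secrets.token_urlsafe(16)
        self.tokens[token] = {"app": app_name, "scopes": set(scopes),
                              "expires": time.time() + ttl_seconds}
        return token

    def revoke(self, token):
        # The owner can cut the app off at any time without changing the password.
        self.tokens.pop(token, None)

    def _authorize(self, token, action):
        grant = self.tokens.get(token)
        if grant is None or time.time() > grant["expires"]:
            return False                  # unknown, revoked or expired token
        return action in grant["scopes"]

    # Actions the service exposes; each one is gated by the token's scope.
    def set_avatar(self, token, image):
        if not self._authorize(token, "update_profile_image"):
            return "denied"
        self.avatar = image
        return "ok"

    def change_email(self, token, new_email):
        if not self._authorize(token, "change_account_settings"):
            return "denied"
        self.email = new_email
        return "ok"
```

An avatar-only token lets the app turn your avatar green but is refused when it tries to change your email, and once revoked it is refused for everything.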

Think about this.

Your Twitter account is important. Business or personal, it is still your brand online. You can’t afford to have it tarnished by a simple, foolish mistake. It would be really embarrassing to post a tweet telling your 2000 followers they should all visit a porn site. It happened on MySpace and it is only a matter of time before it happens on Twitter.

Note: If I called you out specifically or offended you in some way please know that it is only because I am pushing for a safer web (and you were a perfect example!).

Update: This article from CodingHorror.com has some great information (Thanks @davidlwheeler):

You’re Probably Storing Passwords Incorrectly

5 Responses to “An Avatar for a Password: A Lesson in Social Media Security”

  1. Anon

    July 20, 2009

    Good post. Interested that you require our email addresses and state that they will never be shared. Can we trust you?

    Also, helpiranelection.com – the green avatars – did use OAUTH. And you could immediately remove the authorisation after changing colour.

  2. Kimberly

    July 21, 2009

    I just read your post. Awesome write up.

    I still find it amazing just how easily sucked in people are when it comes to online security. Do people still lack common sense when it comes to providing information online?

    It’s not just social networking sites trawling for data either, I recently looked at a plugin for WordPress, which wanted my email address to activate it. Me being the sceptical me, I thought “why do you want that?” turns out the plugin in question is developed by spammers harvesting email addresses.

    It’s the same with email phishing scams with banks. I don’t know how many times I’ve seen TV adverts stating a certain bank will not ask for access numbers but then not even a week later I hear people have fallen victim to the same scams.

    Does the human race not learn, or is everyone just living in their own little world thinking “It’ll never happen to me”?

    • Nathan Barry

      July 21, 2009

      @Anon Yes, the Iran Election site does use OAUTH, though I thought when they first started out they only had the option to login with your Twitter credentials. I may be wrong though (it has happened before).

      And sharing your email address to post a comment is a bit different than sharing passwords. But I get your point.

      @Kimberly I haven’t seen it before with WordPress plugins, but that does make sense. Maybe I’ll write more later on WordPress security.

  3. Mandi

    July 28, 2009

    I liked this author’s philosophy for fixing your insecure passwords. http://www.slate.com/id/2223478/


Trackbacks

  1. Linkeracy 21 July 2009 – Tangled up in Purple says:
    July 21, 2009 at 12:39 am

    […] Nathan Barry exposes how experienced web developers happily allowed someone else access to their Twitter network. With the exponential growth of Twitter and other Social Networking applications, people are excitedly giving away their passwords in order to quickly jump on the latest trend. […]
