The Problem with Twitter OAuth Connections

Twitter OAuth

If you’ve been using Twitter for any length of time then I’m sure you’ve come across the Deny/Allow screen you see above. Twitter OAuth is an authentication protocol that lets users approve an application to act on their behalf without sharing their password. The only problem is that once you click Allow, the site using OAuth has pretty much total control of your Twitter account. It can make you tweet out messages to your followers. It can even make you follow anyone without your permission.

Now, the majority of sites that use OAuth, like Sponsored Tweets, use it for legitimate reasons. However, it’s not hard to see the security problems this can create. For one thing, Twitter has no application process for using OAuth. Anyone can create a Twitter service with OAuth, including hackers and spammers. This is why Twitter has that note on the right which reads:

Please ensure that you trust this website with your information before proceeding!

The problem is that most people won’t notice the warning and will just click the Allow button. Most Twitter users think that clicking Allow only gives the service one-time access to their Twitter account, as when entering a contest where the site uses OAuth to make you follow it and tweet out a message about the contest to your followers. That is not the case. When you click Allow, the service has access to your Twitter account until you break the connection!

Using OAuth To Get Someone Banned On Twitter

Last week, my Twitter account got suspended because Twitter received a bunch of complaints from users claiming I forced them to follow me. Of course, I never forced anyone to follow me and after an investigation and telling me to change my password, Twitter restored my account. However, I received two @replies today from users saying I am forcing them to follow me again.

My theory (and it’s only a theory) on how this is happening is someone is using OAuth to make Twitter users follow me to get my account banned.

How To Break The OAuth Connection

To see all the sites that you have allowed to connect to your Twitter account, go to your Twitter home page, click “Settings”, then “Connections”. You’ll be presented with something like the following:

Twitter Connection

The page lists all the sites that are allowed to connect to your Twitter account. Don’t be shocked if you see a site that you don’t know. If you don’t recognize a site, break the connection right away by clicking the “Revoke Access” link.

For the Twitter users who sent me messages saying I’m forcing you to follow me, I ask that you go to your connections settings and revoke access for every connection you have. This will make sure no sites have access to your Twitter account. I also recommend you change your Twitter password. Hopefully, the explanation for all this is someone abusing OAuth to try to get me banned. If the forced follows are not coming from OAuth, then Twitter has a major security flaw on its hands.
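To make the two points above concrete (an approved app keeps its access until the connection is revoked, and each action an app takes can be attributed to that app), here is an added toy model of OAuth-style delegated access. It is example code written for this post, not Twitter’s code or any real API; the names ResourceServer, authorize, connections, revoke, act, follows_by_app and demo are hypothetical, and the users and apps in it are constructed sample data.

```python
# Added example (not from the original post or from Twitter): a toy model of
# OAuth-style delegated access. The class and function names below are
# hypothetical and exist only in this example.
import hashlib
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class Action:
    """One action performed on a user's account, attributed to the app that did it."""
    app: str
    user: str
    kind: str    # "tweet" or "follow"
    target: str  # tweet text, or the account being followed


class ResourceServer:
    """Stand-in for the Twitter side: issues an access token when the user
    clicks Allow, honours it until it is revoked, and records which app did what."""

    def __init__(self):
        # Only a hash of each token is stored, mapped to (app, user).
        self._tokens = {}
        self.audit = []

    @staticmethod
    def _key(token):
        return hashlib.sha256(token.encode()).hexdigest()

    def authorize(self, app, user):
        """User clicks Allow: the app receives a bearer token for this user."""
        token = secrets.token_urlsafe(32)
        self._tokens[self._key(token)] = (app, user)
        return token

    def connections(self, user):
        """The 'Connections' page: every app currently holding a token for user."""
        return sorted({app for app, u in self._tokens.values() if u == user})

    def revoke(self, user, app=None):
        """'Revoke Access': drop the tokens for one app, or for every app when
        app is None. Returns the number of tokens removed."""
        doomed = [k for k, (a, u) in self._tokens.items()
                  if u == user and (app is None or a == app)]
        for k in doomed:
            del self._tokens[k]
        return len(doomed)

    def is_valid(self, token):
        return self._key(token) in self._tokens

    def act(self, token, kind, target):
        """An app uses its token to tweet or follow on the user's behalf.
        Nothing here consults the calendar: the token works until it is revoked."""
        entry = self._tokens.get(self._key(token))
        if entry is None:
            raise PermissionError("token unknown or revoked")
        app, user = entry
        self.audit.append(Action(app, user, kind, target))
        return True


def follows_by_app(server, target):
    """Count distinct users made to follow `target`, grouped by the app that did
    it. One app producing follows of one account from many users is the pattern
    the post suspects, and an audit log like this is what lets a platform see it."""
    users_by_app = {}
    for a in server.audit:
        if a.kind == "follow" and a.target == target:
            users_by_app.setdefault(a.app, set()).add(a.user)
    return {app: len(users) for app, users in users_by_app.items()}


def demo():
    """Walk through the scenario in the post with constructed users and apps."""
    s = ResourceServer()
    # alice and bob each click Allow for a contest site.
    ta = s.authorize("contest-site", "alice")
    tb = s.authorize("contest-site", "bob")
    s.act(ta, "tweet", "I entered the contest!")
    s.act(ta, "follow", "contest-site")
    # Long after the contest, the same tokens still work: the site can make
    # both users follow an arbitrary account.
    s.act(ta, "follow", "target-user")
    s.act(tb, "follow", "target-user")
    # alice revokes every connection; her token stops working, bob's does not.
    removed = s.revoke("alice")
    return {
        "alice_connections_after_revoke": s.connections("alice"),
        "tokens_removed": removed,
        "alice_token_valid": s.is_valid(ta),
        "bob_token_valid": s.is_valid(tb),
        "follows_of_target_by_app": follows_by_app(s, "target-user"),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Two design points carry over from the model to real OAuth deployments: the access token is a credential separate from the user’s password, so revoking the connection is what actually cuts the app off, and keeping every delegated action tagged with the app that made it is what allows a platform to tell a forced-follow campaign apart from a user’s own activity.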