January 26, 2014

The Tragedy of Twitter Authentication

I've become less and less trusting of third-party services that want to use social networking credentials to authenticate, and I'd like to give you an example.

http://minus.com/ is an image hosting site.  A few of my friends host galleries on the site, but if I want to view their galleries, I have to create an account.  Not a big deal, until you try.  Then you are told that you have to create an account using your social networking account.  I didn't quite trust them, so I created a new Twitter account (@RomSteady2) and registered using it.  After registering, I unlinked my Twitter account from my Minus account, but I did not remove their permissions to update/tweet on my Twitter account so I could see what would happen.

My first indication that something was amiss was when I got an email today from someone I didn't know saying that they used TrueTwit verification.  So what do I do but go and look and see my bait timeline filled with over five pages full of people I didn't follow...

...and there's more.  I know that the number of followers you have will determine how often you are recommended, but this is insane.  I'm guessing the TrueTwit verification was so that people could verify they were getting what they paid for.  So with this experiment completed, I'm removing the permissions from the Minus app from this experimental Twitter account and unsubscribing from all these guys who appear to be paying for subscribers.  At least Minus didn't tweet on my behalf...

Note: To pre-emptively try to address criticism: this account was created specifically for this experiment and was only used for this experiment.  It used a random password that was created specifically for this account.  I tried to be as clean-room as I could with this.