Early on Wednesday morning, prominent Twitter accounts were compromised. These verified, professional accounts, such as Amnesty International and Duke University to name a few, were most likely protected by good security practices such as strong passwords and two-factor authentication. But it seems the hackers got around all of that by simply abusing app permissions.
If you log into an app or service using your Twitter, Google or Facebook account instead of creating a username and password, you are likely opening a back door via app permissions. While this feature seems convenient because you don't have to set up and remember a bunch of logins and passwords, and is sometimes necessary for apps that tie in directly with your account, it also becomes a security liability.
An app called "Twitter Counter", designed to give users analytics data about their accounts, seems to be the source of the recent hack. The app requests not only permission to read data but also permission to tweet. This may seem innocent enough, since it could be used to tweet out data from within the app. It appears hackers had compromised Twitter Counter and used that access to send out their own tweets.
These types of apps generally don't have the ability or access to change your password; your main account simply authorises them to access your account using a generated token.
How to minimise your risk:
It is a good idea to go through your accounts and revoke as many permissions as possible. Every account has settings that let you see which apps have what sort of access to your account. Go through the list and remove anything you don't trust or don't need to have access.
On Facebook, click on the question mark drop-down menu to the left of your notifications icon and select Privacy. Go to the left-hand rail and select Apps. Then click Show All at the bottom of the box marked Logged in with Facebook. Most of these apps may have read-only access to your data, so they can look but not touch. Still, get rid of anything you don't use or trust to make yourself as secure as possible.
On Twitter, click on your avatar at the top right, next to the "Tweet" button, and select Settings and privacy. Look at the list on the left side and click Apps. Click Revoke Access next to anything you don't want or need.
Google makes it easy with the Security Checkup feature, which automatically runs through your app permissions, app-specific passwords, connected devices, and other points of vulnerability for your account. Log in to your account here and check that everything is up to scratch.
Any other account that supports app integrations should have a similar list, and it is important to keep permissions to a minimum. There is no knowing which app might come back to haunt you if its security isn't quite up to par. Let this be a good time to go through all your apps, not just your accounts, and give them a security check.
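As an added illustration of the review described above (example code, not from the article or from any of the services named), here is a small Python audit over a constructed list of authorised apps. It flags apps that hold write-capable scopes, the kind of access Twitter Counter had, or that have gone unused for a long time; the JSON layout, scope names and idle threshold are assumptions, not any platform's real API.

```python
import json
from datetime import date

# Constructed sample of authorised apps, loosely modelled on what an
# account's "Apps" settings page lists. Not any platform's real format.
AUTHORIZED_APPS_JSON = """
[
  {"name": "Analytics Dashboard", "scopes": ["read", "write"], "last_used": "2016-09-01"},
  {"name": "Photo Printer", "scopes": ["read"], "last_used": "2017-03-10"},
  {"name": "Old Quiz Game", "scopes": ["read", "write", "direct_messages"], "last_used": "2015-01-20"},
  {"name": "Calendar Sync", "scopes": ["read"], "last_used": "2017-03-14"}
]
"""

# Scopes that let a compromised app act as you, not merely look at your data.
# Read-only apps can "look but not touch"; these can post or message as you.
WRITE_SCOPES = {"write", "direct_messages"}

# Assumed threshold: anything idle longer than this is a candidate to revoke.
STALE_DAYS = 180


def audit_apps(apps_json, today_iso):
    """Return [(app name, [reasons])] for apps worth revoking.

    An app is reported if it holds any write-capable scope or if it has not
    been used within STALE_DAYS of `today_iso` (an ISO date string).
    """
    today = date.fromisoformat(today_iso)
    findings = []
    for app in json.loads(apps_json):
        reasons = []
        granted = set(app["scopes"])
        write_granted = sorted(granted & WRITE_SCOPES)
        if write_granted:
            reasons.append("can act on your behalf: " + ", ".join(write_granted))
        idle_days = (today - date.fromisoformat(app["last_used"])).days
        if idle_days > STALE_DAYS:
            reasons.append(f"unused for {idle_days} days")
        if reasons:
            findings.append((app["name"], reasons))
    return findings


if __name__ == "__main__":
    for name, reasons in audit_apps(AUTHORIZED_APPS_JSON, "2017-03-15"):
        print(f"{name}: " + "; ".join(reasons))
```

The read-only apps in the sample produce no finding; the two write-capable ones are listed with the specific scope that makes them a liability.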