In the wee hours of Wednesday morning (March 15 2017), a host of prominent Twitter accounts were compromised and, as a result, began spouting swastika-laden propaganda in support of Turkey’s president Recep Erdoğan ahead of a referendum next month which could consolidate his power. So yeah: Now’s a good time to check your own accounts and make sure you close the backdoor that let this happen to other people.
These professional and verified accounts, including Duke University, Forbes, and Amnesty International, were likely protected by pretty robust security measures such as two-factor authentication and strong passwords. Those are important precautions, and ones you should take, too. But that wasn’t enough because hackers have another way: app permissions.
If you’ve ever logged into an app or service by using your Google/Facebook/Twitter account in lieu of creating a new username and password, you’ve opened up the app permissions hole. This feature is fine and good: it lets you worry about fewer passwords and sometimes is necessary for apps that work directly with your other account. But it’s also a security liability.
In the case of this recent hack, it was an app called “Twitter Counter” that appears to be at fault. Designed to give users analytics data on their accounts, the Twitter Counter app requests permission not just to see your data, but also to tweet. This isn’t nefarious on its own, and could be used to let you tweet out things from inside the app. But if Twitter Counter is compromised (and it seems like it was), hackers can make use of that access to start tweeting heinous garbage from your account.
The amount of access these sorts of apps have is always limited. They generally don’t have the ability to change your password or the like; your Twitter/Facebook/Google account reserves that for itself. These apps also never get your real password. Your main account simply authorizes them using a generated “token.”
If your main password is your house key, these app permissions are separate keys for your garage. The stakes are lower, but the more there are out there, the more likely one will fall into the wrong hands and someone will try to steal your car.
How to tighten up your security
The solution? Revoke as many permissions as you can and do it every few months. Every account has a way to look through what apps have what sort of access to your account. Take a minute to run through the list and remove anything you don’t use and anything you don’t trust.
Twitter: Click on your avatar on the top right, next to the “Tweet” button, and select Settings and privacy. Look at the list on the left side, under your name and avatar, and click Apps. Click Revoke Access next to anything you don’t want or need.
Google: Google makes it easy with the Security Checkup, which automatically runs through your app permissions, app specific passwords, connected devices, and other points of vulnerability for your account. Do it now and clean out all the cobwebs.
Facebook: Click on the question mark drop-down menu to the left of your notifications icon and select Privacy. Go to the left-hand rail and select Apps. Then click Show All at the bottom of the box marked Logged in with Facebook. With Facebook especially, plenty of these apps may have read-only access to your data, so they can look but not touch. Still, get rid of anything you don’t use to make yourself as secure as possible.
Any other account that supports app integrations should have a similar list as well, and it is important to keep them pruned. There’s no telling what little throwaway app might come back to bite you if its security isn’t quite up to snuff, so be stingy with your access. You’ll thank yourself.
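As an added illustration (not part of the original article), here is the pruning rule above applied to a constructed list of app grants. The app names, scopes and last-used dates are made up; the script assumes you have copied them by hand from each service’s “Apps” settings page, since that is where the article says to look.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Scopes follow the split the article describes: "read" lets an app look at
# your data, "write" lets it post as you. Neither ever includes the password.
@dataclass(frozen=True)
class AppGrant:
    name: str
    scopes: frozenset
    last_used: date  # last time the app's token was exercised

# Constructed sample of what an "Apps" settings page might list
# (names, scopes and dates are made up for illustration).
SAMPLE_GRANTS = [
    AppGrant("Follower Analytics", frozenset({"read", "write"}), date(2016, 11, 2)),
    AppGrant("Photo Filter", frozenset({"read"}), date(2017, 3, 10)),
    AppGrant("Conference Sign-in", frozenset({"read"}), date(2015, 6, 1)),
    AppGrant("Post Scheduler", frozenset({"read", "write"}), date(2017, 3, 14)),
]

def classify(grant, today, stale_after=timedelta(days=90)):
    """Return 'revoke', 'review' or 'keep' for one grant.

    Unused for a few months -> revoke, whatever the scopes: a token you have
    forgotten about is exactly the kind that comes back to bite you.
    Actively used but write-capable -> review, because a compromised app
    with that scope can post from the account, as Twitter Counter did.
    Actively used and read-only -> keep; it can look but not touch.
    """
    if today - grant.last_used > stale_after:
        return "revoke"
    if "write" in grant.scopes:
        return "review"
    return "keep"

_PRIORITY = {"revoke": 0, "review": 1, "keep": 2}

def audit(grants, today, stale_after=timedelta(days=90)):
    """Return [(name, action)] sorted so the items to act on come first."""
    rows = [(g.name, classify(g, today, stale_after)) for g in grants]
    return sorted(rows, key=lambda r: (_PRIORITY[r[1]], r[0]))

if __name__ == "__main__":
    for name, action in audit(SAMPLE_GRANTS, date(2017, 3, 15)):
        print(f"{action:>6}  {name}")
```

Run it on the day of the hack (2017-03-15) and the two stale grants land at the top of the list, followed by the actively used write-capable app that deserves a second look.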