51 comments

[ 3.1 ms ] story [ 125 ms ] thread
"Twitter for iPhone API compromised?"

Is that supposed to... you know... mean something?

My own timeline was compromised, so I started looking into this. A fake tweet was posted on my behalf with "Twitter for iPhone" as the source. I don't have an iPhone since quite some time, but I used to have the app back in the day and never revoked access until now.
Update: Automatically got an email from twitter saying:

> Twitter believes that your account may have been compromised by a website or service not associated with Twitter. We've reset your password to prevent others from accessing your account.

The spam tweet posted on my behalf was automatically deleted.

(Edit: For reference, the spammy link pointed to a domain called apaloreto dot info, but led to a 404 in my case)

So has it been identified what you hit to cause a highjack of your account?
I use a Nexus 5 but recently I got a notification from MyPermissions [0] saying "Twitter for iPhone gained access to certain permissions." I checked it and it said it had rights to post on my behalf. I quickly removed all permissions as this was rather suspicious. I would recommend doing the same.

[0] http://mypermissions.com/

Have you ever owned an iPhone and installed the Twitter app? If not, have you ever installed a Twitter app on your Nexus?

If Twitter used the same app token for iPhone and Nexus twitter apps, and your Nexus twitter auth cred was stolen, they could use an implementation of the twitter client API with the iPhone user-agent, then post with your creds. I have absolutely no idea if any of that is accurate, but it might explain the access.

Luckily my timeline was not affected.

However, I wonder, shouldn't Twitter be able to pick these messages up automatically fairly fast, after (I assume) hundreds if not thousands of users have flagged them?

Also, the spammers can't have unlimited IP's. Twitters anti spam kinda seems to lag back behind E-Mail (subjectively).

Is there a reason the same techniques used in E-Mail aren't applicable to Twitter?

> Is there a reason the same techniques used in E-Mail aren't applicable to Twitter?

Twitter relies on very low latency - ie, once you tweet something, if it a whole minute to appear in your friends' timelines, it could already have lost much of its value.

Lots of spam reduction techniques introduce latency to levels that are unacceptable to Twitter's use case.

I'm not sure why it didn't catch these, but I can imagine why the same techniques aren't applicable in general.

Sure, but couldn't they run something that cleans up already posted tweets? That wouldn't introduce any latency while posting but would still (eventually) get rid of them automatically and hopefully pretty fast.
I think they are. Most of the search results I'm seeing are only up until a minute ago.
They do – they deleted a tweet from my timeline.
If my twitter account was compromised and used to send spam, I think the way I'd discover this is by seeing the record of tweets sent by the false "me". If those are being culled, then how will I know that my account has been compromised?
You can do pretty aggressive spam detection in way less than 100ms.

Source: I wrote a system that can do it in less than 10ms at Grooveshark.

any way i could pick your brain for 20 mins? we're dealing with a lot of it at whisper... would buy beers or ... whatever you want.
hey I work on anti-spam at FB. Happy to talk sometime. facebook.com/mkjones or @fisherrider on twitter (lol).

You can learn a little about how we think about securing login here: http://vimeo.com/80460475.

Shoot me an email james@grooveshark.com. Love to chat!
I've never timed it, but I do try to do realtime-spam detection on blog/forum comments:

http://blogspam.net/

Although it operates at a much smaller scale than most of the things linked to here it does work pretty well.

I doubt if that's even true, because Twitter's tail latency on API calls is in the hundreds of seconds. They do not operate a low-latency service (and they don't operate a high volume service either, by my standards).

I think the real problem is not latency, but simply they don't have the signals needed to differentiate spam from not.

Where did you get the latency data from?
Speaking as a user, when someone sends me a reply, I expect to see it in seconds via the streaming API so I can have a short IM-style conversation, and I consider this a nice benefit to using Twitter (rather than, say, email), if not totally essential. Hundreds of seconds sounds bad, but if that were the norm, it would be a serious problem.
I don't know. Part of the normal use case of Twitter is people mindlessly retweeting something or posting the exact same thing as everyone else. That's just trending stuff. With something thousands and thousands of people are sharing, it would take quite a few flagging it to raise any red flags.
Yeah, I was just thinking that. About 90% of what I see on twitter I would consider spam if it were sent by email. :)
So I can't speak for twitter, but I work on anti-spam at Facebook, and imagine the problems we face are relatively similar. It's worth noting that there's a constant barrage of people trying to send varying degrees of spam. It's not like there's An Attack all of a Sudden - just occasionally people close to the HN social network happen to be targeted by something and it's magnified by the media / hive mind local to us.

> shouldn't Twitter be able to pick these messages up automatically fairly fast

Theoretically, sure. As a human looking at an attack, it's usually pretty easy to pick out "obvious" attributes that they should have been able to catch. But when you're operating at a scale like us or Twitter, even stuff that looks like it's obviously-indicative-of-badness often has false-positives (posts flagged as spam that are not). The long tail of weird stuff that a billion users do can be pretty crazy.

At the same time, the "obvious" attributes of an attack are often very cheap for an attacker to change. Instead, we try to go after more expensive resources (domains, source IPs, etc).

> after (I assume) hundreds if not thousands of users have flagged them

Sadly, looking at flags of content is not a silver bullet. The signal is very sparse (a given spam post is rarely flagged), and nonspam posts are frequently flagged (religious and political speech are great examples - and they are the worst kind of false positive if you delete them as spam). These problems can be somewhat mitigated if you aggregate flags over a dimension that's expensive for the attacker (domain-posted, IP that posted the content, text shingles), but even then the recall isn't necessarily great and you could still catch e.g. controversial political domains.

> the spammers can't have unlimited IPs

True, though you can rent space on a botnet that has many, geographically-diverse, real-user IPs. Also, I imagine a significant chunk of posts to Twitter come from apps, many of which each use a single IP to post tons of content.

> Is there a reason the same techniques used in E-Mail aren't applicable to Twitter?

There's definitely some overlap. I'm not an expert at email anti-spam, but in general it's a relatively different problem. "Traditional" email spam is sent from some random email address on / via a compromised machine or open relay, and seems to be a relatively-well-solved. But it sounds like this twitter attack was caused by compromised accounts. At least anecdotally, it seems that email vendors are also not great at detecting this kind of attack. For example, my gmail account (with arguably the best spam protection in the industry?) gets a message every few weeks from some compromised friend's account. (i.e. someone had their email password stolen and the attacker is using it to "legitimately" send mail after authenticating to that email service with the correct password).

Perhaps you can weight the flags of users. Like users who have flagged non-spam content in the past don't count, and people who have flagged lots of spam count more.
Yeah, we've played with that idea a bit. It doesn't help the sparseness problem (actually makes it worse), and if we took action as a direct result, it would give people the power to DoS content they disagree with.

For sites operating at a smaller scale, this could be a good way to surface content for manual review though.

Are you using elastic net or other things to handle sparsity? Lots of Bayesian priors?
Could you hire people just to review/flag stuff on a part-time basis, ala Mechanical Turk? Or is the problem just not big enough to warrant the time/money investment?

I imagine that while spam is annoying, it probably doesn't impact your bottom line in a big way.

Could you not identify higher than normal viral scores and run some automatic checks on the links content to look for dodgy behavior (ie executing like / share links?) That would still end up with you being in a cat and mouse game of obscuring dodgyness but its a start.

Have you guys looked into sharing likelihoods of affected users? In other words I rarely share stuff I click on. If a higher than normal number of high view - low sharers like myself are sharing its either extremely popular or its spam. (Worth flagging for a manual check)

Yep, "URLs shared primarily by not-sharey people" sounds similar to a lot of classifiers we have.
Your job sounds pretty fun I must say.
I don't know if you hear this often enough, but thank you for fighting this fight. And I hope you're well paid for doing it.
I think it's safe to say that he/she probably is, at facebook.
Lol, best quote in a while: "The long tail of weird stuff that a billion users do can be pretty crazy."
Yes, I admin a FB group with sockpuppeting spammers daily, and it took me a while to understand why the "report account" facility didn't offer a "spam" option.
The bit.ly link is marked as spam and shows a warning, and then the shortened link doesn't load at all. The spammer failed :P
I additionally went through a twitter warning before I got to the bit.ly warning
I am not a Twitter user. Can anyone explain what I'm looking at here? The outcome of malicious Javascript?
(comment deleted)
My spam tweet had "Twitter for iPhone" API access as the source, and I wasn't using an iOS device at the time it was posted. It's unclear what actually happened.
you don't need to be using an iOS device for someone to use your devices authentication token to access your account. Sounds like perhaps a a vulnerability leaking oauth tokens in the iOS client?
Or something to do with Twitter's iPhone integration having an issue, allowing someone to create credentials on your behalf.
I would assume it's just sent through the API with the iOS App's app credentials (they are open and out there). That specific set of app credentials allows the OAuth endpoint for email + password sign in through the API. Maybe some other database got hacked and the user credentials were used on twitter.
I just tried deactivating it, but couldn't - apparently "Twitter for iPhone" needs to be deactivated on the device itself. What's up with that?
Funny how now the search is full of tweets referencing the "Twitter Spam Wave"
"Seriously the best thing I have ever tried" - what on Earth would be the purpose of spamming that?
Proof of concept? The attacker might use something else in the future.
I don't twitter but whenever I'm shown tweet I'm astounded at the amount of redirection involved in linking.
This link to search over dynamic content is as pointless as those "service x is down" linking to service x.
I don't see anything special. Have the tweets been removed? What was it?