Nullvariable

Fixing security issues for Twitter

by Doug on November 6, 2009

Sorry if there are spelling errors, I’m writing this from the road, somewhere in Mississippi, but I think it’s important to make some points about security. I just saw that MSNBC appeared to have had their Twitter account hacked. There are two things I want to say about security.

First, be very careful where you use your password. Better yet, insist on using services that support OAuth. With OAuth you tell Twitter to allow an application access to your account instead of giving the application your password, which means both you and Twitter can easily shut down an offending application. It’s very similar to how Facebook’s system for applications works.

Second, Twitter needs to offer some higher levels of security. It costs very little to do multi-factor authentication (MFA). MFA is a process where you must have a device (often a phone) registered with the system that either receives a code generated on the server, or generates the code independently while staying synced with the server. It essentially prevents anyone who doesn’t have the physical device from using an account, even if they have the password.

Most people are using Twitter from their cell phones anyway; it would take very little programming to send authentication codes to the user's phone before they could log in. There are lots of scenarios for how it could work, but this is something I would pay for (and do pay for on other accounts). It’s a tiny step that many users would be more than happy to add. I use an MFA device on an almost daily basis: World of Warcraft offers an iPhone app and a keychain device for MFA, and it’s a game.

What do you think? Is basic password security education enough? As FB & Twitter grow, we’re just going to see more of these types of attacks. Learning good security is a must.

Doug, this is a great start and Twitter really does need to get this right, quickly. But, in addition to password protection, it also needs to implement site validation so that every link that is submitted and shortened goes through a virus and phishing filter to stop anything from being distributed that can cause damage. I know users should have this capability but so many just don't.

I'd agree but the horsepower to check links would have to be pretty high. I suppose that they could use a service like Google and Firefox are using and check the URLs against that but it seems like it takes too long for a site to get picked up by those filters. I don't know what the solution is but seems like both Facebook and Twitter need to really get on the ball or they're going to start losing people.
