A slew of high profile Twitter accounts blasted a pretty suspect, pro-Erdoğan tweet on Wednesday. An Amnesty International account was affected, as well as one from UNICEF, and an information security journalist too. The cause was that all of those users had linked their accounts to a third party application, called Twitter Counter.
"We're aware that our service was hacked and have started an investigation into the matter. We've already taken measures to contain such abuse," the service tweeted on Wednesday morning, shortly after the offending tweets were published.
Twitter Counter added that it doesn't store users' passwords or credit card information, but that is not the point here. In many cases, when Twitter users link their account to third party services, they are, in effect, handing over control of their account, including the ability to post tweets.
So, how do you check if your account is linked to any similar apps, how do you revoke access to them, and what should you look out for more generally?
Here are three easy steps:
CHECK WHICH APPLICATIONS CAN ACCESS YOUR ACCOUNT
When logged into your Twitter account on a computer, click your profile picture in the top right hand corner of the screen, and select "Settings and privacy" from the drop-down menu. From here, select "Apps" on the left hand menu (or you can skip those steps and just go straight to this link). Now you'll see all of the applications that can access your Twitter account. Maybe that includes Medium, or Facebook, or whatever else.
But most importantly, this screen will also show what each of those apps can actually do with that access. For example, Medium has permission to read and write. Others may also have the ability to send direct messages.
REVOKE ACCESS TO ANY YOU DON'T NEED
Next to each app is an easy-enough "revoke access" button, which will cut off the application's control over your account. Maybe there's an old crappy online game linked to your account you no longer play. Revoke it. Or some dodgy app that you can't even remember linking to your account. Revoke that too.
The smaller the number of applications that have access, the less chance there is of your account being taken over because of a third party compromise. Last year, around 32 million usernames and passwords for Twitter accounts surfaced. It's not clear exactly where they came from—Twitter security staff denied the company had suffered a breach—but an attack on a third party site is a good bet.
ALWAYS NOTE THE PERMISSIONS
In general, and not just for Twitter, it's worth paying close attention to the specific permissions you are awarding apps when linking them to your accounts. Does that software really need to write tweets for you? Are you happy with that? If not, maybe don't give certain apps access in the first place.
Also make sure you're using a unique password on Twitter, or any other sites too. If you haven't already, maybe put in the time to set up a password manager, which will generate strong, unique passwords for you. And double-check you have two factor authentication enabled too.
Subscribe to pluspluspodcast, Motherboard's new show about the people and machines that are building our future.
from How to Protect Yourself From Third-Party Twitter App Hacks