This morning I woke up to find that someone or something has retweeted spam messages on behalf of my Twitter account. Some of my followers alerted me about it (thank you!) and here are my thoughts on suggestions as to what might be the reason:
- This is not a personal or even targeted attack, since many people were affected and some of the victims are silent accounts with no tweets (apart from those from spammers) and only a handful of followers.
- I'm pretty sure it doesn't have anything to do with third-party app access, since all the retweets were marked in the Twitter UI as coming from "web". I'm inclined to believe this field since it is derived from the authorization method (a browser cookie or an app's client_id) rather than provided by the user.
- If this were a CSRF vulnerability, it would have worked at the time when I was clicking or visiting something on the Web. However, all (or at least 3 out of 4) retweets happened when I was sound asleep. As was my laptop, for that matter.
- I never submitted my Twitter password to any web site apart from Twitter itself. Here you have to take my word for it, but I'm pretty sure on this one. The only exceptions would be the official Twitter app for Android and Ubuntu's Gwibber, which as far as I know only exchanges the password for an OAuth token and doesn't keep it further.
- The only working hypothesis I have right now is that my password was stolen from some other hacked service that was storing passwords in clear text. I know that sharing passwords between services is a bad practice, but it's how it is.
- Another thing supporting this hypothesis is that after I changed the password, the spam stopped. I can't verify whether it happened anywhere else after that.
Twitter itself is silent on the issue and I don't know whom to ask about it. Their Report Violation page seems to be designed to educate people how to leave them alone.
Comments: 5
It's definitely not CSRF. I've been checking twitter for this for a long time. Did you notice anybody with the same issue? I want to explore this
One person on Twitter said he had samples, you might want to contact him. I deleted my retweets by this time.
All Twitter cookies were marked as invalid right after you changed your password. This is how Twitter auth works :) So it can still be CSRF or just a cookie stolen from your Firefox/Chrome/whatever.
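The comment above describes the mechanism that also explains the author's observation that the spam stopped as soon as the password was changed: every session cookie issued before the change is rejected afterwards, so a stolen cookie dies along with the old password. The following is an added illustration of that design, not Twitter's code and not code from the original post. It is a self-constructed, in-memory session store: each cookie is HMAC-signed and bound to a per-account "password generation" counter; changing the password bumps the counter and clears the outstanding sessions, so a cookie copied out of a browser profile stops validating. The account name, passwords and the server-side key are constructed sample values.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

# Server-side signing key (assumption: one key per deployment, held only on the server).
SECRET_KEY = secrets.token_bytes(32)


@dataclass
class Account:
    username: str
    password_hash: bytes
    salt: bytes
    session_generation: int = 0                    # incremented on every password change
    sessions: dict = field(default_factory=dict)   # session_id -> generation it was issued under


def hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2 is used here only so the demo stores no clear-text password.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def create_account(username: str, password: str) -> Account:
    salt = secrets.token_bytes(16)
    return Account(username, hash_password(password, salt), salt)


def issue_cookie(account: Account) -> str:
    """Issue a session cookie bound to the account's current password generation."""
    session_id = secrets.token_hex(16)
    account.sessions[session_id] = account.session_generation
    payload = f"{account.username}:{session_id}:{account.session_generation}"
    mac = hmac.new(SECRET_KEY, payload.encode(), "sha256").hexdigest()
    return f"{payload}:{mac}"


def validate_cookie(accounts: dict, cookie: str):
    """Return the Account if the cookie is authentic and current, else None."""
    try:
        username, session_id, gen_str, mac = cookie.split(":")
    except ValueError:
        return None
    payload = f"{username}:{session_id}:{gen_str}"
    expected = hmac.new(SECRET_KEY, payload.encode(), "sha256").hexdigest()
    if not hmac.compare_digest(mac, expected):
        return None                                 # forged or tampered cookie
    account = accounts.get(username)
    if account is None:
        return None
    if int(gen_str) != account.session_generation:
        return None                                 # cookie pre-dates a password change
    if account.sessions.get(session_id) != account.session_generation:
        return None                                 # session revoked individually
    return account


def change_password(account: Account, old_password: str, new_password: str) -> bool:
    """Rotate the password and kill every outstanding session, stolen or not."""
    if not hmac.compare_digest(hash_password(old_password, account.salt), account.password_hash):
        return False
    account.salt = secrets.token_bytes(16)
    account.password_hash = hash_password(new_password, account.salt)
    account.session_generation += 1
    account.sessions.clear()
    return True


def demo() -> tuple:
    """Walk through the scenario: a cookie copied from the browser, then a password change."""
    accounts = {}
    acct = create_account("alice", "correct horse")          # constructed sample account
    accounts["alice"] = acct
    stolen = issue_cookie(acct)                              # cookie copied out of a browser profile
    before = validate_cookie(accounts, stolen) is not None   # still works before the change
    change_password(acct, "correct horse", "new passphrase 42")
    after = validate_cookie(accounts, stolen) is not None    # dead after the change
    fresh = validate_cookie(accounts, issue_cookie(acct)) is not None
    return before, after, fresh


if __name__ == "__main__":
    print(demo())  # (True, False, True)
```

Binding the generation into the signed payload means the server does not even need to consult the session table to reject a stale cookie; the table is kept so that a single session can also be revoked without forcing a password change.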
FYI, just had this happen Mar 13 2013 and trying to understand how. You're right, Twitter support isn't talking. How do they post porn-spam which said I 'Reteeted' it and listed over 5000 retweets and a handful of followers? My account is new and real simple; have only made about 6 tweets, no retweets that I've made, no app relationships, no followers (maybe one) and maybe 2-3 retweets of my posts. Now upon login I was asked to reset password (which was complex and never had been hacked) so I did this and changed default 'Password Reset' to "Ask to verify". You can easily send a fake RESET request just by entering someone's User ID (with default settings).
All very interesting...
Just saw the YouTube video how it's done: "Twitter Retweet Hack 2012 (No Virus &