
Friday, 27 September 2013

Has your Pinterest account been hacked and autoposting to your Twitter? Check your Twitter apps page too.

Update: a note on terminology, at the end (hacking v phishing)

I've spotted a couple of people I follow on Twitter sending out a tweet promoting Garcinia cambogia extract, which is yet another weight loss supplement, this one apparently advertised by Dr Oz (though he's not behind the spamming).

However, they didn't write the tweet; it actually came from their (separate) Pinterest account, which they had authorised to post to Twitter on their behalf, so these nonsense tweets showed up in their Twitter feed.

At the moment you can't tell from looking at someone's profile on Twitter.com what app they've tweeted with. They might be tweeting from a desktop / laptop computer, using Twitter.com's interface (ie 'from web') or from an app on their tablet or smartphone. Twitter used to share that info; it doesn't now (presumably to discourage advertising other services when it has its own app that it wants people to use).

However, some apps do still provide this information and Echofon for iPhone is one of them. Searching for the relevant tweets from my friends, I saw that they'd been sent by the Pinterest app, and searching for references to Garcinia cambogia brought up plenty more examples of tweets emitted by Pinterest. It also became clear that a few people's Pinterest accounts had been hacked.

At first I thought people had had their Twitter account hacked or phished but it seems that it's Pinterest, not Twitter.

What to do?
To stop the tweets you'll need to revoke Pinterest's access to your Twitter account. This stops it from being able to tweet on your behalf - go to the Apps section of your Settings, and revoke it: https://twitter.com/settings/applications

You will also need to check your Pinterest page as it's likely that you now have rubbish pics pinned on there by someone else.

What's happening here?
Your Pinterest account was hacked or phished, and someone started posting rubbish photos on there in the hope that you'd previously set up an autopost to Twitter. If you had that set up then bingo for them: your Twitter feed is now pinging out adverts for someone's weight loss supplements, and you may not be aware of it because your Twitter account itself is otherwise uncompromised.

I authorised Pinterest in 2012 as a log-in only, so I don't think it can tweet on my behalf, though it will be interesting to see (I've not revoked it as I'm curious to see what might happen).

Note that even if you don't have your Pinterest hooked up to your Twitter it's still possible that your Pinterest account has been hacked anyway, but any damage is probably less obvious.

The take-home messages for me are:
  • Echofon and other apps can give you background intelligence about which app is being used to send a tweet. By itself that information may not be particularly illuminating but it can be useful (eg to see, more generally, if an account is a real person or always posting via automated systems)
  • Your Twitter account can be indirectly 'hacked' by hacking of another system which is hooked up to it. Not surprising and not unknown but interesting to see it happening so... almost covertly here.
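As an added example (not part of the original post), here is a small Python script that does by hand what the post describes doing with Echofon: it reads tweets shaped like Twitter API v1.1 records, pulls the posting client out of each tweet's `source` field, and flags any tweet sent via an app the account owner doesn't expect to tweet for them, or whose text matches the Garcinia / Acai spam wording. The tweet records, the list of expected apps and the spam terms are constructed for the demo; the `source` field is assumed to be in the v1.1 form, an HTML anchor naming the client (or the bare value "web").

```python
"""Audit a batch of tweets for posts made through an unexpected connected app."""
import html
import json
import re

# Constructed sample records, shaped like Twitter API v1.1 tweet objects, where
# `source` is an HTML anchor naming the client that posted the tweet (this is
# the field clients such as Echofon display as "via ...").
SAMPLE_TWEETS_JSON = r'''[
  {"id_str": "1001", "source": "<a href=\"http://www.echofon.com/\" rel=\"nofollow\">Echofon</a>",
   "text": "Heading to the lab, back later."},
  {"id_str": "1002", "source": "web",
   "text": "New blog post on spam comment volumes."},
  {"id_str": "1003", "source": "<a href=\"http://pinterest.com\" rel=\"nofollow\">Pinterest</a>",
   "text": "Lose 10 lbs fast with Garcinia Cambogia extract! Dr Oz approved http://example.invalid/gc"},
  {"id_str": "1004", "source": "<a href=\"http://pinterest.com\" rel=\"nofollow\">Pinterest</a>",
   "text": "Just pinned a recipe for lemon drizzle cake"}
]'''

# Matches the anchor in the `source` field and captures the visible app name.
SOURCE_ANCHOR = re.compile(r"<a\b[^>]*>(.*?)</a>", re.IGNORECASE | re.DOTALL)

# Spam wording taken from the post's own examples (Garcinia, and the earlier Acai campaign).
SPAM_TERMS = ("garcinia cambogia", "acai berry")


def source_app(tweet):
    """Return the plain client name from a tweet's `source` field.

    Handles both the HTML-anchor form and the bare 'web' value."""
    raw = tweet.get("source", "")
    match = SOURCE_ANCHOR.search(raw)
    name = match.group(1) if match else raw
    return html.unescape(name).strip()


def audit_tweets(tweets, expected_apps):
    """Flag tweets sent via an app the owner does not use to tweet, or whose
    text matches a known spam campaign. Returns one finding per flagged tweet."""
    expected = {app.casefold() for app in expected_apps}
    findings = []
    for tweet in tweets:
        app = source_app(tweet)
        text = tweet.get("text", "").casefold()
        reasons = []
        if app.casefold() not in expected:
            reasons.append(f"posted via unexpected app: {app}")
        if any(term in text for term in SPAM_TERMS):
            reasons.append("text matches a known spam campaign")
        if reasons:
            findings.append({"id": tweet["id_str"], "app": app, "reasons": reasons})
    return findings


def apps_to_revoke(findings):
    """Apps that produced at least one flagged tweet: these are the entries to
    revoke on the Twitter 'Apps' settings page, before checking the app's own
    account for whatever else was posted there."""
    return sorted({finding["app"] for finding in findings})


def run_demo():
    """Run the audit over the constructed sample and print a short report."""
    tweets = json.loads(SAMPLE_TWEETS_JSON)
    # Constructed assumption: this account owner only tweets via Echofon or the website.
    findings = audit_tweets(tweets, expected_apps={"Echofon", "web"})
    for finding in findings:
        print(f"tweet {finding['id']} via {finding['app']}: " + "; ".join(finding["reasons"]))
    print("revoke:", ", ".join(apps_to_revoke(findings)))
    return findings


if __name__ == "__main__":
    run_demo()
```

On the sample data both Pinterest tweets are flagged (one for the app alone, one for the app and the spam wording), and Pinterest is the single app to revoke. The "unexpected app" rule is the one that catches the quiet case from the post, where the hijacked app posts something innocuous-looking and no keyword list would fire.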

This isn't a new technique, even for Garcinia spam, which has been doing the rounds for at least a year; the blog post below shows that before that it was the well-known Acai berry spam: http://www.threattracksecurity.com/it-blog/garcinia-cambogia-spam-a-timeline-and-new-outbreaks/

Don't buy Garcinia cambogia - no evidence for it, certainly no evidence that the pills you're buying even contain it (and they may contain something much worse). And check your Pinterest account (and Twitter apps) :)

Terms used - update
When I posted this on Twitter Tim Haines pointed out that I was fibbing a bit by talking about hacking. He's kind of right, so I'm clarifying the meanings by pointing to Wikipedia:




