Well it went and happened again. "I" posted another random spammy comment that mentioned how to make a quick $ by sending people to a dodgy website. Unsurprisingly I didn't send this, and was rather annoyed that it's happened again. After the original spam attack I'd changed passwords, revoked access to the twitter mobile application and thought all was fine.
However, it's exactly the same attack vector that's been used. Late on Saturday night the app was authorised again: "Mobile Web by Twitter was authorised Sat Jul 23 2011 20:56:18 GMT."
Well that wasn't me. And then on Sunday night around 22:30 the spam appeared in my timeline again "check out this article! I made $350 today!"
So this time, I removed the application permissions (again), removed the post from my timeline and have opened a trouble ticket with Twitter to see what happens. Oh and I changed my password to a random series of letters, numbers and extended characters. So we'll see what happens next.
I'm now thinking this IS NOT a password crack that's going on and there is something more deep-seated wrong with twitter. The alarm bells are that the twitter mobile application is created by twitter themselves, so I suspect an implicit trust is set up somewhere between twitter and their mobile web application, and that's why it automagically gets authorised when a post is made from it. Why or how the actual exploit takes place I'm still really in the dark.
My message to twitter was (bits taken out for security):
Description of problem: Hi,
Several times now posts that I have not made are being posted to my timeline. They are all along the lines of "check out this article! I made $350 today!" and a link.
Each time I've logged in and found it was posted by "Mobile Web", and looking, shortly before it had been authorised to post on my account. I obviously haven't granted the twitter mobile web application permissions, and did not make the post.
I have changed my password several times now and it still keeps happening. Please can you investigate. If possible can you retrieve the IP address that was permitting the application, and/or making the posting. I can supply screenshots of the hacked timeline and also the application screen that showed Mobile Web by Twitter was authorised "Sat Jul 23 2011 20:56:18" GMT. The post to my timeline was made on Sunday Jul 24 2011 22:24 GMT.
So I'm hoping they can get the IP address, as I know the IP addresses I would post messages from; it's one of about 4 or 5, so pretty easy to spot if it's come from an address outside those. So we'll see what reply I get. I'll post back when I get further, but I'm mega-annoyed now as it's not very professional looking at all.