This past Saturday I attended TiECon – a silicon valley institution that I’ve been wanting to go to for almost eight years. I’ll get to more about TiECon in a different post, but I wanted to tell a story that shocked me deeply.
So I was at this conference, listening to a session on the nuts & bolts of starting your own company, and decided to see what was going on in the twittersphere. I fired up TweetDeck for iPhone and ran a new search. I found some interesting comments and decided to retweet someone. But instead of tweeting as myself, it tweeted as @GoodtoKno – the corporate handle for Kno – the startup I worked for until a month ago. This isn’t good, I thought.
Normally on our team, it had been standard operating procedure to change all third-party-service passwords after someone left the team, and I was confident in my team’s intelligence and that they would have continued this procedure after my departure.
TweetDeck is, I think, the most popular desktop and perhaps the most popular iPhone twitter client out there. Now, I have TweetDeck set up with multiple accounts – which is one of TweetDeck’s best features. I can tweet from my @prasid handle, my @NetIPSeattle account (a non-profit I’ve worked with for years) and from my corporate handle (used to be @MSFT_Students, then @GoodtoKno, and now @BookRenter).
I figured it must have just been a slip of the finger – maybe I accidentally tweeted from @GoodtoKno and maybe, against all odds, my team never changed the password.
So I went back in to compose a new tweet, retyped it, made sure that it was only going to send as @prasid and not the others, and hit Enter.
I scanned the twitterstream again – again the tweet showed up as having come from @GoodtoKno.
I tried going into Settings and re-authenticating the @GoodtoKno account – the reauthentication failed! “Well, good,” I thought. My old team IS smart enough to change the password, after all. And now that TweetDeck knows my credentials for that account are invalid, it won’t let me tweet from @GoodtoKno again.
I tried again. Tweeting from @prasid. Tweeting from @NetIPSeattle – both times it still tweeted on behalf of @GoodtoKno instead.
Finally, I tried updating the app. Even then, the error persisted.
This is ridiculous, I thought. So I stopped using TweetDeck for the day, and switched to Twitter’s own app, which was annoying, because Twitter’s iPhone app has limited search capabilities.
Then today, I got a note from our social media guy at Kno – who obviously noticed the tweets and figured it must be me. And so I decided to try a little experiment – I fired up TweetDeck for the PC and sent something on behalf of @GoodtoKno (something innocuous). And sure enough, it worked! I managed to tweet from the @GoodtoKno handle, even after my friend at Kno confirmed that he’d changed the password.
So, bottom line, I have no interest in damaging Kno’s reputation, but if I did, TweetDeck would have provided a gaping security hole.
I did some digging and figured out that this is a known issue. Here’s an article about it. It essentially says that when you authorize an app with Twitter, the app is issued a limited-access token – a “valet key” – that lets it do certain things on your behalf. That token is separate from your password. So even if you need to secure a twitter account that’s been hacked (or, in my case, lock it down after someone who had access leaves the company), changing the password isn’t enough: you also have to go into Twitter’s settings and revoke the credentials (the valet keys) that were given to all the third-party services that work on top of the twitter platform.
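To make the "valet key" behaviour concrete, here is a small added model of an authorization server, written for this post and not code from Twitter or TweetDeck. It issues per-app tokens, shows that a password change leaves those tokens valid until each app is explicitly revoked, and contrasts that with a hypothetical hardened server that binds every token to the password version in force when it was issued, so a password change implicitly cuts off every app. All handles, app names and passwords are constructed sample values.

```python
"""Toy model of OAuth-style app tokens (the "valet key") and why a password
change alone does not cut off a third-party client.  Added example with
hypothetical names; not Twitter's or TweetDeck's implementation."""
import secrets
from dataclasses import dataclass, field


@dataclass
class Account:
    handle: str
    password: str
    # Bumped on every password change; only the hardened server consults it.
    password_version: int = 0
    # app_name -> token currently issued to that app
    tokens: dict = field(default_factory=dict)


class AuthServer:
    """Password change leaves app tokens untouched; each app must be revoked
    explicitly (the behaviour described in the post)."""

    def __init__(self):
        self.accounts = {}
        # token -> (handle, app_name, password_version at time of issue)
        self.token_index = {}

    def register(self, handle, password):
        self.accounts[handle] = Account(handle, password)

    def authorize_app(self, handle, password, app_name):
        """User approves an app: the password is checked once, then the app
        gets its own long-lived token and never sees the password again."""
        acct = self.accounts[handle]
        if password != acct.password:
            raise PermissionError("bad password")
        token = secrets.token_hex(16)
        acct.tokens[app_name] = token
        self.token_index[token] = (handle, app_name, acct.password_version)
        return token

    def change_password(self, handle, old, new):
        acct = self.accounts[handle]
        if old != acct.password:
            raise PermissionError("bad password")
        acct.password = new
        acct.password_version += 1

    def revoke_app(self, handle, app_name):
        """The step an offboarding checklist must include: drop the token."""
        token = self.accounts[handle].tokens.pop(app_name, None)
        self.token_index.pop(token, None)

    def authorized_apps(self, handle):
        """What to audit after someone with access leaves."""
        return sorted(self.accounts[handle].tokens)

    def token_is_valid(self, token):
        return token in self.token_index

    def post_as(self, token, text):
        if not self.token_is_valid(token):
            raise PermissionError("token revoked or unknown")
        handle, app, _ = self.token_index[token]
        return f"@{handle} (via {app}): {text}"


class HardenedAuthServer(AuthServer):
    """Hypothetical variant: a token is only valid while the account's
    password version still matches the version it was issued under, so a
    password change implicitly revokes every app token."""

    def token_is_valid(self, token):
        if token not in self.token_index:
            return False
        handle, _, version = self.token_index[token]
        return version == self.accounts[handle].password_version


def demo(server_cls):
    """Returns (valid after password change, valid after explicit revoke)."""
    srv = server_cls()
    srv.register("brandhandle", "pw-1")          # constructed sample account
    tok = srv.authorize_app("brandhandle", "pw-1", "desktop-client")
    srv.change_password("brandhandle", "pw-1", "pw-2")
    after_change = srv.token_is_valid(tok)
    srv.revoke_app("brandhandle", "desktop-client")
    return after_change, srv.token_is_valid(tok)


if __name__ == "__main__":
    print("explicit-revoke server:", demo(AuthServer))          # (True, False)
    print("version-bound server:  ", demo(HardenedAuthServer))  # (False, False)
```

The trade-off is visible in the second line of output: binding tokens to the password version makes a password change a clean cut-off, at the cost of logging every legitimate client out too. Either way, `authorized_apps()` is the list someone should walk through when access is handed over.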
This still doesn’t explain why the TweetDeck mobile app wouldn’t let me tweet from my own handle at all. And I’m not sure if this is an issue with CoTweet as well. Perhaps any twitter service will have this flaw.
In the broader context of the marketing discipline, this is just one more step down the democratizing path toward equity between the brand and the consumer. Big consumer brands like Coca Cola poured billions into building a brand over decades – with physical billboards, TV commercials on one of four TV networks, some with their own stadiums and skyscrapers, and print ads in newspapers read by 80% of the population in a given metro. Today the power has shifted away from those media toward the internet, to services like Twitter and Facebook, where every message gets scrutinized and where the playing field between Rebecca Black and Coca Cola is nearly level.
And then, to realize that your brand’s mouthpiece is so vulnerable to hijacking, because it no longer lives in a TV studio where a commercial is shot. It no longer lives on the web site you host in a back office at HQ. The tip of your spear lives in the jumble that is a series of tubes somewhere between an iPhone, TweetDeck, and Twitter. Nowhere at all really. Just a series of misconnected tubes.
Just a day after this post, Twitter made an announcement about OAuth – saying that they’re going to start limiting the access that they give 3rd-party apps through the OAuth protocol, and also that they’re going to do more to make end users aware of the security risks of giving 3rd-party apps this kind of access. Here’s the post from TC. This may break some of our apps, but it will close a security hole.