Which apps have permission to access your accounts?
A recent social-media hijacking reveals how poor services are about aging out unused connections, writes Glenn Fleishman
Recently, hundreds of accounts – from Forbes to Amnesty International to Starbucks Argentina – started spewing swastikas and slogans in Turkish labelling the Netherlands “Nazi Holland”. The propaganda arises from a dispute in advance of a Turkish referendum to grant its president more power, and the Dutch refusal to allow Turkish officials to speak at rallies of Turkish people living in the Netherlands.
Political issues aside, the accounts were hijacked through a weakness many people forget exists until it strikes: third-party app permissions in social networks and other platforms. These integrations are part of the power of many services, which pitch themselves as platforms. Developers can create software that talks to the service’s API and reads information from a user who authorizes it. But more critically, these third-party apps can often post on behalf of a user, delete messages, or engage in other behaviour.
In this case, Twitter Counter was responsible. Its servers were hacked, and credentials stolen.
This kind of break-in affects even those who have enabled two-factor authentication, because third-party app approval happens while you’re logged in and doesn’t disclose a Twitter password. Thus, Twitter assumes that a legitimate user has approved the conduit, and it passes a usage token to the third party, which stores that. Those tokens can be revoked en masse and an application blocked, which is what Twitter did after the hacking was discovered.
Two-factor authentication (2FA) remains critical and should probably be a requirement that social-media networks enforce for any account that attracts more than a small amount of followers, likes, or other markers making it a potential target for takeover.
A Twitter friend outspoken about Muslim discrimination noted around the same time that she was receiving messages from Twitter about password attempts, but she had two-factor enabled, so the attempts were in vain. Another friend received a quasi-phishing message that her Apple ID had been locked, and found her account was, in fact, inaccessible. She regained access, but the suspicion I
have is that phishers bombarded Apple with bad passwords to her account to force it into a lockdown state, and then tried to scam her. She also has 2FA enabled.
Depending on the service, you may be able to approve a connection once and never reaffirm it. When you attempt to use a Web app with Twitter, you will likely be asked to re-login on a regular basis, but if you don’t use the Web interface, the conduit remains active and you don’t have to approve it. Native apps, like Tweetbot, and system integration, as in macOS and iOS, are never reprompted – they request and receive token renewals without your involvement if they’re needed. More nooks and crannies to check I wrote before about how to perform a checkup on Facebook, Google, and Twitter, and those details are more relevant today.
I’d add to that a few more places to make sure you aren’t leaving a vector available that someone can pry open with a digital crowbar. In most of these locations, you can view recent or open sessions, which let you see which hardware and browsers are accessing your account, but that can help you ferret out whether any of that is unauthorized.
Facebook open sessions. Via Facebook’s Web app, click the downward-pointing arrow to the right of the help (?) button on its toolbar. Choose Settings, click Security in the left navigation bar, and then, next to Where You’re Logged In, click Edit. In trying to troubleshoot why both my Macs get about 40 notifications for every new Facebook post, I turned to these section of settings and found that several sessions remained ‘open’ even though the listed service hadn’t attempted to access in months or longer.
Click End Activity next to each item you don’t recognize. This may cause a problem with calendar sync or mobile access, forcing you to re-authenticate or, with 2FA, create a new app-specific password. But it’s better than wondering why they remain available, potentially on a computer,
device, or via a service you no longer have access to. In my case, my office Mac and laptop MacBook are both identified as ‘Patreon’, a service that I use Facebook authentication with, but which shouldn’t be identified with my sessions. That’s an issue I have yet to figure out.
(On a Mac, you can sever the system-level Facebook connection via the Internet Accounts system preference pane. Click Facebook in the accounts list and then click the minus button at the bottom to remove. This will affect contacts and calendars if you have those boxes checked. It should also remove contacts and delete your Facebook calendar, but contacts may persist.)
Dropbox sessions and authorization Dropbox has seen a big rise in third-party integration, and you may not realize – as I didn’t – just how many services and sites can access your Dropbox in different ways. Dropbox shows open web sessions, linked devices and their last access time, and linked apps all in a Security tab. I found iOS hardware I still own but that remained displayed as linked from a previous system release, as well as devices I no longer own. If you wipe a device before selling it, a new owner can’t just connect to Dropbox without your credentials, but it’s more effective to not leave that possibility open if you delete settings without erasing a drive or a phone or tablet.
Google open sessions At Google.co.uk, click the avatar for your account and then click My Account. Under Sign In & Security, click Device Activity and Notifications. Google trims access to the past 28 days, which provides fewer clues to problems. Google can also alert you when it attempts
what it believes is an attempt to crack your account. A number of journalists received these alerts a few weeks ago.
Microsoft If you don’t use Microsoft products regularly, you might have authorized and forgotten the permissions you granted: you can check and change those. Re-upping trust Eternal trust is not a good strategy. Networks, services, and sites that let third parties leverage their user platforms with those users’ permissions should be considering how to provide a regular review of linked apps and active sessions.
Companies are trying to provide a balance between growing their audience, making their services more valuable, and not bothering people to the extent they stop paying attention to security alerts. But the current state of things leaves users who connect any third-party app or system too exposed for too long.
Facebook keeps ‘active’ sessions open for months or longer, so it’s good to check this list from time to time
Google can notify you of potential account attacks