Which apps have permission to access your accounts?

A recent social-media hijacking reveals how poor services are about aging out unused connections, writes Glenn Fleishman

iPad&iPhone User - NEWS

Recently, hundreds of accounts – from Forbes to Amnesty International to Starbucks Argentina – started spewing swastikas and slogans in Turkish labelling the Netherlands “Nazi Holland”. The propaganda arises from a dispute in advance of a Turkish referendum to grant its president more power, and the Dutch refusal to allow Turkish officials to speak at rallies of Turkish people living in the Netherlands.

Political issues aside, the accounts were hijacked through a weakness many people forget exists until it strikes: third-party app permissions in social networks and other platforms. These integrations are part of the power of many services, which pitch themselves as platforms. Developers can create software that talks to the service’s API and reads information from a user who authorizes it. But more critically, these third-party apps can often post on behalf of a user, delete messages, or engage in other behaviour.

In this case, Twitter Counter was responsible. Its servers were hacked, and credentials stolen.

This kind of break-in affects even those who have enabled two-factor authentication, because third-party app approval happens while you’re logged in and doesn’t disclose a Twitter password. Thus, Twitter assumes that a legitimate user has approved the conduit, and it passes a usage token to the third party, which stores that. Those tokens can be revoked en masse and an application blocked, which is what Twitter did after the hacking was discovered.

Two-factor authentication (2FA) remains critical and should probably be a requirement that social-media networks enforce for any account that attracts more than a small amount of followers, likes, or other markers making it a potential target for takeover.

A Twitter friend outspoken about Muslim discrimination noted around the same time that she was receiving messages from Twitter about password attempts, but she had two-factor enabled, so the attempts were in vain. Another friend received a quasi-phishing message that her Apple ID had been locked, and found her account was, in fact, inaccessible. She regained access, but the suspicion I have is that phishers bombarded Apple with bad passwords to her account to force it into a lockdown state, and then tried to scam her. She also has 2FA enabled.

Depending on the service, you may be able to approve a connection once and never reaffirm it. When you attempt to use a Web app with Twitter, you will likely be asked to re-login on a regular basis, but if you don’t use the Web interface, the conduit remains active and you don’t have to approve it. Native apps, like Tweetbot, and system integration, as in macOS and iOS, are never reprompted – they request and receive token renewals without your involvement if they’re needed.

More nooks and crannies to check

I wrote before about how to perform a checkup on Facebook, Google, and Twitter, and those details are more relevant today.

I’d add to that a few more places to make sure you aren’t leaving a vector available that someone can pry open with a digital crowbar. In most of these locations, you can view recent or open sessions, which let you see which hardware and browsers are accessing your account, and that can help you ferret out whether any of that is unauthorized.

Facebook open sessions

Via Facebook’s Web app, click the downward-pointing arrow to the right of the help (?) button on its toolbar. Choose Settings, click Security in the left navigation bar, and then, next to Where You’re Logged In, click Edit. In trying to troubleshoot why both my Macs get about 40 notifications for every new Facebook post, I turned to this section of settings and found that several sessions remained ‘open’ even though the listed service hadn’t attempted to access in months or longer.

Click End Activity next to each item you don’t recognize. This may cause a problem with calendar sync or mobile access, forcing you to re-authenticate or, with 2FA, create a new app-specific password. But it’s better than wondering why they remain available, potentially on a computer, device, or via a service you no longer have access to. In my case, my office Mac and laptop MacBook are both identified as ‘Patreon’, a service that I use Facebook authentication with, but which shouldn’t be identified with my sessions. That’s an issue I have yet to figure out.

(On a Mac, you can sever the system-level Facebook connection via the Internet Accounts system preference pane. Click Facebook in the accounts list and then click the minus button at the bottom to remove. This will affect contacts and calendars if you have those boxes checked. It should also remove contacts and delete your Facebook calendar, but contacts may persist.)

Dropbox sessions and authorization

Dropbox has seen a big rise in third-party integration, and you may not realize – as I didn’t – just how many services and sites can access your Dropbox in different ways. Dropbox shows open web sessions, linked devices and their last access time, and linked apps all in a Security tab. I found iOS hardware I still own but that remained displayed as linked from a previous system release, as well as devices I no longer own. If you wipe a device before selling it, a new owner can’t just connect to Dropbox without your credentials, but it’s more effective to not leave that possibility open if you delete settings without erasing a drive or a phone or tablet.

Google open sessions

At Google.co.uk, click the avatar for your account and then click My Account. Under Sign In & Security, click Device Activity and Notifications. Google trims access to the past 28 days, which provides fewer clues to problems. Google can also alert you when it detects what it believes is an attempt to crack your account. A number of journalists received these alerts a few weeks ago.

Microsoft

If you don’t use Microsoft products regularly, you might have authorized and forgotten the permissions you granted: you can check and change those.

Re-upping trust

Eternal trust is not a good strategy. Networks, services, and sites that let third parties leverage their user platforms with those users’ permissions should be considering how to provide a regular review of linked apps and active sessions.
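To make the token mechanism behind the Twitter Counter break-in and the “regular review of linked apps” recommendation concrete, here is an added Python model; it is not code from the article or from any of the services named. It sketches a hypothetical service-side token registry in which app approval issues a token without a password, a compromised app’s tokens can be revoked en masse, and connections idle past a cutoff are aged out and flagged for review. The class and method names, the 90-day cutoff and the app names are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
import secrets

@dataclass
class LinkedApp:
    app_name: str        # the third-party app the user approved
    last_used: datetime
    revoked: bool = False

class TokenRegistry:
    def __init__(self, max_idle_days=90):   # 90-day cutoff is an assumption
        self.max_idle = timedelta(days=max_idle_days)
        self.tokens = {}  # token string -> LinkedApp
    def authorize(self, app_name, now):
        # The user approves while already logged in: no password, no 2FA re-run,
        # so the app simply receives a token that it stores on its own servers.
        tok = secrets.token_urlsafe(24)
        self.tokens[tok] = LinkedApp(app_name, now)
        return tok
    def use(self, tok, now):
        app = self.tokens.get(tok)
        if app is None or app.revoked:
            return False
        if now - app.last_used > self.max_idle:  # token never expires on its own
            app.revoked = True  # aged out: the user must re-approve the app
            return False
        app.last_used = now
        return True
    def revoke_app(self, app_name):
        # Mass revocation of every token held by one (compromised) app.
        hit = [a for a in self.tokens.values() if a.app_name == app_name and not a.revoked]
        for a in hit:
            a.revoked = True
        return len(hit)
    def stale(self, now):
        # What a 'linked apps' review screen should flag for the user.
        return sorted(a.app_name for a in self.tokens.values()
                      if not a.revoked and now - a.last_used > self.max_idle)

def demo():
    # Constructed scenario: 'stats-app' linked twice, 'cal-sync' linked once.
    reg, t0 = TokenRegistry(max_idle_days=90), datetime(2017, 3, 1)
    s1, s2, cal = (reg.authorize(n, t0) for n in ("stats-app", "stats-app", "cal-sync"))
    ok_before = reg.use(s1, t0 + timedelta(days=10))   # True: token works
    n_revoked = reg.revoke_app("stats-app")             # 2: both tokens pulled
    ok_after = reg.use(s2, t0 + timedelta(days=11))    # False: app blocked
    flagged = reg.stale(t0 + timedelta(days=200))       # ['cal-sync']: idle > 90 days
    ok_aged = reg.use(cal, t0 + timedelta(days=200))    # False: aged out
    return ok_before, n_revoked, ok_after, flagged, ok_aged
```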

Companies are trying to provide a balance between growing their audience, making their services more valuable, and not bothering people to the extent they stop paying attention to security alerts. But the current state of things leaves users who connect any third-party app or system too exposed for too long.

Facebook keeps ‘active’ sessions open for months or longer, so it’s good to check this list from time to time

Google can notify you of potential account attacks
