Evil Recipes for App Domination

Been reading this post by Rishi Lakhani and it gave me some ideas (heck at least something Inbound is good for lol). Firstly, I suddenly felt the urge to go check the authorised apps in my own Twitter account. I urge you to do the same. Seriously, go do it now. You’ll be surprised how many of them you won’t even remember using, yet how many of them have both read and write permissions for your account.

One category of such apps is sites with Twitter-enabled user identification for commenting. See, I am not even talking about Twitter-powered user registrations here. Would you think much of authorising a site when posting a comment? Many of you literally do it on autopilot. After all, why not, this creates a link to your Twitter profile, shows your mug on there, maybe even your site URL, so must be good for your personal branding, right? Yet, how do you know what else the app you are authorising can do on your behalf, apart from user identification? Typically this doesn’t happen – but what if?

A few months back an exploit was making rounds on Twitter: you get a DM from one of your friends with a link and some compelling text urging you to click that link, once you do that you basically hand over the control of your account to the spammer, who then sends the same kind of DMs to your contacts, getting control over their accounts, etc. That one was not even asking for any authorisation, and had it been subtler and its activities more stretched in time people may have as well ended up unaware of being pwned and the initiators of the attack could have had whatever use of the possessed accounts they saw fit, like quietly following the accounts they wanted to promote to the range of tens of thousands of followers, quietly changing the links from user profiles (when was the last time you looked at your own profile to check what it says), quietly pushing whatever they wish to your followers, etc. The spammers chose the fast route – and their scam was shortlived, soon discovered and tackled by most users they affected.

There is another nightmare scenario I described in my comment to Rishi’s post – to expand on that, should one have a proper long term goal and some resources and imagination, a lot of evil things can be potentially accomplished. I am only talking about this in the open because I think this is pretty difficult to implement and depends on too many things working out to your benefit and most of those who would have the inclination to do anything like that would be too lazy to take all these steps anyways. Imagine an offer you have as a way to monetise, say, Amazon milk frogs, with proper high affiliate payouts, or maybe you’re a vendor, and Amazon milk frogs is one hell of a competitive term with cutthroat fight going on for it in the organic SERPs. But potential buyers and existing users of Amazon frogs are very active socially, and there are communities with plenty of users and some of them just HAPPEN to use Twitter accounts as a way of registration. Find the community with the most users, get their user list, see how active those users are on Twitter. Make another list of users with top number of followers on Twitter. Next, PURCHASE the community site or otherwise get access to the app… Give it some time, then one by one exploit the top users’ Twitter accounts to get more followers for your own account, push your offer to their followers (making it look like one endorsed by the highly authoritative person they follow whose accounts you’ve pwned), etc. Evil? – you bet it is. But if done carefully, it might not even get discovered. Legally, your arse is covered there as well (pretty much, I think – but I’m not a lawyer plus laws can differ in different jurisdictions) – after all they gave you the permissions and it’s there in writing, on Twitter.

Better yet, here is a way to exploit Author Rank that all the content marketers are blabbing about nonstop these days. Instead of Twitter/Facebook or in addition to these two, some sites offer using your Google account as a way to register/identify yourself when using them. When you opt for this, you basically grant an app permissions to access and modify your Google account – just like you give apps permissions to access and modify your Facebook or Twitter account. Technically, nothing stops you from faking rel=”author” on any site you control by linking it up to another (unsuspecting) user’s Google+ account, but how much more weight would that faked rel=”author” have should you also add your blog to the list of places they contribute to in their profile! Again, probably much easier said than done – but just so you know, the risks are out there so watch out.

Comments are closed.