Sciencetext Tips & Tricks


Twitterank Phishing Scam

November 13th, 2008 · by David Bradley

Are you a narcissistic Twitter user like me? If so, you may have tried out Twitterank to see how well received your tweets are. And if so, you may have been the victim of a phishing expedition. This from ZDNet:

Twitterrank has no apparent purpose beyond a sketchy numerical rating, and there are rumors circulating on Twitter this afternoon that it is basically a fishing [sic] expedition.

Time to remove the Twitterank script from any website on which you are displaying it and change your Twitter password ASAP.

Other sites reporting the possibility that Twitterank is nothing more than a scam include Mashable and NowPublic, and AquariumDrinker has plenty to say about it.

However, I don’t think Twitterank is a genuine scam; it’s a name-and-shame system aimed at exposing just how easy social engineering is, and also at shaming Twitter into releasing their API so that genuine applications of this kind can be developed properly without the security risk.

Look at the internals of Twitterank and you’ll see this disclaimer:

Disclaimer I am about to ask you for your Twitter user ID and password. You should be afraid. This is where you ask yourself, “Do I really want to find out my twitterank badly enough to give some random dude on the interweb my account info?” And if that’s not what you’re asking yourself, shame on you.

Here’s Twitterank’s response to the accusations: “No, I am not a phisher. I don’t even store your password. Your password gets used once to calculate your Twitterank, and is never stored on disk or any other permanent storage device. Having said that, people do need to be more careful about giving away their account information. I’m not evil, but the next guy might be.”

In some sense, Twitterank preys on user vanity and the viral effect of WordSpread(TM), whether it’s a genuine scam or simply an attempt to expose insecurity issues. Hear it as a wake-up call. You have been warned. The practical problem is that a site which asks for your password cannot prove what it does with it: “used once and never stored” is a promise, not something you can check from the outside, and the same password unlocks everything on your account, not just the read-only data the site claims to need. If Twitterank isn’t a scam, the next site to ask for one of your social media passwords may well be. Don’t fall for it when other sites come bearing wonders and asking for passwords.
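To make the difference concrete, here is an added toy example (not code from the original post, and not Twitterank’s or Twitter’s actual code or API) contrasting the two patterns discussed above: an app that collects the user’s password and calls the service on their behalf, versus an app that only ever receives a scoped, expiring, revocable token issued by the service after the user authenticates there directly. The account data, the rank formula, the token format and the `SERVICE_KEY` are all constructed for illustration; a real delegated scheme (OAuth-style) uses structured tokens and a proper clock, but the trust boundary it draws is the same one shown here.

```python
import hashlib
import hmac
import secrets

# Constructed toy account store. Even the service keeps only a salted hash,
# so the plaintext password exists only for the instant it is checked.
_SALT = b"constructed-salt"


def _pw_hash(pw: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), _SALT, 10_000)


USERS = {"alice": {"pw_hash": _pw_hash("correct horse battery staple"),
                   "followers": 120, "tweets": 340}}
SERVICE_KEY = secrets.token_bytes(32)   # hypothetical service-side token-signing key
REVOKED = set()                         # tokens the user has cancelled


def login(user: str, password: str) -> bool:
    """The one place a password is checked; it should never need to travel further."""
    u = USERS.get(user)
    return u is not None and hmac.compare_digest(u["pw_hash"], _pw_hash(password))


def compute_rank(profile: dict) -> float:
    """Hypothetical vanity score; the real Twitterank formula is not on the page."""
    return round(100 * profile["followers"] / (profile["followers"] + profile["tweets"]), 1)


# Pattern 1: the third-party app collects the password itself (what the post warns against).
class PasswordSharingApp:
    def __init__(self):
        self.captured = []   # the user has no way to know whether this list exists

    def rank(self, user: str, password: str) -> float:
        self.captured.append((user, password))   # "I don't store it" is unverifiable
        if not login(user, password):
            raise PermissionError("bad credentials")
        return compute_rank(USERS[user])


# Pattern 2: the user authenticates to the service, which hands the app a scoped token.
def issue_token(user: str, password: str, scope: str, now: int, ttl: int = 300) -> str:
    """Service endpoint: password in, short-lived scoped token out. The app never sees the password."""
    if not login(user, password):
        raise PermissionError("bad credentials")
    payload = f"{user}|{scope}|{now + ttl}|{secrets.token_hex(8)}"   # toy format, assumes no '|' in names
    sig = hmac.new(SERVICE_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}|{sig}"


def verify_token(token: str, required_scope: str, now: int):
    """Return the user name if the token is authentic, unexpired, unrevoked and scope-matched, else None."""
    parts = token.split("|")
    if len(parts) != 5:
        return None
    user, scope, exp, _nonce, sig = parts
    expected = hmac.new(SERVICE_KEY, "|".join(parts[:4]).encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):
        return None
    if scope != required_scope or now > int(exp) or token in REVOKED:
        return None
    return user


def revoke(token: str) -> None:
    """User-side kill switch: cancels one app's access without a password change."""
    REVOKED.add(token)


def read_profile(token: str, now: int) -> dict:
    """Service API: read-only data, reachable with a 'read' token and nothing else."""
    user = verify_token(token, "read", now)
    if user is None:
        raise PermissionError("token rejected")
    return {"followers": USERS[user]["followers"], "tweets": USERS[user]["tweets"]}


class DelegatedApp:
    def rank(self, token: str, now: int) -> float:
        return compute_rank(read_profile(token, now))


if __name__ == "__main__":
    now = 1_226_592_000   # constructed clock value (roughly November 2008)
    pw = "correct horse battery staple"
    tok = issue_token("alice", pw, "read", now)
    print("delegated rank:", DelegatedApp().rank(tok, now))
    print("write scope with read token:", verify_token(tok, "write", now))
    revoke(tok)
    print("after revoke:", verify_token(tok, "read", now))
    leaky = PasswordSharingApp()
    print("password-sharing rank:", leaky.rank("alice", pw), "captured:", leaky.captured)
```

The point of the second half is not the rank but what the app is allowed to do: a `read` token cannot be used for `write`, it dies on its own after `ttl` seconds, and the user can revoke it without touching their password. In the first half the app gets the same result, but it also gets a credential that works everywhere, forever, and that it can silently keep.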

It seems quite apt that the free download of Vulnerability Management for Dummies is once again available through a Sciencebase partner site.

9 responses so far

  • David Bradley // Nov 13, 2008 at 2:12 pm

    Twitterank creator, Ryo Chijiiwa, responds to the scam accusations on ZDnet.

  • Kim Woodbridge // Nov 13, 2008 at 4:05 pm

    Interesting. I had seen all of this except for Ryo’s response on ZDNet. I think that overall people need to be more careful with their passwords and change them frequently. And if they want to test a tool like this, change their password, test the app, and then change the password again.

    I was amused that this happened the same day I posted an article asking if these ranking and grading systems even mattered.

  • David Bradley // Nov 13, 2008 at 4:24 pm

    I tried to get all this “out there” early on, as soon as I saw it this morning, but I guess a lot of people were trying to do that too. You’re right such a tool is just a bit of fun, nothing particularly relevant…just like Google toolbar PR, in fact ;-)

  • Roger // Nov 13, 2008 at 5:08 pm

    The commonsense approach is simply not to use sites where you can’t be sure of their intent or security protocols.

    It’s the downside of APIs that mashup data from secure sites, I suppose.

  • Ari Herzog // Nov 13, 2008 at 5:20 pm

    I was on the road all day, using my BlackBerry – had seen a few tweets about this service but that’s the extent of my involvement.

    So, I sit back and watch the rumors and responses fly back and forth.

    You’re right about password security and it raises the issue which can’t be repeated enough: If you’re not going to jump into a car with a stranger at the age of 7, don’t give your passwords to strangers without checking them out.

  • Andy // Nov 13, 2008 at 11:36 pm

    An exclusive interview with Kyo, conducted by me:
    http://www.phishmail.de/2008/11/twitterank-das-interview/

  • David Bradley // Nov 14, 2008 at 7:35 am

    Andy, thanks for sharing your interview with “Ryo”. I’m taking it on trust that it’s genuine even though you typed his name wrong. However, I don’t think he really says anything more in your interview than he has elsewhere in the media. It certainly doesn’t nail whether or not he’s genuine…he’s not going to admit in public to being a phisher of men (and women), after all.

  • Andy // Nov 17, 2008 at 9:53 am

    Yes, you’re right, I typed the name wrong, sorry… Change it to “Ryo”, if you like. In the end the interview is no evidence and contains nothing really new, but I think it is worth watching. I’m based in Germany and the interview was done to inform German-only speakers as well, and I didn’t want to copy other pages.

  • David Bradley // Nov 17, 2008 at 10:13 am

    Yeah, no worries about the typo, we all do it. I think he’s so much in the public eye now, that it will either make or break him. There seem to be 1000s of tweeters still bragging about their twitterank out there…
