Are you a narcissistic Twitter user like me? If so, you may have tested out Twitterank to see how well received your tweets are. If you have, you may have been the victim of a phishing expedition. This from ZDNet:
Twitterrank has no apparent purpose beyond a sketchy numerical rating, and there are rumors circulating on Twitter this afternoon that it is basically a fishing [sic] expedition.
Time to remove the Twitterank script from any website on which you are displaying it and change your Twitter password ASAP.
However, I don’t think Twitterank is a genuine scam; it’s a name-and-shame system aimed at exposing just how easy social engineering is, and also at shaming Twitter into releasing their API so that genuine applications of this kind can be developed properly without the security risk.
Look at the internals of Twitterank and you’ll see this disclaimer:
Disclaimer: I am about to ask you for your Twitter user ID and password. You should be afraid. This is where you ask yourself, “Do I really want to find out my twitterank badly enough to give some random dude on the interweb my account info?” And if that’s not what you’re asking yourself, shame on you.
Here’s Twitterank’s response to the accusations: “No, I am not a phisher. I don’t even store your password. Your password gets used once to calculate your Twitterank, and is never stored on disk or any other permanent storage device. Having said that, people do need to be more careful about giving away their account information. I’m not evil, but the next guy might be.”
In some sense, Twitterank preys on user vanity and the viral effect of WordSpread(TM), whether it’s a genuine scam or simply an attempt to expose insecurity issues. Treat it as a wake-up call. You have been warned. If Twitterank isn’t a scam, the next site to ask for one of your social media passwords may well be. Don’t fall for it when other sites come bearing wonders and asking for passwords.
It seems quite apt that the free download of Vulnerability Management for Dummies is once again available through a Sciencebase partner site.