Twitterank, a social engineering phishing nightmare

It's been highly talked about. Is Twitterank out to steal your password or not? There is a disclaimer saying they're not out to steal your twitterz. But I've got to say Brianoberkirch has this right.

Twitterrank is a vast conspiracy I created to steal all of your passwords and shame Twitter into OAuthing. And to make you look vain.

We laugh, but who knows, one day it will happen. Then how foolish will you feel as you put your vanity before privacy?

I keed. But you really shouldn't hand out your password to some fly-by-night site.

And he's very right. We're far too ready to plunge our details into a site which has no history, feels dodgy and doesn't use TLS (there's no certificate of any kind). I know the author of the site has gone out of his or her way to reassure people that the site is legitimate, but mistakes can be made too: poorly configured databases and applications leak user data, and a site that has collected your Twitter password has something far worse to leak than a ranking. Also note that this ticks all the boxes for a scam. Type in your username and password and you get to see what your ranking is. Social engineering at its best. Hell, send your friend your rating and ask them to join too.

Update: Mashable is covering the story and Rainycat pretty much says the same. OAuth makes all this go away: you authorize the third-party site on Twitter's own pages, the site gets a per-site token it uses to sign its requests, and it never sees your password, so you can revoke that one site later without changing anything. This is why I'm a big believer in the open social stack.
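To make the "never sees your password" point concrete, here is an added example (not from the original post, and not Twitter's or Twitterank's code) of what an OAuth-style third-party site actually sends: the OAuth 1.0 HMAC-SHA1 request signing scheme as written up in RFC 5849 section 3.4, with the client (third-party site) side that signs and the server side that verifies. The consumer key and secret, token and token secret, nonces and timestamps are the example values from RFC 5849; the hostnames are the RFC's example hosts; the `consumer_secrets` and `token_secrets` dictionaries are stand-ins for a server-side credential store. The only secrets that enter the signature are the site's own consumer secret and the per-site token secret, both of which can be revoked without the user touching their password.

```python
"""OAuth 1.0a HMAC-SHA1 request signing (RFC 5849 section 3.4), client and server side."""
import base64
import hashlib
import hmac
import re
from urllib.parse import parse_qsl, quote, unquote, urlsplit


def pct(s: str) -> str:
    """RFC 5849 3.6 percent-encoding: only ALPHA / DIGIT / '-' / '.' / '_' / '~' stay literal."""
    return quote(s, safe="-._~")


def base_string_uri(url: str) -> str:
    """RFC 5849 3.4.1.2: lowercase scheme and host, drop the default port and the query string."""
    parts = urlsplit(url)
    scheme, host, port = parts.scheme.lower(), parts.hostname.lower(), parts.port
    if port and (scheme, port) not in (("http", 80), ("https", 443)):
        host = f"{host}:{port}"
    return f"{scheme}://{host}{parts.path or '/'}"


def collect_params(url: str, body: str, oauth_params: dict) -> list:
    """RFC 5849 3.4.1.3.1: query string + form body + oauth_* header params, minus the signature."""
    params = parse_qsl(urlsplit(url).query, keep_blank_values=True)
    params += parse_qsl(body, keep_blank_values=True)
    params += [(k, v) for k, v in oauth_params.items() if k not in ("oauth_signature", "realm")]
    return params


def signature_base_string(method: str, url: str, body: str, oauth_params: dict) -> str:
    """RFC 5849 3.4.1: METHOD & enc(base URI) & enc(params sorted by encoded name, then value)."""
    encoded = sorted((pct(k), pct(v)) for k, v in collect_params(url, body, oauth_params))
    normalized = "&".join(f"{k}={v}" for k, v in encoded)
    return "&".join([method.upper(), pct(base_string_uri(url)), pct(normalized)])


def hmac_sha1(method, url, body, oauth_params, consumer_secret, token_secret=""):
    """RFC 5849 3.4.2: key = enc(consumer secret) & enc(token secret). The user's password is never an input."""
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    mac = hmac.new(key, signature_base_string(method, url, body, oauth_params).encode(), hashlib.sha1)
    return base64.b64encode(mac.digest()).decode()


def sign_request(method, url, body, consumer_key, consumer_secret, token, token_secret, nonce, timestamp):
    """Client side: the Authorization header a third-party site sends on the user's behalf."""
    oauth = {
        "oauth_consumer_key": consumer_key,
        "oauth_token": token,
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_timestamp": str(timestamp),
        "oauth_nonce": nonce,
    }
    oauth["oauth_signature"] = hmac_sha1(method, url, body, oauth, consumer_secret, token_secret)
    return "OAuth " + ", ".join(f'{k}="{pct(v)}"' for k, v in oauth.items())


def parse_header(header: str) -> dict:
    """Split 'OAuth k="v", ...' back into a dict of percent-decoded values."""
    return {k: unquote(v) for k, v in re.findall(r'(\w+)="([^"]*)"', header)}


def verify_request(method, url, body, header, consumer_secrets, token_secrets) -> bool:
    """Server side: look up the stored secrets, recompute the signature, compare in constant time."""
    oauth = parse_header(header)
    try:
        consumer_secret = consumer_secrets[oauth["oauth_consumer_key"]]
        token_secret = token_secrets[oauth["oauth_token"]]
        presented = oauth["oauth_signature"]
    except KeyError:
        return False
    if oauth.get("oauth_signature_method") != "HMAC-SHA1":
        return False
    expected = hmac_sha1(method, url, body, oauth, consumer_secret, token_secret)
    return hmac.compare_digest(expected.encode(), presented.encode())


if __name__ == "__main__":
    # Credentials from the RFC 5849 section 1.2 example; a stand-in for the server's credential store.
    consumer_secrets = {"dpf43f3p2l4k3l03": "kd94hf93k423kf44"}
    token_secrets = {"nnch734d00sl2jdk": "pfkkdhi9sl3r4s00"}
    url = "http://photos.example.net/photos?file=vacation.jpg&size=original"
    header = sign_request("GET", url, "", "dpf43f3p2l4k3l03", "kd94hf93k423kf44",
                          "nnch734d00sl2jdk", "pfkkdhi9sl3r4s00", "chapoH", 137131202)
    print(header)  # the site's token and signature, no username or password anywhere in it
    print(verify_request("GET", url, "", header, consumer_secrets, token_secrets))
```

The base-string construction is checked against the worked example in RFC 5849 section 3.4.1.1, which exercises the awkward cases (duplicate parameter names, empty values, and values that are themselves percent-encoded). Changing any signed parameter, such as the `file` query argument, makes verification fail, which is what stops a leaked request from being replayed against a different resource.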
